Patents Assigned to Gemalto Inc
  • Publication number: 20200364328
    Abstract: A method for providing a user authentication credential comprises a) registering, in a device, at least one reference character, as a first user authentication credential; b) submitting, by the user, to the device, at least one character, as a second user authentication credential; c) retrieving, by the device, each reference character along with a corresponding position within the first user authentication credential; d) comparing, by the device, each submitted character within the second user authentication credential to a corresponding reference character within the first user authentication credential at one and the same position within the second user authentication credential and the first user authentication credential; and e) providing, by the device to the user, if the submitted character does not match the corresponding reference character, an information item for prompting the user to correct the submitted character.
    Type: Application
    Filed: May 17, 2019
    Publication date: November 19, 2020
    Applicant: Gemalto, Inc.
    Inventors: Michael HUTCHINSON, Asad ALI
  • Publication number: 20200112564
    Abstract: A method provides access to data or a service from a first device relating to a first user. A set of identifiers relating each to a second device is predefined. Each second device is related to a second user. A server receives, from the first device, a request for accessing the data or service from a current location relating to the first user. The server sends, to each selected second device, a request to determine whether the first user is locally present. Each selected second device requests, from the second device user, whether the first user is locally present. Each selected second device gets, from the second user, a presence response and sends, to the server, the presence response. The server verifies whether the received presence response includes a predefined positive presence response. If yes, the server authorizes the first device to access the data or service.
    Type: Application
    Filed: October 9, 2018
    Publication date: April 9, 2020
    Applicant: Gemalto, Inc.
    Inventors: Michael Hutchinson, Asad ALI
  • Publication number: 20190356487
    Abstract: A method for securing a system including a configuration subsystem and a production subsystem. The configuration subsystem is separate from the production subsystem that comprises a plurality of components, a gatekeeper and an entity secured with a first secret value. A generator hosted in the configuration subsystem selects a secret sharing scheme and generates, from an input parameter different from the first secret value, a set of secret shares using the secret sharing scheme. The generator uniquely assigns and securely sends a secret share extracted from the set to each of the components. The gatekeeper gets a subset of the secret shares from the components and constructs a second secret value from the subset using the secret sharing scheme. The gatekeeper computes the first secret value by applying a preset function to the second secret value, and then the gatekeeper unlocks access to the entity using the first secret value.
    Type: Application
    Filed: May 18, 2018
    Publication date: November 21, 2019
    Applicants: Gemalto Inc., SafeNet Canada Inc.
    Inventors: HongQian Karen Lu, Michael Gardiner
  • Publication number: 20190182050
    Abstract: A server accesses a user identifier associated with a first user device and a reference image, as a first image set, to be displayed. The server sends to a second user device an image, as a second image set, to be displayed, and a user request to select an image within the first image set. The second user device displays the second image set and the user request. The user of the first user device selects at least one displayed first image, the selected first image matching an image visually selected within the displayed second image set, according to a rule known to the user and the server. The first user device sends to the server the first user device identifier accompanied with data relating to the selected first image. If the data relating to the selected first image matches the data relating to the first reference image, the server authenticates the user.
    Type: Application
    Filed: December 12, 2017
    Publication date: June 13, 2019
    Applicant: Gemalto, Inc.
    Inventors: Benoît Famechon, Najam Siddiqui, Karen HongQian Lu, Asad Mahboob Ali
  • Publication number: 20190057199
    Abstract: The invention relates to a method for authenticating a user. A server accesses an identifier relating to the user associated with an identifier relating to a second user device. The server accesses, for the user, at least one predetermined reference location within a reference table. The method comprises the following steps. Sending from a first user device to the server, through a first communication channel, a first message including the identifier relating to the user and a request to get a challenge table, as challenge user authentication data. Generating, by the server, a first challenge table including a first set of characters, the first challenge table being valid. Sending, thanks to the second user device identifier, from the server to the second user device, through a second communication channel, a second message including the first challenge table and a first request to display the first challenge table. Displaying, by or through the second user device, the first challenge table.
    Type: Application
    Filed: August 16, 2017
    Publication date: February 21, 2019
    Applicant: GEMALTO INC
    Inventor: Michael HUTCHINSON
  • Publication number: 20190028891
    Abstract: A method for authenticating a user includes connecting to a server from a user device, loading from the server to the user device data including executable data, detecting by the user device, while executing the executable data, whether an identifier relating to a short range communication device exists in a vicinity of the user device, sending from the user device to the server a user identifier accompanied with the detected short range communication device identifier, verifying by the server for the identified user whether a detected short range communication device identifier matches a predetermined part of a reference short range communication device identifier. Access is granted from the server only if the detected short range communication device identifier matches the predetermined part of the reference short range communication device identifier.
    Type: Application
    Filed: July 21, 2017
    Publication date: January 24, 2019
    Applicant: GEMALTO INC
    Inventors: Darmawan SUWIRYA, Asad Mahboob ALI
  • Publication number: 20180176223
    Abstract: The present invention relates to a method to authenticate a user using an authenticator at an access device using another registered device named personal device, said authenticator being stored by the access device after registration of the personal device comprising a double encryption using an access device's secret key and a personal device's public key to be retrieved at each request of authentication received from the personal device, encrypted using a session key and sent with the session key encrypted using the personal device's public key to the personal device for partial decryption using the decrypted session key and the personal device's private key, re-encryption using the session key and sending back to the access device for total decryption of the authenticator, using the session key and the access device's secret key, and use of the thus decrypted authenticator to authenticate at the access device.
    Type: Application
    Filed: December 15, 2016
    Publication date: June 21, 2018
    Applicant: Gemalto Inc.
    Inventors: Michael Hutchinson, HongQian Karen Lu
  • Publication number: 20170359721
    Abstract: A method for managing access to a first server comprises intercepting a message including a connection request, for connecting to the first server. The message is sent at an initiative of a secure element, to the first server. A filtering rule, based upon a predetermined threshold relating to a rate or a number of connection requests, as a first filtering criterion, is accessed. The filtering rule comprises a second filtering criterion. A counter is modified for each intercepted message. The counter is compared to the predetermined threshold and, if the counter is equal to or greater than the predetermined threshold and the second filtering criterion is satisfied, a message including predefined output data is sent to the secure element. The output data controls or filters a session between the secure element and the first server.
    Type: Application
    Filed: June 14, 2016
    Publication date: December 14, 2017
    Applicant: GEMALTO, INC.
    Inventors: Meijuan DING, Sebastien GRAVALLON
  • Publication number: 20170308881
    Abstract: A method for downloading an updated profile includes a) receiving by a first server an enrolment request with a subscriber identifier, b) receiving by a second server data for provisioning the second server for the subscriber, c) receiving by a third server a command for downloading an updated profile accompanied with the subscriber identifier and a profile identifier, d) sending from the third server to the second server a request for at least one data update accompanied with the subscriber identifier, e) sending from the second server to the third server the data update, f) associating by the third server the data update and a profile, g) sending from the third server to the device or a chip the associated updated profile, i) activating by the device the associated updated profile, and j) sending to the second server a message that the associated updated profile is activated.
    Type: Application
    Filed: April 20, 2016
    Publication date: October 26, 2017
    Applicant: GEMALTO Inc.
    Inventors: Sébastien Gravallon, Lionel Rozak-Draicchio
  • Publication number: 20170244692
    Abstract: A mechanism for using a mobile device connected to a security device to authenticate a user to a service provider using a security device operating according to an applet without storing keys or user interface text on the security device or the mobile device. Registration and authentication messages to the mobile device are routed to a security device. These messages include a nonce. The security device encrypts responses from the user using the nonce and transmits an encrypted response message including the encrypted response to the authentication server, wherein the nonce is unique for each communication between the authentication server and the security device. Other systems and methods are disclosed.
    Type: Application
    Filed: February 24, 2016
    Publication date: August 24, 2017
    Applicants: Gemalto Inc., Valimo Wireless Oy
    Inventors: Sridhar BHUPATHIRAJU, Benoit FAMECHON, HongQian Karen LU, Asad Mahboob ALI
  • Publication number: 20170193500
    Abstract: To authorize a transaction, a first device sends to a first server a transaction-authorization request accompanied with an Id-PAN relating to a user account, and including an identifier of a second device. The first server sends to a second server a user-authorization request accompanied with the Id-PAN and transaction data. The second server sends to the second device a request for user approval including the transaction data and the user account data. The second device requests whether the device user approves a requested transaction. The second device sends to the second server a request for authorizing the transaction and data relating to user approval. The second server verifies whether the requested transaction is approved by the user. The second server sends to a server a verification result including a transaction authorization or refusal.
    Type: Application
    Filed: December 30, 2015
    Publication date: July 6, 2017
    Applicant: GEMALTO, INC.
    Inventor: Didier Hugot
  • Publication number: 20170180128
    Abstract: The invention is a method for deploying a trusted identity for a user issued by an issuer. The user has a user device configured to send a request for signature to an issuer device handled by the issuer. The request comprises a user public key allocated to the user. The issuer device is configured to compute an issuer signature by signing both the user's trusted identity and the user public key using an issuer private key allocated to the issuer. A block chain transaction containing the issuer signature is created and submitted to a Block Chain for transaction verification and storage.
    Type: Application
    Filed: December 22, 2015
    Publication date: June 22, 2017
    Applicant: Gemalto Inc.
    Inventor: HongQian Karen LU
  • Publication number: 20170070353
    Abstract: A method for deploying credentials in a server and a client system including three devices. The second device has primary credentials including a public key, a private key and a primary certificate. After successful authentication of a user, the first device generates a new private key/public key pair and wraps the new private key. After successful authentication of the user, the second device derives a new certificate comprising the new public key, the new certificate having the same usage specified in the primary certificate. The second device signs the new certificate using the private key of the primary credentials. The third device forwards to the server the primary certificate and the new credentials combining the new public key, the wrapped private key and the new certificate. The server verifies the chain of trust of the new credentials and, in case of successful verification, associates the new credentials to the user.
    Type: Application
    Filed: September 8, 2015
    Publication date: March 9, 2017
    Applicant: GEMALTO INC.
    Inventors: Darmawan SUWIRYA, HongQian Karen LU
  • Publication number: 20170032369
    Abstract: To authorize a data transaction, a terminal reads user account information from a device. The terminal sends, through a payment network, to a first server a request for authorizing a transaction accompanied with the account information. The first server sends to a device a request for a user approval relating to a transaction. The device requests whether the user approves a requested transaction authorization. Only if the user approves the requested transaction authorization, the device sends to the first server a request for authorizing a transaction and an identifier relating to the device. The first server retrieves, based upon the identifier relating to the device, the account information. The first server sends to a second server a request for authorizing a transaction and the account information. The second server sends, through the first server and the payment network, to the terminal, either a transaction authorization or a transaction refusal.
    Type: Application
    Filed: July 31, 2015
    Publication date: February 2, 2017
    Applicant: GEMALTO, INC.
    Inventor: Didier HUGOT
  • Publication number: 20160314309
    Abstract: The invention is a system comprising a host device and a secure element including a plurality of virtual profiles and an execution component configured to run simultaneously several of said virtual profiles. The system comprises a discovery agent configured to provide a subset of the plurality of virtual profiles, configuration data for each virtual profile of said subset and capability data reflecting the maximum of logical channels handled by the host device. The system comprises an allocating agent configured to cooperate with the discovery agent to allocate a range of logical channels to each virtual profile of the subset based on the capability data and to determine in each of the ranges a main logical channel which remains permanently available when the virtual profile to which the range is allocated has been booted.
    Type: Application
    Filed: April 22, 2015
    Publication date: October 27, 2016
    Applicant: GEMALTO INC.
    Inventor: Lionel ROZAK-DRAICCHIO
  • Patent number: 9408066
    Abstract: The present invention concerns a method for transferring securely the subscription information and user data from a first terminal to a second terminal, the terminals respectively containing a first and a second UICC. According to the invention, the method consists in: i—transmitting an identifier of the second terminal to the first terminal; ii—transmitting from the first terminal to a secure vault the identifier of the second terminal and an identifier of the first UICC; iii—transmitting from the secure vault to the first terminal a subscription installation public key of the second terminal; iv—in the first UICC, packaging and encrypting the subscription information and user data with the subscription public installation key of the second terminal; v—transmitting the package to the second UICC of the second terminal; vi—installing the package on the second UICC.
    Type: Grant
    Filed: December 5, 2011
    Date of Patent: August 2, 2016
    Assignee: GEMALTO INC.
    Inventor: Paul Bradley
  • Patent number: 9326146
    Abstract: The invention proposes a method for downloading a subscription in a UICC embedded in a terminal, this method consisting in: transferring an ICCID to the terminal; sending the ICCID over an IP link to a secure vault; selecting in the secure vault a subscription corresponding to the ICCID; transmitting the subscription to the terminal over the IP link; storing the subscription in the terminal.
    Type: Grant
    Filed: December 2, 2011
    Date of Patent: April 26, 2016
    Assignee: GEMALTO INC.
    Inventor: Paul Bradley
  • Publication number: 20150304426
    Abstract: The invention is a method of managing an application embedded in a secure element which is able to communicate with another device through an HTTP session. The application has previously registered for being triggered when a preset event will occur in the secure element. The triggering of the application is blocked if an HTTP session is in progress between the secure element and the device when the preset event occurs.
    Type: Application
    Filed: April 18, 2014
    Publication date: October 22, 2015
    Applicant: GEMALTO INC.
    Inventors: Yingzi HE, Olivier Yon
  • Publication number: 20150127937
    Abstract: The present invention relates to a web server having a web application using published API of one or more cloud storage providers, said web application being dedicated to secure and economical sharing of encrypted files residing at the cloud storage providers, said files being managed under a virtual folder which is shared by a group of different entities.
    Type: Application
    Filed: November 4, 2013
    Publication date: May 7, 2015
    Applicant: GEMALTO INC.
    Inventors: Asad Mahboob ALI, Ella Segura
  • Patent number: 8898477
    Abstract: A system and method of operating a device to securely update the control firmware controlling the device. Downloading a firmware update package to a first microcontroller of the device. Determining a firmware update portion and an encrypted hash portion of the firmware update package wherein the encrypted hash portion is cryptographically signed by a signatory. Confirm that the encrypted hash portion conforms to the firmware update by independently computing the hash of the encrypted firmware update portion on the first microcontroller and comparing that value to the signed hash. Other systems and methods are disclosed.
    Type: Grant
    Filed: November 12, 2007
    Date of Patent: November 25, 2014
    Assignee: Gemalto Inc.
    Inventors: Sylvain Prevost, Ksheerabdhi Krishna, Ruchirkumar D Shah, Mehdi Asnaashari