Abstract: In vision-based authentication platforms for secure resources such as computer systems, false positives and/or false negatives in the detection of walk-away events are reduced or eliminated by incorporating depth information into tracking authenticated system operators.

Abstract: Disclosed is a system and method for enterprise authentication. An enterprise cluster includes one or more enterprise appliances employing virtual machines managed by at least one hypervisor. Each virtual machine is associated with a respective virtual Trusted Platform Module (vTPM) secured by the hypervisor. An enterprise key (EK) is provided to the appliances of the enterprise cluster and imported into a vTPM associated with each appliance. When a user authentication request is received by a first appliance, the first appliance obtains a user encrypted key which was previously encrypted by a different vTPM on a different appliance with the same EK. The vTPM then signs a challenge based on decrypting the user encrypted key with the EK, completing the user authentication request.

Abstract: In various embodiments, authentication stations are distributed within a facility, particularly in spaces where mobile devices are predominantly used—e.g., a hospital's emergency department. Each such station includes a series of authentication devices. Mobile device may run applications for locating the nearest such station and, in some embodiments, pair wirelessly with the station so that authentication thereon will accord a user access to the desired resource via a mobile device.

Abstract: Representative embodiments of operating a secured device requiring user authentication include receiving a request from a user for operating the device without prior authentication; granting the user temporary access to the device in accordance with a security policy that specifies a predetermined time interval and/or a predetermined number of device operations within which authentication must occur to continue at least some operations of the device; computationally storing an audit trail identifying the temporary access and actions performed during the temporary access; and upon determining that authentication has not been provided within the predetermined time interval or number of device operations, preventing at least some operations of the device and updating the audit trail to specify expiration of the temporary access.

Abstract: Representative embodiments of secure authentication to a resource in accordance with a predefined, electronically stored quorum-based authentication policy include causing electronic interaction among multiple devices that constitute a quorum in accordance with the policy, computationally determining whether the interaction satisfies the policy, and if so, electronically according access to the resource to one or more individuals associated with the interacting device(s).

Abstract: Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.

Abstract: User authentication is performed using a camera to capture the user's identifying information (such as facial features) but the camera remains concealed until needed, thereby eliminating (or at least reducing) anxiety and privacy concerns. For example, the camera, when unneeded for authentication, may be hidden behind a retractable shutter or “smart” barrier that can change its state from translucent to transparent and vice versa.

Abstract: In various embodiments, the predicted location of a user within an institutional space is associated with a node at or near that location, and a virtual desktop is prepared before a user has actually logged on and authenticated. Although users are not accorded access to applications and sensitive data until they have properly authenticated themselves, the virtual desktop and associated data are assembled and retrieved in the background in order to eliminate delay following log-on.

Abstract: In vision-based authentication platforms for secure resources such as computer systems, false positives and/or false negatives in the detection of walk-away events are reduced or eliminated by incorporating depth information into tracking authenticated system operators.

Abstract: Embodiments of the present invention analyze multiple factors—such as user input events, device motion data, other data from the endpoint, or data from an external system (such as a real-time location system)—to make a probabilistic determination whether a walkaway event has occurred.

Abstract: The locations of electronic devices in an institutional facility are determined based on interaction with the wireless mobile devices of users who roam though the facility and interact with (or are detected by) the devices.

Abstract: Representative embodiments of secure authentication to a resource in accordance with a predefined, electronically stored quorum-based authentication policy include causing electronic interaction among multiple devices that constitute a quorum in accordance with the policy, computationally determining whether the interaction satisfies the policy, and if so, electronically according access to the resource to one or more individuals associated with the interacting device(s).

Abstract: Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication.

Abstract: In various embodiments, authentication stations are distributed within a facility, particularly in spaces where mobile devices are predominantly used—e.g., a hospital's emergency department. Each such station includes a series of authentication devices. Mobile device may run applications for locating the nearest such station and, in some embodiments, pair wirelessly with the station so that authentication thereon will accord a user access to the desired resource via a mobile device.

Abstract: Representative embodiments of operating a secured device requiring user authentication include receiving a request from a user for operating the device without prior authentication; granting the user temporary access to the device in accordance with a security policy that specifies a predetermined time interval and/or a predetermined number of device operations within which authentication must occur to continue at least some operations of the device; computationally storing an audit trail identifying the temporary access and actions performed during the temporary access; and upon determining that authentication has not been provided within the predetermined time interval or number of device operations, preventing at least some operations of the device and updating the audit trail to specify expiration of the temporary access.

Abstract: Convenient sharing of information among authorized network users may be facilitated by allowing a user to send information originating from multiple applications in aggregate form to another user, e.g., using a secure messaging service. In scenarios where data access is restricted, a server may check the recipient's access privileges prior to forwarding the information to her.

Abstract: In vision-based authentication platforms for secure resources such as computer systems, false positives and/or false negatives in the detection of walk-away events are reduced or eliminated by incorporating depth information into tracking authenticated system operators.

Abstract: Firmware updates for, e.g., thin client devices may be achieved in a seamless, non-disruptive manner using a two-stage firmware loader, including a base loader pre-installed on the device and a caching loader downloaded, by the base loader, from a firmware server and thereafter responsible for downloading and updating other firmware application packages.

Abstract: Convenient sharing of information among authorized network users may be facilitated by allowing a user to send information originating from multiple applications in aggregate form to another user, e.g., using a secure messaging service. In scenarios where data access is restricted, a server may check the recipient's access privileges prior to forwarding the information to her.

Abstract: In various embodiments, the predicted location of a user within an institutional space is associated with a node at or near that location, and a virtual desktop is prepared before a user has actually logged on and authenticated. Although users are not accorded access to applications and sensitive data until they have properly authenticated themselves, the virtual desktop and associated data are assembled and retrieved in the background in order to eliminate delay following log-on.