Abstract: A system and method for improving network performance of DNS queries. The system includes a terminal which receives DNS queries from a customer premise equipment (CPE), and supplies matching DNS records in response to the queries. The terminal monitors all traffic from the CPE and generates a preload list containing domains and a time schedule at which name resolution should be requested for the domains. A DNS preload client in the CPE receives the preload list from the terminal, and submits preload DNS queries for name resolution of domains contained in the preload list at times specified in the time schedule. Preload records supplied in response to the preload DNS queries are stored by the CPE and used to resolve DNS queries from applications installed on the CPE.

Abstract: A server may include at least one server processor configured to execute an application. A desktop virtualization system may include at least one desktop virtualization processor. The desktop virtualization processor may be configured to instantiate a virtual desktop; authenticate a user of a client device; in response to authenticating the user of the client device, place the client device in communication with the virtual desktop through at least one network; launch a secure browser in the virtual desktop; and using the secure browser, place the client device in communication with the server through the at least one network. The application may be configured to perform processing in response to at least one command from the client device sent through the secure browser of the virtual desktop.

Abstract: Devices, systems, and methods with behavioral one-time-passcode (OTP) generation. In one example, a server includes a memory and an electronic processor communicatively connected to the memory. The memory includes a behavioral one-time-passcode (OTP) program and a user profile repository. The electronic processor, when executing the behavioral OTP program, is configured to receive a one-time-passcode (OTP) request, generate a behavioral one-time-passcode (OTP) based on a user profile stored in the user profile repository in response to receiving the OTP request, and output the behavioral OTP that is generated.

Abstract: Disclosed are systems and methods for managing online identity authentication risk in a nuanced identity system. For example, a method may include receiving a request by a user for a transaction on an electronic platform; determining a risk associated with the requested transaction; determining a current level of assurance associated with the user on the electronic platform; determining that the risk exceeds the current level of assurance; adjusting the current level of assurance such that the adjusted level of assurance exceeds the risk; and executing the requested transaction on the electronic platform after adjusting the current level of assurance.

Abstract: Provided are methods and systems for performing a secure machine learning analysis over an instance of data. An example method includes acquiring, by a client, a homomorphic encryption scheme, and at least one machine learning model data structure. The method further includes generating, using the encryption scheme, at least one homomorphically encrypted data structure, and sending the encrypted data structure to at least one server. The method includes executing a machine learning model, by the at least one server based on the encrypted data structure to obtain an encrypted result. The method further includes sending, by the server, the encrypted result to the client where the encrypted result is decrypted. The machine learning model includes neural networks and decision trees.

Abstract: A modular biometric station system is used to form one or more modular biometric stations with cohesive form factors. Such biometric stations include a core unit, one or more end caps, and one or more modules. The modules may be configured to communicably and electrically couple to one or more of the end caps. The end caps may be configured to communicably and electrically couple to the core unit and/or one or more of the modules and may communicably and electrically couple one or more of the modules to the core unit. The core unit, end caps, and/or the modules may be able to communicably interact when coupled together. The core unit, end caps, and modules may all share a form factor. The core unit may include hardware and/or software that satisfies common requirements, and the modules may include peripherals and/or other components that can be coupled to the core unit to adapt the modular biometric station to a variety of different needs of different applications.

Abstract: Provided are embodiments of systems, devices and methods for multi-factor identity verification, which may include utilization of automated picture ID to Selfie matching, cross-reference address information, biometrics and geo-location information and unique smartphone device identifiers, especially in the context of healthcare industry.

Abstract: Blockchain-controlled and location-validated locking systems and methods are described. A method includes maintaining state information for a lock, where the first state of the lock corresponds to an open state and the second to a locked state. The method further includes receiving a current location of a device associated with a person, authorized to change a state of the lock, attempting to change a state of the lock and a current location of the lock. The method further includes receiving a digital signature from the device. The method further includes automatically transmitting a control signal to the lock to change the state of the lock only when the current location of the person is determined to be the same as the current location of the lock and a valid proof of work is performed by a miner associated with a blockchain configured to manage transactions corresponding to the lock.

Abstract: A method of providing at least one communications service provider a connection to an Internet Protocol, IP, server in a perimeter network, the IP server providing a service over a public IP network, the method comprising the steps of detecting, in the perimeter network, an irregularity in IP traffic arriving at the perimeter network over the public IP network, disregarding, in the perimeter network, IP traffic arriving at the perimeter network over the public IP network, and enabling, in the perimeter network, a connection between the IP server and the at least one communications service provider for the service provided by the IP server over at least one private IP network.

Abstract: A method including configuring a virtual private network (VPN) server, having established VPN connections with one or more user devices, aggregate amounts of VPN data communicated with a host device; configuring the VPN server to determine difference amounts indicating differences in the aggregate amounts of VPN data; configuring the VPN server to determine average aggregate amounts of VPN data; configuring the VPN server to determine a largest average aggregate amount, from among the average aggregate amounts, as an average threshold level; and configuring the VPN server to selectively transmit a notification to the one or more devices indicating that the one or more user devices is to manage transmission of data from the one or more user devices based at least in part on a result of comparing the average threshold level with an observed average aggregate amount. Various other aspects are contemplated.

Abstract: A method including receiving, by a device from a virtual private network (VPN) server, a notification indicating that the device is to manage transmission of data from the device to the VPN server, the notification being received based at least in part on a determination that an observed average aggregate amount of VPN data communicated with a host device satisfies an average threshold level associated with an aggregate amount of VPN data communicated with the host device; and managing, by the device, transmission of the data from the device to the VPN server based at least in part on receiving the notification. Various other aspects are contemplated.

Abstract: Mutual authentication techniques are described in this patent document. For example, when a first person calls a second person, neither of them know that the other person is who he or she says he or she is. Thus, after a second person receives the call, the second person is asked to authenticate himself or herself using a user device. After the second person logs into his or her account, the second person can input on the user device a one-time passcode to authenticate the first person. The user device sends the passcode to an authentication server that allows the first person to send back the inputted one-time passcode to the second person. Upon receiving the inputted one-time passcode, the second person can use his or her user device to indicate that the one-time passcode is correct so that the second person can be authenticated to access the first person's account.

Abstract: Multi-RAT UEs currently have 2 independent paths to authenticate with HSS (e.g., via the MME or the 3GPP AAA Server causing repeated authentication messages to HSS). The use of one unified authentication path between the UE and HSS for Small Cell and Wi-Fi authentication is described. First, a new 3GPP EPC-TWAN interworking architecture has the MME manage all the authentication requests from multi-RAT UEs. Second, new unified authentication procedures are added, which allow the ISWN-based multi-RAT UE to be authenticated directly with the HSS, irrespective of its current access network (TWAN or HeNB). Third, new fast re-authentication procedures for Inter-RAT handover scenarios are done. Finally, the needed extensions to the various standard protocol messages to execute the authentication procedures are described.

Abstract: The present invention relates to a biometric-based identity authentication method and system.

Abstract: A server computer system comprises a communications module; a processor coupled with the communications module; and a memory coupled to the processor and storing processor-executable instructions which, when executed by the processor, configure the processor to receive, via the communications module and from a remote computing device, a signal including a request to provision a data record for a service; select digital identity network verification as a primary verification technique; attempt verification using the primary verification technique; determine that verification using the primary verification technique has failed; responsive to determining that verification using the primary verification technique has failed, attempt verification using a secondary verification technique; determine successful verification using the secondary verification technique; and responsive to successful verification using the secondary verification technique, provision the data record for the service.

Abstract: A method and system for processing a transaction based on biometric data and access data is disclosed. Different accounts and providers may be used to process transactions, using different message formats, based on user-configured mappings. In one example, the method includes receiving, by a message processing system, an authorization request message from an access device, the authorization request message comprising a biometric template and access data. An interaction entity record identifier, associated with an interaction entity from among a plurality of different interaction entities that process messages in different message formats, may be retrieved. The authorization request message may be converted from a first format to a second format, the second format being compatible with message processing by the interaction entity. The converted authorization request message may be transmitted to the interaction entity for determining whether to authorize the transaction.

Abstract: Described herein are a system and techniques for identifying and preventing certain fraud attacks that may be used to defeat facial recognition systems. In embodiments of the system described herein, biometric data may be segregated into regions, which are then processed separately and in parallel. Likeness scores are determined for each of the separate regions. By tracking individual region likeness scores used in access requests in accordance with embodiments of the disclosure, the system is able to identify potential fraud attacks that cannot be detected using conventional systems.

Abstract: Systems and methods related to a lock for providing contactless secure access to an automobile are described. A current state of the lock can be changed based on an exchange of information, via a wireless interface, between a mobile device and the lock. The exchange of information includes a use of a sharable digital key associated with at least one of a set of persons authorized to change a state of the lock. The exchange of information is configurable to operate in a first mode or a second mode. In the first mode, no identity-related information from at least one set of persons attempting to change the state of the lock to is required. In the second mode, identity-related information from at least one of a set of persons attempting to change the state of the lock is required.

Abstract: A server may include at least one server processor configured to execute an application. A desktop virtualization system may include at least one desktop virtualization processor. The desktop virtualization processor may be configured to instantiate a virtual desktop; authenticate a user of a client device; in response to authenticating the user of the client device, place the client device in communication with the virtual desktop through at least one network; launch a secure browser in the virtual desktop; and using the secure browser, place the client device in communication with the server through the at least one network. The application may be configured to perform processing in response to at least one command from the client device. The processing may include generating a one-time passcode, establishing a code word not communicated through the at least one network, and sending a message including the one-time passcode to a sender client device.

Abstract: An authentication method for a user to access service providers through an online enabled device, an offline authentication device configured to authenticate a user to service providers through online enabled devices, and a user authentication system comprising a authentication device, an online enabled device and online service providers.