Patents Examined by Piotr Poltorak
  • Patent number: 11416771
    Abstract: Mechanisms are provided for identifying risky user entitlements in an identity and access management (IAM) computing system. A self-learning peer group analysis (SLPGA) engine receives an IAM data set which specifies user attributes of users of computing resources and entitlements allocated to the users for accessing the computing resources. The SLPGA engine generates a user-entitlement matrix, performs a machine learning matrix decomposition operation on the user-entitlement matrix to identify excessive entitlement allocations, and performs a conditional entropy analysis of the user attributes and entitlements in the IAM data set to identify a set of user attributes for defining peer groups. The SLPGA engine performs a commonality analysis of user attributes and entitlements for each of one or more peer groups defined based on the set of user attributes, and identifies outlier entitlements based on the identification of the excessive entitlement allocations and results of the commonality analysis.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: August 16, 2022
    Assignee: International Business Machines Corporation
    Inventors: Priti P. Patil, Kushaal Veijay, Ian M. Molloy
  • Patent number: 11411952
    Abstract: A system described herein may provide for multiple levels of authentication, such that a User Equipment (“UE”) may receive secure content from an application server, which may include or may be implemented by a multi-access edge computing (“MEC”) system. As described herein, a user associated with a UE may register the UE and/or a particular application with an authentication system and/or the application server. The registration of the UE and/or the application may establish a “trust” relationship between the authentication system and the UE, such that a user-level authentication performed by the UE, such as biometric authentication, may be accepted by the authentication system and/or the application system as an authentication of the user.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: August 9, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Umesh Kumar Gupta, Bharadwaj Vemuri, Binaben Dipesh Patel, Masudur Rahman
  • Patent number: 11403378
    Abstract: An electronic apparatus for performing a user authentication is provided. The electronic apparatus includes an input and at least one processor configured to perform a user authentication based on user authentication information input through the input and user authentication information pre-stored in the electronic apparatus while the electronic apparatus is in a lock state, switch the electronic apparatus to be in a lock release state when the user authentication is successful, and enhance security for use of the electronic apparatus in the lock release state when the user authentication is successful based on the user authentication information input after a user authentication failure occurs from the input of the user authentication information input a predetermined number of times or more.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: August 2, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Wonjoon Cho, Jinsung Kim
  • Patent number: 11405388
    Abstract: The present invention reduces the risk of user biometric information being leaked to a third party. A biometric authentication device (820) receives an echo signal (response signal) from a client device. The echo signal is formed as a result of an inspection signal being applied to an authentication subject by a client device, and the inspection signal being transmitted into the body or to the surface of the body of the authentication subject and changing into the echo signal. The biometric authentication device (820) comprises: an inspection signal generation unit (821) that generates the same inspection signal as the client device; a transmission characteristic calculation unit (823) that calculates, from the inspection signal and the echo signal, a transmission characteristic of the authentication subject; and an authentication unit (824) that authenticates the authentication subject by comparing a preregistered first transmission characteristic and a calculated second transmission characteristic.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: August 2, 2022
    Assignee: NEC CORPORATION
    Inventor: Takayuki Arakawa
  • Patent number: 11394706
    Abstract: The technology disclosed herein provides a system for allowing users to login into one or more devices without a password. Implementations of the system include one or more biometric data collection devices (shoe, glasses, watch) and a device configured to store one or more user identification data, receive a request for user verification, request user's biometric data from one or more of the biometric data collection devices, generate a personal unclonable function (PUF) value based on combination of at least one of the user identification data and the user's biometric data, and verify the user's identity by comparing the PUF value to the user's PUF benchmark.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: July 19, 2022
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Jiangnan Lin, Xiong Liu, Wendy Pui Lai Wong, Padmaja Kannan, Manuel Offenberg
  • Patent number: 11394712
    Abstract: A computing device receives, from a first client device, a request for a security token to authenticate a transaction session for a user account administered by a network resource, the first client device being associated with the user account. In response to the request, the computing device generates and sends a security token to the first client device, which communicates the security token to a second client device. The computing device receives, from the second client device, a modified security token that includes the security token and a signature on the security token using a first key stored in a trusted hardware component coupled to the second client device. A second key corresponding to the first key is registered with the network resource. The computing device verifies the modified security token using the second key. Upon successfully verifying the modified security token, the computing device enables the transaction session.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: July 19, 2022
    Assignee: Anchor Labs, Inc.
    Inventors: Diogo Monica, Nathan P. McCauley, Riyaz D. Faizullabhoy, Boaz Avital
  • Patent number: 11386210
    Abstract: The present disclosure provides a method, system, and device for inquiry response mapping for determining a cybersecurity risk level of an entity. To manage and/or evaluate a cybersecurity risk level based on a relationship between a first entity and a second entity, questionnaires (e.g., requests or inquiries) are often exchanged between two entities. One or more aspects of the present disclosure provide populating data sets (e.g., questionnaires) indicative of risk level for the first entity or the second entity. One or more other aspects of the present disclosure further provide determining a cybersecurity risk level of an entity by mapping responses to a plurality of inquiry sets directed to the first entity or the second entity.
    Type: Grant
    Filed: January 24, 2020
    Date of Patent: July 12, 2022
    Assignee: SecurityScorecard, Inc.
    Inventors: Samuel Kassoumeh, Dolly Krishnaswamy, A. Robert Sohval
  • Patent number: 11368843
    Abstract: The authentication information processing method includes acquiring related information generated for each of a plurality of base points representing feature points of biometric information extracted from an image, for a collation base point and a registration base point. The collation base point is included in authentication information for collation used for biometric authentication. The registration base point is included in authentication information for registration. The related information associates attribute information with a central base point.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: June 21, 2022
    Assignees: KABUSHIKI KAISHA DDS
    Inventor: Tatsuki Yoshimine
  • Patent number: 11341222
    Abstract: The present invention allows for the creation of a biometrically secure environment that allows viewing, editing and sharing of confidential documents, or the like, in public places, without worrying that someone will see the contents. The invention provides privacy, for example for the purposes of reading documents, in a public environment while having the confidence that you are the only one able to read the document. Privacy may be achieved through methods of identification using biometric features, such as: face, iris or voice recognition. Verification that a real person is viewing the document may also be achieved by pulse recognition. In one embodiment, the screen will shut down when more than one person looks directly at the screen.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: May 24, 2022
    Assignee: Smart Eye Technology, Inc.
    Inventor: Dexter A. Caffey
  • Patent number: 11316867
    Abstract: A transmitting computing system's use of an audio signal to grant users of receiving computing systems access to a resource. These other receiving systems are in close proximity to the transmitting system so that they hear the audio signal on their microphones. Upon receiving the audio signal, a given receiving system sends a message representing that received audio signal to a resource server system that regulates access to that resource. The transmitting system and resource server system may have coordinated that the ability to send such a message is sufficient for access to be granted to the sender of that message. The resource server system thus determines that the message correlates to the resource, and thereby grants the user of the receiving system access to the resource. Thus, the principles described herein allow for an actual audio signal to efficiently grant resource access to other proximate users.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: April 26, 2022
    Inventor: Wing Hong Michael Lam
  • Patent number: 11316849
    Abstract: Mutual authentication techniques are described in this patent document. For example, when a first person calls a second person, neither of them know that the other person is who he or she says he or she is. Thus, after a second person receives the call, the second person is asked to authenticate himself or herself using a user device. After the second person logs into his or her account, the second person can input on the user device a one-time passcode to authenticate the first person. The user device sends the passcode to an authentication server that allows the first person to send back the inputted one-time passcode to the second person. Upon receiving the inputted one-time passcode, the second person can use his or her user device to indicate that the one-time passcode is correct so that the second person can be authenticated to access the first person's account.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: April 26, 2022
    Assignee: UNITED SERVICES AUTOMOBILE ASSOCIATION (USAA)
    Inventor: Steven Anzaldua
  • Patent number: 11310232
    Abstract: There are provided a network identity authentication method, a network identity authentication system, a user agent device used in the network identity authentication method and the network identity authentication system, and a computer-readable storage medium. The network identity authentication method includes: acquiring, by a user agent, identity information and a registration rule of a target website via a network terminal; acquiring registration information for the target website based on the identity information or generating registration information for the target website according to the registration rule; transmitting the identity information and the registration information to a server agent and sending, by the server agent based on the identity information and the registration information, an authentication request to a website server to complete an authentication process.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: April 19, 2022
    Assignee: GUANGDONG UNIVERSITY OF TECHNOLOGY
    Inventors: Wenyin Liu, Xin Li, Zhiheng Shen, Jialong Zhang, Shuai Fan, Qixiang Zhang, Jiahong Wu
  • Patent number: 11303630
    Abstract: A method for initiating a secure session using a smartphone as a physical token to provide strong authentication. The phone is used through a public and independent real-time notification service. The notifications are exchanged in an encrypted manner so that their content is only accessible to the mobile phone and the authentication server.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: April 12, 2022
    Assignee: BULL SAS
    Inventors: Gérard Dedieu, David Cossard, Boksic Rodrigo
  • Patent number: 11297062
    Abstract: A system includes a configuration management server operable to interface with a plurality of client devices via a network. The configuration management server includes a processor that is configured to track a change history of modifications to one or more records of a plurality of system data and credential data. An authorization status of a user of an access client of one of the client devices is determined. An authorized view of a selected record of the one or more records is output to the access client. One or more fields of the selected record are displayed based on the authorization status. An output of the change history of modifications to the one or more fields of the selected record to the access client is limited based on the authorization status.
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: April 5, 2022
    Assignee: CARRIER CORPORATION
    Inventors: Ed Gauthier, Ben Holm
  • Patent number: 11290433
    Abstract: A networked device communication system can configure network devices (e.g., a primary and secondary database) to send and receive sequences of messages, such as replicated data, using one or more keypairs and wrapping keys. The sequences of messages can include an initial set of messages that are encrypted by a wrapping key, and further include another set of messages that are encrypted by a replaced staggered key. The sequence of messages can be configured to be decrypted without exporting keys of hardware security modules.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: March 29, 2022
    Assignee: Snowflake Inc.
    Inventors: Damien Carru, Robert Bengt Benedikt Gernhardt, Martin Hentschel, Nithin Mahesh, Eric Robinson
  • Patent number: 11290445
    Abstract: A server may include at least one server processor configured to execute an application. A desktop virtualization system may include at least one desktop virtualization processor. The desktop virtualization processor may be configured to instantiate a virtual desktop; authenticate a user of a client device; in response to authenticating the user of the client device, place the client device in communication with the virtual desktop through at least one network; launch a secure browser in the virtual desktop; and using the secure browser, place the client device in communication with the server through the at least one network. The application may be configured to perform processing in response to at least one command from the client device. The processing may include generating a one-time passcode, establishing a code word not communicated through the at least one network, and sending a message including the one-time passcode to a sender client device.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: March 29, 2022
    Assignee: AXOS BANK
    Inventor: Carlos M. Cu Castro
  • Patent number: 11283791
    Abstract: A method for re-provisioning a user equipment (UE, 140) after a first digital security certificate for the UE (140) has expired includes communicating content data to a controller (130) over a first secure communication channel after verification of a validity of a first digital security certificate. Once it is realized the first digital security certificate has expired, the UE (140) sends a certificate provisioning request message over an unsecure channel to the controller (130) as a request to the controller (130) to provision a second digital security certificate. The UE (140) signs the certificate provisioning request message with the private key for the now expired first digital security certificate. A second digital security certificate is signed by the rescue-secret private key at the controller (130) and sent to the UE (140), which verifies its authenticity with the corresponding rescue-secret public key.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: March 22, 2022
    Assignee: AXIS AB
    Inventors: Magnus Eriksson, Stefan Andersson, Fredrik Hugosson, Jerry Olsson
  • Patent number: 11284257
    Abstract: In accordance with some embodiments, an apparatus for privacy protection is provided. The apparatus includes a housing arranged to hold a personal communication device. The apparatus further includes a local communication device at least partially supported by the housing, where the local communication device includes a personal communication device interface modem operable to provide a communication channel between the peripheral interface and the personal communication device. The apparatus further includes a validation engine coupled to the local communication device and operable to validate at least one of one or more portions of the personal communication device, a user of the personal communication device, or operational status of the personal communication device through the local communication device.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: March 22, 2022
    Assignee: PPIP, LLC
    Inventors: Michael Fong, Nerie Hsin-Wu Fong, Teddy David Thomas
  • Patent number: 11275843
    Abstract: The present disclosure provides a method, system, and device for inquiry response mapping for determining a cybersecurity risk level of an entity. To manage and/or evaluate a cybersecurity risk level based on a relationship between a first entity and a second entity, questionnaires (e.g., requests or inquiries) are often exchanged between two entities. One or more aspects of the present disclosure provide populating data sets (e.g., questionnaires) indicative of risk level for the first entity or the second entity. One or more other aspects of the present disclosure further provide determining a cybersecurity risk level of an entity by mapping responses to a plurality of inquiry sets directed to the first entity or the second entity.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: March 15, 2022
    Assignee: SecurityScorecard, Inc.
    Inventors: Samuel Kassoumeh, Dolly Krishnaswamy, A. Robert Sohval
  • Patent number: 11265306
    Abstract: A method of authenticating an account is provided. A resource access request requesting for accessing, by a first account, a target resource in a cloud storage system is received by a server from a first client, the first account logging in to the first client. In response to the resource access request, a first access right of the first account is determined by the server based on right configuration information corresponding to the target resource, the right configuration information indicating an association relationship between an account and an access right of the account to the target resource. The first account is allowed by the server to access the target resource through the first client based on the first access right indicating that the first account is allowed to access the target resource.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: March 1, 2022
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LTD
    Inventor: Zhe Yuan