Patents by Inventor Boris Kronrod

Boris Kronrod has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11005859
    Abstract: Techniques are provided for preventing suspicious computer operations using a multi-channel protocol. An exemplary method includes detecting an operation comprising suspicious activity on a first device of a user; in response to the detecting, providing a control signal to suspend the operation on the first device; providing a notification of the suspicious activity to an identity system, wherein the identity system (i) provides an approval request to a distinct second device of the user to verify whether the operation is an authorized operation, (ii) receives a reply from the second device comprising an indication of whether the operation is an authorized operation, and (iii) notifies the first device of whether the operation is an authorized operation; and providing a control signal to enable the operation to proceed on the first device responsive to the reply from the second device indicating that the operation was an authorized operation.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: May 11, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Ayelet Biger-Levin, Maor Franco
  • Patent number: 10721236
    Abstract: There is disclosed herein a technique for use in security. In at least one embodiment, the technique comprises receiving information relating to users and performing an affinity propagation clustering operation in connection with the information to identify a cluster of similar users. Further, the technique determines a risk in connection with a user in the cluster by comparing the user to one or more other users in the cluster. Still further, based on the risk in connection with the user, the technique controls access by the user to a computerized resource.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: July 21, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Alex Zaslavsky, Zohar Duchin
  • Patent number: 10516527
    Abstract: Split-key based cryptography techniques are provided for data protection and synchronization across multiple computing devices of a user. A method performed by a first device of a user comprises encrypting a data using a randomly-generated data encryption key; wrapping the data encryption key with a public key of a second device of the user; and sending the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to a server. The server sends the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to the second device. The first device or the second device can access the encrypted data by reconstructing their respective private key using a predefined number of shares obtained using a key splitting scheme.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: December 24, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Boris Kronrod, Kevin D. Bowers
  • Patent number: 10255558
    Abstract: A method is used in managing knowledge-based authentication systems. A set of factors is evaluated for gathering organization based information from a set of information sources for authenticating a user in a knowledge-based authentication system. The organization based information is collected based on the evaluation.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: April 9, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Oren Menes, Lior Nudelman
  • Patent number: 10146931
    Abstract: A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: December 4, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Lawrence N. Friedman
  • Patent number: 9779220
    Abstract: A method includes (a) selecting a first token column or a second token column of a token table as an active token column based upon the value of a current token flag, (b) selecting a row of the token table uniquely associated with a sensitive piece of data, the selected row having a first token field storing a first token value and a second token field storing a second token value, (c) selectively extracting an active token value from the first token field when the first token column is the active token column and from the second token field when the second token column is the active token column, (d) selecting a row of a data table having the extracted active token value within a token field, and (e) causing contents of the selected row of the data table to be displayed to a user over a user interface.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Shadi Ibrahim, Oleg Freylafert
  • Patent number: 9754209
    Abstract: A method is used in managing knowledge-based authentication systems. Questions are created from organization based information. The questions are evaluated based on a set of parameters. Based on the evaluation, a set of questions is selected from the questions and a set of responses is selected for each question of the set of questions for a scenario. A user is authenticated in the scenario using the set of questions.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: September 5, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Boris Kronrod, Ido Zilberberg
  • Patent number: 9356919
    Abstract: Methods, apparatus and articles of manufacture for automated discovery of knowledge-based authentication components are provided herein. A method includes analyzing entity-related information to identify one or more individuals within the entity for exclusion from one or more authentication requirements in connection with one or more operations associated with the entity, wherein said analyzing is based on one or more pre-defined parameters, and querying an agent of the entity to approve each of the one or more individuals identified within the entity for exclusion from the one or more authentication requirements.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: May 31, 2016
    Assignee: EMC Corporation
    Inventors: Erez Yakoel, Lior Nudelman, Boris Kronrod, Ram Reuveni
  • Patent number: 9152775
    Abstract: An improved technique involves generating KBA questions from facts obtained from a personal information management (PIM) server under the control of an organization. Along these lines, such an organization acquires facts from documents such as emails, meeting notices, presentations, and spreadsheets that are stored on a PIM server such as a Microsoft® Exchange server or IBM Lotus® Domino server. A KBA server then generates KBA questions from the acquired facts and stores the KBA questions on a question server. In some arrangements, the KBA server filters out KBA questions based on the nature of the facts from which the KBA questions were derived. The remaining KBA questions are ranked based on historical question data; the KBA server provides the most highly ranked KBA questions to a user claiming to be a member of the organization.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Boris Kronrod, Ayelet Avni, Lior Nudelman, Oren Menes
  • Patent number: 9130753
    Abstract: An authentication technique employs a security device that communicates with a software token construct installed on a user device via a connector. The technique includes secure provisioning of an authentication seed and safe storage of the seed in encrypted form on the user device. A key for decrypting the seed is stored within the security device, and token codes are generated by physically connecting the security device to the user device and conveying the encrypted seed from the user device to the security device over the connector.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: September 8, 2015
    Assignee: EMC Corporation
    Inventors: Boris Kronrod, Yedidya Dotan
  • Patent number: 9092599
    Abstract: A method is used in managing knowledge-based authentication systems. Organization based information is analyzed for information that is suitable for creating a set of responses for a question. The question is used for authenticating a user. A set of responses is created for the question based on a set of parameters. The set of responses includes incorrect responses to the question along with a correct response. The incorrect responses help in identifying an unauthorized user.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: July 28, 2015
    Assignee: EMC Corporation
    Inventors: Boris Kronrod, Ayelet Avni, Lior Nudelman, Oren Menes
  • Patent number: 9078129
    Abstract: An improved technique involves authenticating a user requesting access to a particular mobile device using knowledge-based authentication (KBA) questions generated from data taken from a group of mobile devices to which the particular mobile device belongs. Along these lines, consider a corporation that has a group of mobile devices distributed to its employees. The mobile devices provide data to an enterprise KBA (eKBA) server regarding events on each of the mobile devices. Because an owner of a mobile device belongs to a group of employees, the owner is able to answer questions regarding fellow employees. On the other hand, a malicious user that illegitimately gains access to the owner's mobile device will not be able to answer such questions, even if the malicious user knows details about the owner.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: July 7, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Ayelet Levin, Ayelet Avni, Boris Kronrod
  • Patent number: 9049596
    Abstract: An improved technique involves employing knowledge based authentication (KBA) to validate a user trying to reissue a SIM card. Along these lines, when a user goes to a mobile device vendor and requests a reissue of a SIM card, the vendor relays that request to an authentication server which in turn sends KBA questions to the user. The KBA questions are based on data available to the mobile carrier to which the genuine subscriber subscribes. Such data concerns information including calls made and received, amount of minutes and data used in a month, and amount billed in particular months. The vendor honors or denies the request to reissue the SIM card based on the answers submitted by the user to the authentication server.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: June 2, 2015
    Assignee: EMC Corporation
    Inventor: Boris Kronrod
  • Patent number: 8856658
    Abstract: Method and system for generating user interactions in a flow-based engine during the execution of a synchronous flow which potentially represent the logic for handling another user interaction. The method encapsulates and hides the asynchronous nature of the user interaction, thus enabling the author of the business flow to use the user interaction as a single synchronous action oblivious to the underlying asynchronous implementation, said method comprising of the steps: defining user interactions action in a business flow diagram as an atomic action; translating said flow into executable form; executing said flow, presenting said UI to end-user as a replacement to the original UI response for which the flow was invoked; receiving end-user response; resuming said flow and using said response in subsequent flow commands and continuing the original user interaction session.
    Type: Grant
    Filed: September 20, 2007
    Date of Patent: October 7, 2014
    Assignee: Flash Networks Ltd.
    Inventors: Eyal Brosh, Jacob Hecht, Boris Kronrod
  • Patent number: 8850537
    Abstract: An improved technique involves automatically producing a set of KBA questions using values of attributes associated with correctly answered questions. A KBA question server obtains such attribute values from a prior set of pilot questions taken from users who were successfully authenticated. Examples of attributes include a source of facts in a question, placement of facts in a question, and question structure. The KBA question server then generates optimal formatting rules based on the attribute values; such formatting rules define a relationship between facts used to derive KBA questions and the words used to express the KBA questions to users. The KBA question generator then produces KBA questions according to the formatting rules.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Yael Villa, Boris Kronrod
  • Patent number: 8782174
    Abstract: Methods, computer program products, and apparatuses are provided for securely exchanging a data file between a client machine and a remote application server (e.g., a banking application operating on a banking server) in the context of a user communicating with the remote application server through a secure virtualized environment running on a virtualization server.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: July 15, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Ayelet Levin, Boris Kronrod
  • Patent number: 8769289
    Abstract: A user accessing a protected resource is authenticated using multiple channels, including a mobile device of the user. A user attempting to access a protected resource is authenticated by receiving a request from a mobile device of the user to access the protected resource; receiving a public key from the mobile device of the user; providing a provision token to the mobile device, wherein the provision token is used by the user to access the protected resource using a second device; and confirming the provision token to a provider of the protected resource to authorize the user to access the protected resource. The user then communicates with the provider using a second device to authorize the provisioning token. A transaction signing protocol is also provided.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: July 1, 2014
    Assignee: EMC Corporation
    Inventor: Boris Kronrod
  • Patent number: 8694993
    Abstract: A modular virtualization platform is provided for secured communications between a user device and an application server. A client-side computing device performs secured communications during a virtual session with an application server across a network. The client-side computing device loads a virtual machine client; and selects a remote module to serve as a virtualization server for the virtual session based on one or more performance factors. The virtual session is established with the selected module, and secured communications can occur between the client-side computing device and the application server via the virtual session of the selected module. The performance factors can be collected from a plurality of modules using a peer-to-peer gossip-based state notification process. A route list preferably stores the performance factors for a plurality of modules. The route list can contain pointers to a plurality of remote modules in a plurality of virtualization platforms, to increase reliability.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: April 8, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Boris Kronrod, Orit Yaron, Lawrence N. Friedman, Assaf Shoval
  • Patent number: 8677472
    Abstract: A method of operating a VM server (VMS) is described, including (a) executing a VM instance (VMI) at the VMS, the VMI having a remote display within a terminal program of a client computer, the terminal program being configured to send commands received by the client from a user to the VMS to affect operation of the VMI, (b) running a browser within the VMI, the browser having a connection to a secure web application running on a web application server, the commands sent from the terminal program to the VMS allowing the user to interact with the web application via the terminal program and the browser running on the VMI, (c) at the VMS, asynchronously collecting information in connection with the commands sent from the user to the VMS, and (d) at the VMS, asynchronously sending the collected information to an analysis server to be analyzed for anomalous behavior.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: March 18, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Yael Villa, Ayelet Levin, Boris Kronrod, Lawrence N. Friedman
  • Publication number: 20090083632
    Abstract: Method and system for generating user interactions in a flow-based engine during the execution of a synchronous flow which potentially represent the logic for handling another user interaction. The method encapsulates and hides the asynchronous nature of the user interaction, thus enabling the author of the business flow to use the user interaction as a single synchronous action oblivious to the underlying asynchronous implementation, said method comprising of the steps: defining user interactions action in a business flow diagram as an atomic action; translating said flow into executable form; executing said flow, presenting said UI to end-user as a replacement to the original UI response for which the flow was invoked; receiving end-user response; resuming said flow and using said response in subsequent flow commands and continuing the original user interaction session.
    Type: Application
    Filed: September 20, 2007
    Publication date: March 26, 2009
    Inventors: Eyal Brosh, Jacob Hecht, Boris Kronrod