Abstract: Apparatus and methods are described for searching and replacing user credentials in a multiple disparate credential store environment. Upon authentication of a user to change credentials, credential information of multiple disparate credential stores is searched. Upon population of search results, users indicate which of the credentials they desire to change and results are committed upon affirmative execution in a user interface dialog. In this manner, users locate their credential information, from whatever store, and change it in quantity or singularly from a single point of control. They can also fully understand how many passwords, secrets, keys, etc., they have over the many disparate stores available to them and affirmatively control their relationship to other credential information. Reversion of credential information to an earlier time is still another feature as is retrofitting existing SSO services. Computer program products and computing network interaction are also disclosed.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web is launched browser toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for coordinating user credentials across multiple disparate credential stores. A synchronizing engine requests and receives past and present credential information from the disparate credential stores. Users indicate which, if any, of the credential information they desire to synch together. Upon common formatting of the credential information, comparisons reveal whether differences exist between the past and present versions. If differences exist, the information is updated. In this manner, users link together various passwords, keys or other secrets to maintain convenience from a single point of control, such as in a single-sign-on (SSO) environment, regardless of the disparateness of the stores. The reverse is also possible such that linked credentials are accessible from the multiple stores. Retrofitting existing SSO services is another feature as are computer program products and computing network interaction.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web is launched browser toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for providing employee cards to employees, such as PIV cards to federal employees, including provisioning the employees to a more than one agency (and more than one card) without requiring multiple instances of enrolling and adjudicating the employee. Representatively, a sponsor enters information about the employee into a computer-displayed form (e.g., web-based). Biometric identity information is collected for the employee, but if such has already begun or is complete for at least a first agency, the collected information is used for a second agency without redundant collection. In the event an adjudication level of the first agency is at least as stringent as it is for the second agency, the employee is eligible to receive an employee card for the second agency, in addition to an employee card for the first agency.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a web browser pointed toward a web server and a Logon API for use with a password/credential. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, a DLL logs onto a user account which invokes the executable file to launch the web browser in the https protocol. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation via the Logon API, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc.

Abstract: Apparatus and methods utilize a single-sign-on (SSO) framework on one or more physical or virtual computing devices. During use, it is determined whether SSO credentials are for use in a volatile session and/or for use amongst an application suite or a plurality of applications. In the former, the SSO credentials are either made temporarily available in a memory of the computing devices, if relatively high security is desired, or a credential store and its contents are made available to a disk, if relatively low security is acceptable. In the latter, the SSO credentials are shared during authentication of a single user as individual applications of the application suite or the plurality of applications are used or started independently. Other features contemplate credential lifetime, the destruction of credentials, timing of application usage relative to credentials as well as retrofitting existing SSO services. Computer program products and computing interaction are also disclosed.

Abstract: Apparatus and methods arrange user credentials on physical or virtual computing devices utilizing a single-sign-on framework. During use, a plurality of target environments exist for a user to logon to one or more applications thereof, including at least a personal and workplace environment. One or more roles of the user are identified per each target environment, such as a shopper in the personal environment and an engineer or manager in the workplace environment. The user has credentials per each role and are used to logon using a single-sign-on session to access the one or more applications. The credentials are stored in a secret store corresponding to the defined roles of the user per either the personal or workplace environment. Workplace policies defining the roles or synching credentials are other features as are establishing default roles or retrofitting existing SSO services. Computer program products and computing interaction are also disclosed.

Abstract: Methods and apparatus provide tunneling one authentication framework over a more widely accepted framework (e.g., EAP). In this manner, pluralities of strong authentication protocols are wirelessly enabled between a supplicant and server that are not otherwise wirelessly enabled. During use, packets are wirelessly transmitted and received between the supplicant and server according to EAP's prescribed message format, including a wireless access point. In a tunnel, various authentication protocols form the payload component of the message format which yields execution capability of more than one protocol, instead of the typical single protocol authentication. Certain tunneled frameworks include NMAS, LDAP/SASL, Open LDAP/SLAPD, or IPSEC. Computer program products, computing systems and various interaction between the supplicant and server are also disclosed.

Abstract: Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a web browser pointed toward a web server and a Logon API for use with a password/credential. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, a DLL logs onto a user account which invokes the executable file to launch the web browser in the https protocol. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation via the Logon API, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for providing employee cards to employees, such as PIV cards to federal employees, including provisioning the employees to a more than one agency (and more than one card) without requiring multiple instances of enrolling and adjudicating the employee. Representatively, a sponsor enters information about the employee into a computer-displayed form (e.g., web-based). Biometric identity information is collected for the employee, but if such has already begun or is complete for at least a first agency, the collected information is used for a second agency without redundant collection. In the event an adjudication level of the first agency is at least as stringent as it is for the second agency, the employee is eligible to receive an employee card for the second agency, in addition to an employee card for the first agency.

Abstract: Apparatus and methods are described for using preferential credentials in an environment of multiple disparate credential stores. For at least two disparate credential stores, credential information is known, including a preferred credential indicated by a user. Upon indication of a desire to link another credential information to the preferred credential information, the two are mapped to one another. Users can sign-on, singularly, with the preferred credential information, and have access to both the disparate credential stores. A credential value can be shared by multiple credential ID's or one credential ID can be associated with multiple credential values thereby giving users the ability to cross-reference secrets and credentials for most efficiency. Default credentials are also possible as are retrofits for existing SSO services. Policy applications, computer program products and computing network interaction are other noteworthy features.

Abstract: Apparatus and methods are described for searching and replacing user credentials in a multiple disparate credential store environment. Upon authentication of a user to change credentials, credential information of multiple disparate credential stores is searched. Upon population of search results, users indicate which of the credentials they desire to change and results are committed upon affirmative execution in a user interface dialog. In this manner, users locate their credential information, from whatever store, and change it in quantity or singularly from a single point of control. They can also fully understand how many passwords, secrets, keys, etc., they have over the many disparate stores available to them and affirmatively control their relationship to other credential information. Reversion of credential information to an earlier time is still another feature as is retrofitting existing SSO services. Computer program products and computing network interaction are also disclosed.

Abstract: Apparatus and methods are described for coordinating user credentials across multiple disparate credential stores. A synchronizing engine requests and receives past and present credential information from the disparate credential stores. Users indicate which, if any, of the credential information they desire to synch together. Upon common formatting of the credential information, comparisons reveal whether differences exist between the past and present versions. If differences exist, the information is updated. In this manner, users link together various passwords, keys or other secrets to maintain convenience from a single point of control, such as in a single-sign-on (SSO) environment, regardless of the disparateness of the stores. The reverse is also possible such that linked credentials are accessible from the multiple stores. Retrofitting existing SSO services is another feature as are computer program products and computing network interaction.

Abstract: A distributed authentication system includes a cryptography service node, and a client node interface coupled to a network authentication database, for providing automatic authentication to enable the client node to access network resources, such as applications or services, resident in one or more network server nodes. Authentication secrets corresponding to the network resources are each encrypted with a respective strong key and stored in the authentication database. Authentication of the client node is accomplished with the retrieval of an authentication secret corresponding to a requested network resource. The retrieval process includes: i) decrypting the authentication secret using the strong key and encrypting the secret using a second key, and ii) sending a copy of the second key encrypted with a third key along with the encrypted secret to the requesting client node via a communication medium.

Abstract: A distributed authentication service that automates an authentication exchange between a user and an application program of a distributed network system. The novel distributed authentication service comprises an exchange controller coupled to an authentication database containing a group of encrypted application secrets associated with the user. Each application secret is, in turn, associated with a particular program resident in the system. According to the present invention, the controller cooperates with the database to automate the exchange procedure by (i) receiving an authentication inquiry generated by the particular program in response to the user's request to access that program and (ii) providing that program with the proper application secret retrieved from the database. The group of encrypted application secrets associated with the user is referred to as a "keychain." Each keychain is assigned a public/private key pair, with all secrets in the keychain being encrypted with the public key.