Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.

Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.

Abstract: Static and dynamic embodiments are presented for generating chaff passwords for use in a password-hardening system. Chaff passwords are generated by modifying portions of base passwords based on a distribution with which particular strings of digits and symbols appear in user passwords. Location oblivious chaff passwords are generated from a chaff set of passwords obtained from a chaff generation method by applying a random permutation over the elements of the obtained chaff set of passwords.

Abstract: Static and dynamic embodiments are presented for generating chaff passwords for use in a password-hardening system. Chaff passwords are generated by obtaining a source set of passwords comprising at least one valid password for each of a plurality of users; and generating a chaff set of passwords for a given user, wherein the chaff set comprises at least one valid password for the given user and a plurality of chaff passwords for the given user, wherein the plurality of chaff passwords for the given user are obtained from the source set of passwords. Chaff passwords can also be generated by modifying portions of base passwords based on a distribution with which particular strings of digits and symbols appear in user passwords. Location oblivious chaff passwords are generated from a chaff set of passwords obtained from a chaff generation method by applying a random permutation over the elements of the obtained chaff set of passwords.

Abstract: An apparatus comprises a processing device comprising NFC interface circuitry, network interface circuitry, a memory and a processor coupled to the memory. The processing device is configured to establish an NFC connection with an NFC tag using the NFC interface circuitry, establish a network connection with an authentication server using the network interface circuitry, and forward one or more messages between the NFC tag and the authentication server, the one or more messages comprising messages of a challenge/response authentication protocol performed between the NFC tag and the authentication server. Responsive to a successful completion of the challenge/response authentication protocol between the NFC tag and the authentication server, the processing device is authenticated to the authentication server.

Abstract: An apparatus comprises a first processing device comprising near field communication (NFC) interface circuitry, a memory and a processor coupled to the memory. The first processing device is configured to establish an NFC connection with an NFC tag using the NFC interface circuitry, receive a shared secret established between the NFC tag and an authentication server in an authentication protocol, and present a cryptographic value derived from the shared secret to a second processing device. The cryptographic value is utilizable by the second processing device for authenticating to the authentication server.

Abstract: A technique performs authentication before delivering a token to a client device. The technique involves receiving a first message from a first application on the client device, the first message including a token request and a first set of authentication factors. The technique further involves receiving a second message from a second application on the client device, the second message including an authentication request and a second set of authentication factors. The technique further involves generating a result message which (i) provides access to a token for use by the client device when the first set of authentication factors is consistent with the second set of authentication factors, and (ii) rejects the token request when the first set of authentication factors is inconsistent with the second set of authentication factors. The client device may be a mobile device, and the first and second messages may be received via wireless communications.

Abstract: Techniques, apparatus and articles of manufacture are provided herein. A method includes providing a first sub-set of authentication information from a set of authentication information associated with a first cryptographic device issued to a user to a second cryptographic device in connection with a first user authentication request responsive to a request from the user to access a first protected resource, wherein the first sub-set comprises a first set of N pre-computed passcodes and corresponding challenges, and providing a second sub-set of authentication information from the set of authentication information associated with the first cryptographic device to a third cryptographic device in connection with a second user authentication request responsive to a request from the user to access a second protected resource, wherein the second sub-set comprises a second set of N pre-computed passcodes and corresponding challenges.

Abstract: Methods, apparatus and articles of manufacture for decrypting a protected resource on a cryptographic device are provided herein. A method includes decrypting encoded information under a first cryptographic key to access a protected resource, wherein the first cryptographic key is read from a first cryptographic device subsequent to authenticating to the first cryptographic device using a first authentication key, randomly selecting a second cryptographic key, encrypting the protected resource under the second cryptographic key, and writing the second cryptographic key onto the first cryptographic device subsequent to authenticating to the first cryptographic device.

Abstract: An authentication system including a first server configured to store identifiers of respective users in association with respective pseudonyms, and a second server configured to store templates of the respective users in association with the respective pseudonyms. Input is received from a given user in conjunction with an authentication attempt. The first server is configured to determine if a first portion of the received input is associated with one of the user identifiers stored in the first server. If the first portion of the received input is associated with one of the user identifiers stored in the first server, the corresponding pseudonym is provided from the first server to the second server. The given user is authenticated based on a determination as to whether or not a second portion of the received input matches one of the stored user templates corresponding to the pseudonym provided to the second server.

Abstract: An authentication system comprises multiple servers and a controller coupled to or otherwise associated with the servers. The controller is configured to control storage in the servers of respective chaff sets or other types of value sets, each including at least one secret value obscured within a distinct arrangement of other values. Each of the servers comprises a local verifier configured to generate an indication as to whether or not a received input value corresponds to one of the values in its value set. The controller comprises a global verifier configured to authenticate the received input value based on the indications generated by at least a subset of the servers. By way of example, the secret value may comprise a common value which is the same for all of the value sets, with the value sets otherwise including distinct values such that their intersection yields only the common value.

Abstract: Methods, apparatus and articles of manufacture for implementing cryptographic devices operable in a challenge-response mode are provided herein. A method includes storing a set of authentication information in a first cryptographic device associated with a user, receiving a challenge in the first cryptographic device in connection with a user authentication request responsive to a request from the user to access a protected resource, wherein the challenge comprises an index of at least one non-sequential portion of the authentication information stored in the first cryptographic device, and outputting a non-sequential portion of the authentication information from the set of authentication information stored in the first cryptographic device in response to the challenge for use in authenticating the user.