Abstract: Apparatus and methods are described for searching and replacing user credentials in a multiple disparate credential store environment. Upon authentication of a user to change credentials, credential information of multiple disparate credential stores is searched. Upon population of search results, users indicate which of the credentials they desire to change and results are committed upon affirmative execution in a user interface dialog. In this manner, users locate their credential information, from whatever store, and change it in quantity or singularly from a single point of control. They can also fully understand how many passwords, secrets, keys, etc., they have over the many disparate stores available to them and affirmatively control their relationship to other credential information. Reversion of credential information to an earlier time is still another feature as is retrofitting existing SSO services. Computer program products and computing network interaction are also disclosed.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web is launched browser toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for coordinating user credentials across multiple disparate credential stores. A synchronizing engine requests and receives past and present credential information from the disparate credential stores. Users indicate which, if any, of the credential information they desire to synch together. Upon common formatting of the credential information, comparisons reveal whether differences exist between the past and present versions. If differences exist, the information is updated. In this manner, users link together various passwords, keys or other secrets to maintain convenience from a single point of control, such as in a single-sign-on (SSO) environment, regardless of the disparateness of the stores. The reverse is also possible such that linked credentials are accessible from the multiple stores. Retrofitting existing SSO services is another feature as are computer program products and computing network interaction.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web is launched browser toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for providing employee cards to employees, such as PIV cards to federal employees, including provisioning the employees to a more than one agency (and more than one card) without requiring multiple instances of enrolling and adjudicating the employee. Representatively, a sponsor enters information about the employee into a computer-displayed form (e.g., web-based). Biometric identity information is collected for the employee, but if such has already begun or is complete for at least a first agency, the collected information is used for a second agency without redundant collection. In the event an adjudication level of the first agency is at least as stringent as it is for the second agency, the employee is eligible to receive an employee card for the second agency, in addition to an employee card for the first agency.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a web browser pointed toward a web server and a Logon API for use with a password/credential. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, a DLL logs onto a user account which invokes the executable file to launch the web browser in the https protocol. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation via the Logon API, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc.

Abstract: Apparatus and methods utilize a single-sign-on (SSO) framework on one or more physical or virtual computing devices. During use, it is determined whether SSO credentials are for use in a volatile session and/or for use amongst an application suite or a plurality of applications. In the former, the SSO credentials are either made temporarily available in a memory of the computing devices, if relatively high security is desired, or a credential store and its contents are made available to a disk, if relatively low security is acceptable. In the latter, the SSO credentials are shared during authentication of a single user as individual applications of the application suite or the plurality of applications are used or started independently. Other features contemplate credential lifetime, the destruction of credentials, timing of application usage relative to credentials as well as retrofitting existing SSO services. Computer program products and computing interaction are also disclosed.

Abstract: Apparatus and methods arrange user credentials on physical or virtual computing devices utilizing a single-sign-on framework. During use, a plurality of target environments exist for a user to logon to one or more applications thereof, including at least a personal and workplace environment. One or more roles of the user are identified per each target environment, such as a shopper in the personal environment and an engineer or manager in the workplace environment. The user has credentials per each role and are used to logon using a single-sign-on session to access the one or more applications. The credentials are stored in a secret store corresponding to the defined roles of the user per either the personal or workplace environment. Workplace policies defining the roles or synching credentials are other features as are establishing default roles or retrofitting existing SSO services. Computer program products and computing interaction are also disclosed.

Abstract: Methods and apparatus provide tunneling one authentication framework over a more widely accepted framework (e.g., EAP). In this manner, pluralities of strong authentication protocols are wirelessly enabled between a supplicant and server that are not otherwise wirelessly enabled. During use, packets are wirelessly transmitted and received between the supplicant and server according to EAP's prescribed message format, including a wireless access point. In a tunnel, various authentication protocols form the payload component of the message format which yields execution capability of more than one protocol, instead of the typical single protocol authentication. Certain tunneled frameworks include NMAS, LDAP/SASL, Open LDAP/SLAPD, or IPSEC. Computer program products, computing systems and various interaction between the supplicant and server are also disclosed.

Abstract: Methods and apparatus provide server services on a client for disconnected login on the client. Users execute a connected login sequence between the client and the server according to one of many strong authentication protocols. During such time, information on the server necessary for a successful execution of the strong authentication protocol is determined and provided to the client where it is stored in a local instance. Users thereafter disconnect from the server and login locally on the client Login information, locally provided, is verified against the information of the server so provided to the client. In this manner, users can be authenticated with a strong protocol, beyond mere password information. They can be strongly authenticated when logging-in to a laptop computing device, for example, when in a location not able to connect to a network appliance, such as a server.

Abstract: Apparatus and methods are described for synching data of multiple connected systems according to business policies utilized for common computing goals, such as identity management. A plurality of connectors interface with a corresponding one of the computing systems and have at least one object or attribute indicative of a status of an aspect of the common computing goals. A central connector interfaces with each of the connectors and encapsulates the entirety of business policies in a single location. It also monitors changes in the objects or attributes and, if detected, pushes data to a connector for pushing to its corresponding computing system. In this manner, data from all systems flows through the central connector and overcomes prior problems of business policies being located piecemeal in a variety of connectors, which may need swapping. Computer program products, computing systems, retrofits to existing software, to name a few, are other features.

Abstract: Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc.

Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a web browser pointed toward a web server and a Logon API for use with a password/credential. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, a DLL logs onto a user account which invokes the executable file to launch the web browser in the https protocol. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation via the Logon API, but in a capacity without the limited functionality or the imposed browser restrictions.

Abstract: Apparatus and methods are described for providing employee cards to employees, such as PIV cards to federal employees, including provisioning the employees to a more than one agency (and more than one card) without requiring multiple instances of enrolling and adjudicating the employee. Representatively, a sponsor enters information about the employee into a computer-displayed form (e.g., web-based). Biometric identity information is collected for the employee, but if such has already begun or is complete for at least a first agency, the collected information is used for a second agency without redundant collection. In the event an adjudication level of the first agency is at least as stringent as it is for the second agency, the employee is eligible to receive an employee card for the second agency, in addition to an employee card for the first agency.

Abstract: Apparatus and methods are described for using preferential credentials in an environment of multiple disparate credential stores. For at least two disparate credential stores, credential information is known, including a preferred credential indicated by a user. Upon indication of a desire to link another credential information to the preferred credential information, the two are mapped to one another. Users can sign-on, singularly, with the preferred credential information, and have access to both the disparate credential stores. A credential value can be shared by multiple credential ID's or one credential ID can be associated with multiple credential values thereby giving users the ability to cross-reference secrets and credentials for most efficiency. Default credentials are also possible as are retrofits for existing SSO services. Policy applications, computer program products and computing network interaction are other noteworthy features.

Abstract: Apparatus and methods are described for searching and replacing user credentials in a multiple disparate credential store environment. Upon authentication of a user to change credentials, credential information of multiple disparate credential stores is searched. Upon population of search results, users indicate which of the credentials they desire to change and results are committed upon affirmative execution in a user interface dialog. In this manner, users locate their credential information, from whatever store, and change it in quantity or singularly from a single point of control. They can also fully understand how many passwords, secrets, keys, etc., they have over the many disparate stores available to them and affirmatively control their relationship to other credential information. Reversion of credential information to an earlier time is still another feature as is retrofitting existing SSO services. Computer program products and computing network interaction are also disclosed.

Abstract: Apparatus and methods are described for coordinating user credentials across multiple disparate credential stores. A synchronizing engine requests and receives past and present credential information from the disparate credential stores. Users indicate which, if any, of the credential information they desire to synch together. Upon common formatting of the credential information, comparisons reveal whether differences exist between the past and present versions. If differences exist, the information is updated. In this manner, users link together various passwords, keys or other secrets to maintain convenience from a single point of control, such as in a single-sign-on (SSO) environment, regardless of the disparateness of the stores. The reverse is also possible such that linked credentials are accessible from the multiple stores. Retrofitting existing SSO services is another feature as are computer program products and computing network interaction.