Abstract: A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.

Abstract: Identity data for a user is aggregated from multiple sources into a global profile, the contents of which is distributed under the control of the user to trusted risk engines. The collected identity data is related to the user's use of online services provided by multiple independent service providers. The collected identity data is aggregated into a private, global profile. The user must authorize the portion(s) of the aggregated identity data that is/are distributed, and one or more trusted risk engines to which the aggregated identity data may distributed. The global profile may be distributed to individual trusted risk engines, further based on requests received from individual ones of the trusted risk engines.

Abstract: A technique of supporting multi-factor authentication uses a database server. The technique involves receiving suspicious user activity data from a first set of authentication servers and storing the suspicious user activity data from the first set of authentication servers, as sharable authentication data, in a database of the database server. The technique further involves providing the sharable authentication data from the database to a second set of authentication servers. Each authentication server of the second set of authentication servers performs multi-factor authentication operations based on (i) local authentication data which is gathered by that authentication server and (ii) the sharable authentication data provided from the database. Accordingly, useful authentication data from one authentication server (e.g.

Abstract: A master encryption key is split at a key splitting server such that three key shares are required to reconstruct it, and is then destroyed. The key shares are distributed such that an encrypted remote management server key share is stored at a remote management server, an encrypted managed device key share is stored at a managed device, and a key splitting server key share is stored on the key splitting server. Incoming communications to the key splitting server from managed devices are prevented, and outgoing communications from the key splitting server are only allowed to managed devices. The managed device obtains the master encryption key at startup by sending its managed device key share to the remote management server, which sends the managed device key share and the remote management server key share to the key splitting server. The key splitting server reconstructs the master encryption key, encrypts it using a public key of the managed device, and sends it to the managed device.

Abstract: A digitally signed authentication assertion is generated in response to successful authentication of a current user of a user device by using a signing key that is uniquely assigned to the authenticator process to digitally sign a document indicating that the current user of the user device was successfully authenticated on the user device. The signing key uniquely assigned to the authenticator process is stored in a key container associated with the user device, and the key container is located on a key container server that is physically separate from the user device. The digitally signed authentication assertion is conveyed from the authenticator process to an authentication service, in order to securely indicate to the authentication service that the current user of the user device has been verified as an authentic user by the authenticator process.

Abstract: Methods, apparatus and articles of manufacture for using steganography to protect cryptographic information on a mobile device are provided herein. A method includes querying a user to select one or more items of data stored on a computing device to be used in connection with one or more cryptographic actions associated with said computing device, and protecting one or more items of cryptographic information within the one or more selected items of data.

Abstract: A method, system and computer program product for use in managing policies is disclosed. Policies associated with a communications device are correlated with respective locations. The location of the communications device is determined. The policy correlated with the determined location is applied to the communications device.

Abstract: There is disclosed a method and system for use in authenticating an entity. An authentication request is received from the entity. An input signal is received from a communications device associated with the entity. The input signal comprises the current location of the communications device. The current location of the communications device is derived from the input signal. Based on the current location of the communications device, an event is detected at substantially the same location as the current location of the communications device. An analysis is performed between the current location of the communications device and the event. An authentication result is generated based on the analysis between the current location of the communications device and the event. The authentication result can be used for authenticating the entity.

Abstract: Protecting master encryption keys by splitting the master encryption key into multiple key shares using a polynomial secret sharing scheme, and storing one share in a remote management server and the other shares in managed devices located on one or more secure networks. To reconstruct the master encryption key, a managed device obtains the remote management server share and combines it with its local share. Master encryption keys may be obtained without an administrator's password, thus supporting unattended startup of appliances. The remote management server may alert a system administrator upon release of the remote management key share, or request approval prior to releasing the remote management key share.

Abstract: Improved techniques involve selecting a set of authentication factors from among multiple factors based on a current situation and information about how well the multiple authentication factors have worked in similar situations in the past. Along these lines, when an authentication system performs an authentication operation on a requesting party, the authentication system first assesses a situational environment. Based on the assessment of the situational environment, the authentication system decides that it is necessary to re-authenticate the requesting party. In some arrangements, the authentication system may determine which set of factors has the highest likelihood of successfully verifying the user's identity when compared with other authentication factors. The authentication system then carries out an authentication operation on the selected set of factors and bases a successful authentication result on whether the selected set of factors can be verified.

Abstract: There is disclosed a method, system and a computer program product for use in authenticating an entity. An authentication request is received from the entity. Information in connection with the entity is acquired from an external source. Based on the information, a risk score is set such that the riskiness of the authentication request can be readily deduced therefrom.

Abstract: A technique provides access control on a mobile device (e.g., a smart phone, a tablet, etc.). The technique involves displaying an image on a touch screen of the mobile device. The technique further involves, while the image is displayed on the touch screen, receiving user input from a user. The user input includes user gestures applied to the touch screen over the displayed image. The technique further involves performing an access control operation which provides an access control result based on the user input, the access control result (i) providing access to a set of protected resources when the user input matches expected input and (ii) denying access to the set of protected resources when the user input does not match the expected input.

Abstract: A technique provides protection against malicious activity. The technique involves providing a mock token to fraudster equipment. The mock token appears to be a legitimate user token that identifies a legitimate user (e.g., an actual user token, a token seed, etc.). The technique further involves receiving, from the fraudster equipment, an authentication request which uses the mock token and, in response to receiving the authentication request which uses the mock token from the fraudster equipment, performing a set of authentication server operations to protect against future activity by the fraudster equipment (e.g., deny access to the fraudster equipment, acquire specific information about the fraudster equipment, output a message to subscribers of an eFraud network, and so on).

Abstract: A method includes (1) receiving, by a mobile computing device (MCD), user-specific data from a user, (2) processing (a) a user share of a cryptographic key, the user share being fixed based on the received user-specified data, and (b) a local share of the cryptographic key to recreate the cryptographic key, wherein the local share was created by applying a secret splitting algorithm to the cryptographic key and the user share to yield a set of non-fixed shares including the local share, the user share and the set of non-fixed shares making up a set of shares of the cryptographic key, the cryptographic key being recreatable from a strict subset of the set of shares, and (3) decrypting encrypted data stored on the MCD using the recreated cryptographic key, thereby providing access, using the decrypted encrypted data, to the resource.

Abstract: A technique provisions a mobile device (e.g., a smart phone, a tablet, a personal digital assistant, etc.) with a security application on the fly. The technique involves providing, by processing circuitry of the mobile device, an initial access request to an enterprise gateway which is operated by an enterprise. The technique further involves receiving, by the processing circuitry, an enterprise response message from the enterprise gateway in response to the initial access request. The enterprise response message denies access to a set of enterprise resources of the enterprise. The technique further involves automatically prompting, by the processing circuitry, the mobile device to install a mobile security application from an application server in response to the enterprise response message denying access to the set of enterprise resources of the enterprise.

Abstract: A technique provides user authentication using a smart device (e.g., a smart phone, a tablet, etc.). The technique involves displaying, by processing circuitry of a smart device, a password prompt on a touch screen of the smart device. The password prompt includes a motion video of touch screen gestures to prompt a user of the smart device to enter a gesture password. The technique further involves receiving, by the processing circuitry, a trial gesture password entered by the user via the touch screen. The trial gesture password includes a user-entered sequence of touch screen gestures. The technique further involves performing, by the processing circuitry, multiple gesture password confirmation operations to verify that the user is able to re-enter the trial gesture password via the touch screen over time to authenticate the user to the smart device.

Abstract: Methods, apparatus and articles of manufacture for adding entropy to key generation on a mobile device are provided herein. A method includes generating a prompt via a computing device interface in connection with an authentication request to access a protected resource associated with the computing device; processing input cryptographic information entered via the computing device interface in response to the prompt against a pre-determined set of cryptographic information, wherein said pre-determined set of cryptographic information comprises one or more input elements and one or more interface manipulation measures associated with the one or more input elements; and resolving the authentication request based on said processing.

Abstract: There is disclosed a method and system for use in authenticating an entity. An entity location history is stored comprising a historical record of locations visited by the entity. An authentication request is received from the entity. A pattern of recent locations visited by the entity indicative of irregular behavior is detected. An analysis is performed between the pattern of recent locations indicative of irregular behavior and the entity location history for establishing the riskiness of the authentication request. An authentication result is generated based on the analysis between the pattern of recent locations indicative of irregular behavior and the entity location history.

Abstract: A technique provides access control. The technique involves prompting a user to enter color-shape pairings, and receiving multiple color-shape pairings from the user. Each color-shape pairing includes (i) a color selection from multiple selectable colors and (ii) a shape selection from multiple selectable shapes. The technique further involves generating an access control result based on the received multiple color-shape pairings, the access control result controlling access to a set of protected resources. For example, color segments can be displayed on a touch screen in the form of a color wheel, and multiple shapes can be rendered within each color segment. Alternatively, (i) a color palette including the multiple selectable colors and (ii) a shape menu including the multiple selectable shapes can be rendered on the touch screen to prompt the user to provide drag and drop gestures over the touch screen. Other configurations are suitable for use as well.

Abstract: A technique manages user authentication via common authentication framework circuitry. The technique involves receiving, by the common authentication framework circuitry, authentication requests from client devices of users belonging to multiple enterprises, the authentication requests including user identifiers identifying the users belonging to the multiple enterprises. The technique further involves accessing, by the common authentication framework circuitry, entries of an authentication policy database to select authentication policies for the authentication requests. Selection of the authentication policies is based at least in part on the user identifiers of the authentication requests. The technique further involves invoking, by the common authentication framework circuitry, authentication services in accordance with the selected authentication policies to perform user authentication operations in response to the authentication requests from the client devices.