Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.

Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.

Abstract: Various embodiments are generally directed to an apparatus, method, and other techniques to maintain user authentications with common trusted devices. If a user is in possession of a first computing device (e.g., a smartphone), an unlocked state of the first trusted device is maintained if the user is using a nearby trusted device (e.g., a computer) within a certain amount of time. If the first trusted device is in a pocket or other container, a longer span of time is granted to the user to register an on-body state.

Abstract: In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.

Abstract: In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate secure screen input. An example disclosed system includes a user interface (UI) manager to generate a UI comprising a quantity of ordinal entry points, each one of the quantity of ordinal entry points comprising a repeating selectable pattern, an ordinal sequence generator to generate an initial randomized combination of the quantity of ordinal entry points, the randomized combination stored in a trusted execution environment, and an offset calculator to calculate a password entry value by comparing an offset value and direction value retrieved from the UI with the initial randomized combination of the quantity of ordinal entry points.

Abstract: An embodiment includes at least one machine readable medium on which is stored code that, when executed enables a system to initialize a trusted loader enclave (TL) and a measurement and storage manager enclave (MSM) within a memory of the system, to receive by the MSM a TL measurement of the TL from a trusted processor of the system, to determine whether to establish a secure channel between the MSM and the TL based at least in part on the TL measurement, and responsive to a determination to establish the secure channel, to establish the secure channel and store particular code in the TL. Additional embodiments are described and claimed.

Abstract: In an example, a computing device includes a trusted execution environment (TEE), including an enclave. The enclave may include both a binary translation engine (BTE) and an input verification engine (IVE). In one embodiment, the IVE receives a trusted binary as an input, and analyzes the trusted binary to identify functions, classes, and variables that perform input/output operations. To ensure the security of these interfaces, those operations may be performed within the enclave. The IVE tags the trusted binary and provides the binary to the BTE. The BTE then translates the trusted binary into a second format, including designating the tagged portion for execution within the enclave. The BTE may also sign the new binary in the second format and export it out of the enclave.

Abstract: In an example, a computing device may include a trusted execution environment (TEE) for executing signed and verified code. The device may receive a trusted binary object in a first form, but the object may need to be converted to a second format, either on-the-fly, or in advance. This may include, for example, a bytecode interpreter, script interpreter, runtime engine, compiler, just-in-time compiler, or other species of binary translator. The binary translator may be run from the TEE, and the output may then be signed by the TEE and treated as a new trusted binary.

Abstract: Technologies for authenticating a user of a computing device based on an authentication context state includes generating context state outputs indicative of various context states of a mobile computing device based on sensor data generated by sensors of the mobile computing device. An authentication manager of the computing device implements an authentication state machine to authenticate a user of the computing device. The authentication state machine includes a number of authentication states, and each authentication state includes one or more transitions to another authentication state. Each of the transitions is dependent upon a context state output. The computing device may also include a device security manager, which implements a security state machine that includes a number of security states. Transition between security states is dependent upon the present authentication state of the user. The device security manager may implement a different security function in each security state.

Abstract: Technologies for authenticating a user of a computing device based on an authentication context state includes generating context state outputs indicative of various context states of a mobile computing device based on sensor data generated by sensors of the mobile computing device. An authentication manager of the computing device implements an authentication state machine to authenticate a user of the computing device. The authentication state machine includes a number of authentication states, and each authentication state includes one or more transitions to another authentication state. Each of the transitions is dependent upon a context state output. The computing device may also include a device security manager, which implements a security state machine that includes a number of security states. Transition between security states is dependent upon the present authentication state of the user. The device security manager may implement a different security function in each security state.

Abstract: Technologies for information security include a computing device with one or more sensors. The computing device may authenticate a user and, after successful authentication, analyze sensor data to determine whether it is likely that the user authenticated under duress. If so, the computing device performs a security operation such as generating an alert or presenting false but plausible data to the user. Additionally or alternatively, the computing device, within a trusted execution environment, may monitor sensor data and apply a machine-learning classifier to the sensor data to identify an elevated risk of malicious attack. For example, the classifier may identify potential user identification fraud. The computing device may trigger a security response if elevated risk of attack is detected. For example, the trusted execution environment may trigger increased authentication requirements or increased anti-theft monitoring for the computing device. Other embodiments are described and claimed.

Abstract: In embodiments, apparatuses, methods and storage media (transitory and non-transitory) are described that are associated with user profile selection using contextual authentication. In various embodiments, a first user of a computing device may be authenticated and have an access control state corresponding to a first user profile established, the computing device may select a second user profile based at least in part a changed user characteristic, and the computing device may present a resource based at least in part on the second user profile. In various embodiments, the computing device may include a sensor and a user profile may be selected based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.

Abstract: In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.

Abstract: Various embodiments are generally directed to the provision and use of geometric location based security systems that use multiple beacons for determining a location. A beacon transmitted from an ultrasound broadcast as well as one or more different wireless broadcasts can be used to geo-locate a device and provide access controls based on the geo-location.

Abstract: The present disclosure is directed to an end-to-end secure communication system wherein, in addition to encrypting transmissions between clients, communication-related operations occurring within each client may also be secured. Each client may comprise a secure processing environment to process encrypted communication information received from other clients and locally-captured media information for transmission to other clients. The secure processing environment may include resources to decrypt received encrypted communication information and to process the communication information into media information for presentation by the client. The secure processing environment may also operate in reverse to provide locally recorded audio, image, video, etc. to other clients. Encryption protocols may be employed at various stages of information processing in the client to help ensure that information being transferred between the processing resources cannot be read, copied, altered, etc.

Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.

Abstract: Generally, this disclosure describes a continuous authentication confidence module. A system may include user device including processor circuitry configured to determine presence data; a confidence factor including at least one of a sensor configured to capture sensor input and a system monitoring module configured to monitor activity of the user device; memory configured to store a confidence score and an operating system; and a continuous authentication confidence module configured to determine the confidence score in response to an initial authentication of a specific user, update the confidence score based, at least in part, an expectation of user presence and/or selected presence data, and notify the operating system that the authentication is no longer valid if the updated confidence score is within a tolerance of a session close threshold; the initial authentication configured to open a session, the confidence score configured to indicate a current strength of authentication during the session.

Abstract: Technologies for determining a confidence of user authentication include authenticating a user of a computing device based on a set of authentication factors and a fusion function that fuses the set of authentication factors to generate an authentication result. A false accept rate and a false reject rate of the authentication result is determined, and an authentication confidence for the authentication result is determined. The authentication of the user is performed passively, without interruption or interruption of the user. If the authentication confidence is below a threshold value, an active authentication procedure may be performed.

Abstract: In an embodiment, a security engine of a processor includes an identity provider logic to generate a first key pair of a key pairing associating system user and a service provider that provides a web service and having a second system coupled to the system via a network, to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment, and responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.