Abstract: Techniques are disclosed relating to tokenized account information with integrated authentication. In some embodiments, a shared secret key is used for tokenization and authentication. In some embodiments, a payment device stores an encrypted version of the secret key and decrypts the secret key based on a user-provided password. In some embodiments, the payment device uses the secret key and a moving factor to generate a limited-use password. In some embodiments, the payment device uses the limited-use password to modify a first identifier of an account of the user. In some embodiments, the authentication system retrieves a stored version of the secret key and a copy of the account number using a second identifier. In some embodiments, the authentication system generates the limited-use password based on the stored secret key and a moving factor, de-tokenizes the modified first identifier, and compares the result with the retrieved copy of the account number.

Abstract: A method includes determining a match score indicative of similarities between (1) signal information associated with a current route being traveled by a user in connection with a transaction with a merchant and (2) signal information associated with an established route traveled by the user in connection with a previous transaction between the user and the merchant, wherein the signal information comprises signal signatures that identify one or more signal emitters identified along each route. The method also includes determining whether the current route matches the established route based on whether the match score is above a threshold. The method further includes if the match score is below the threshold, transmitting a message indicating that the user was not authenticated.

Abstract: Provided is a process that includes: receiving, with a first device, a request to authenticate a user; obtaining, with the first device, an unstructured-data authentication input; extracting, with the first computing device, a plurality of features of the unstructured-data authentication input to form a structured-data representation; determining, with the first device, a first instance of a value that deterministically varies; and determining, with the first device, a first encrypted value based on both the structured-data representation and the first instance of the value that deterministically varies; and sending, with the first device, the first encrypted value to a second computing device.

Abstract: Techniques are disclosed relating to authorization of asset sharing for transactions by other user accounts. In some embodiments, an apparatus is configured to transmit a request to a mobile device on behalf of a first user account. In some embodiments, the apparatus is configured to receive, from the mobile device in response to the request, an electronic message in a format recognized by an authorization computing system. In some embodiments, the electronic message includes a constraint for a transaction, a replenishment key, and a hash value generated based on at least a portion of other information in the message. In some embodiments, the apparatus is configured to transmit the electronic message for communication to the authorization computing system. In some embodiments, the apparatus is configured to receive transaction authorization based on a comparison of the hash value in the electronic message and a copy of the hash value from the mobile device.

Abstract: A computer system includes a service terminal, a server computer system, and a mobile device and is used to facilitate a transaction between a user and the service terminal. The service terminal receives authentication information from the user and sends the authentication information to the computer server system. Before transaction resolves, the server computer system sends a request to the mobile device to gather environmental information from one or more sensors in the physical environment of the mobile device. In response, the mobile device identifies sensors, communications with one or more sensors, and receives environmental information. The mobile device sends indications of the environmental information, which the server computer system receives and evaluates. Based on the evaluating, the server computer system determines to alter the transaction, and based on the determination to alter the transaction sends a command altering the transaction to the service terminal.

Abstract: A method includes receiving, from a data processing system, a request for an authorization code, the authorization code comprising a sequence of a plurality of characters, generating a plurality of one-time passwords, wherein respective ones of the plurality of one-time passwords correspond to respective ones of the plurality of characters, generating a plurality of modified passwords, wherein generating the plurality of modified passwords comprises concatenating, for each of the plurality of one-time passwords and each of the plurality of characters, the one of the plurality of characters to the corresponding one of the plurality of one-time passwords, generating a plurality of hash values, wherein generating the plurality of hash values comprises performing a hash function on each of the plurality of modified passwords, and sending the plurality of hash values to the data processing system.

Abstract: A biometric sensor can be integrated into a user device to enable multifactor biometric authentication of a user on the user device. The biometric sensor can comprise at fingerprint scanner and a heartrate detector, the heartrate detector further comprising an optical input device and a light emitting diode (LED). The fingerprint scanner comprises a camera encircling the edge of the biometric sensor and detects and scans the users fingerprint to compare to a stored fingerprint to authenticate the users fingerprint. The heartrate detector can determine a heartrate of the user. Based on the detected heartrate of the user and utilizing a validation profile it can be determined if the user is, for example, a live person, is under duress, or sleeping. If the heartrate data is validated by the user device within certain allowable parameters, and the fingerprint of the user is authenticated, access to the user device is enabled.

Abstract: To limit client application access to user information in a token-based authorization framework, access scopes can be degraded with age to incrementally restrict access privileges. This age-based scope degradation imposes time restrictions on the degree of detail of user resources which a resource server shares with a client application. When the client application attempts to access a resource with an access token issued for a specified scope, the age of the access token since it was first issued is measured. An authorization server determines a level of detail at which to share the user resource based on the age. The resource server then shares the user resource at the determined level of detail with the client application after some degree of reduction in detail, such as masking or altering according to the determined detail level. Scope degradation continues as specified until reaching a lowest detail level or visibility level.

Abstract: A method includes receiving a security profile comprising user-defined rules for processing sensitive data, and identifying a plurality of sensitive data components in a data file according to the security profile. The method further includes generating a respective format-preserving token for each of the identified plurality of sensitive data components. The method additionally includes generating a corresponding token key for each of the respective-format preserving tokens, and replacing each of the plurality of sensitive data components in the data file with the respective format-preserving token. Further, the method includes cryptographically camouflaging each of the token keys using a first password and storing each of the cryptographically camouflaged token keys.

Abstract: Technologies are provided herein and include embodiments for protecting applications and information on a user computing device and include generating a menu of icons including an application icon and a decoy icon that correspond to a mobile application in a mobile device, where the application icon is assigned to a first location in the menu and the decoy icon is assigned to a second location in the menu. The embodiment further includes communicating icon location information to the mobile application, providing the menu of icons for display on a display screen of the mobile device, receiving a first indication of user input to select the decoy icon in the menu of icons, invoking the mobile application based on the decoy icon being selected, and communicating, to the mobile application based on the decoy icon being selected, second location information indicating the second location in the menu of icons.

Abstract: A restriction request message, including a restriction parameter for a secondary account, is received from a device that is associated with a primary account, via a network node that is outside of a secure authorization network. A replenishment request message, including a password and an account replenishment parameter for the secondary account, is also received via a network node that is outside of the authorization network. Authentication is performed based on the password, and the restriction parameter for the secondary account is identified responsive to receiving the replenishment request message. Responsive to determining that the account replenishment parameter satisfies the restriction parameter, a replacement key is generated and associated with the account replenishment parameter for the secondary account.

Abstract: According to one aspect of the present disclosure, an interactive graphical user interface (GUI) is presented on a display of a personal computing device, and it is determined that the GUI includes an entry field for receipt of sensitive information from a user of the personal computing device. An interaction with the entry field is detected, and at least a portion of the GUI near the entry field is automatically modified to provide a view of physical surroundings near the personal computing device. The portion of the GUI remains modified while the user inputs the sensitive information to the entry field, and the portion of the GUI is modified in response to detecting the interaction and based on determining that the GUI includes a request for entry of sensitive information.

Abstract: According to one aspect of the present disclosure, a text-based message is received on a device. The text-based message includes an access control indicator in a body of the text-based message. The text-based message is parsed to locate the access control indicator, and it is determined whether the access control indicator is associated with a particular entry in an access control table. The access control table includes associations between one or more access control indicators and one or more applications on the device. It is determined that the text-based message is associated with a particular one of the applications on the device based on determining that the access control indicator is associated with the particular entry, and access to the text-based message by the particular application on the device is allowed based on determining, from the access control indicator, that the text-based message is associated with the particular application.

Abstract: According to one aspect of the present disclosure, a payment initiation request is received at a point of sale (POS) device from a user device. A challenge string stored at the POS device is transmitted from the POS device to the user device based on the payment initiation request. Payment information and a signed version of the particular challenge string are received at the POS device from the user device. The signed version of the particular challenge string is based on a private key associated with the user device and the particular challenge string. An authentication request including the signed version of the particular challenge string is transmitted from the POS device to a server device. An indication of whether the user device is authenticated is received at the POS device, from the server device, based on the authentication request, and a payment protocol is executed using the payment information.

Abstract: Techniques are disclosed relating to performing repeated secondary user authentication. An authentication computer system may receive, from a server computer system, a request to authenticate a user to a service that is provided by the server computer system. The authentication computer system may cause an out-of-band authentication message to be sent to an authentication application associated with the user. The authentication computer system may receive an authentication response including an authentication code that is generated, without user input, by the authentication application. The authentication server may determine whether to authenticate the authentication response and send an authentication indication to the server computer system.

Abstract: To protect confidential data, a mobile device determines whether the mobile device is at a location susceptible to visual capture of confidential data entered into the phone by external cameras. The mobile device determines whether focus of a display is on a field in which confidential data is entered. If the mobile device determines that it is at a location susceptible to an external imaging device visually capturing confidential data input into the input field, then the mobile device activate a light source on a same side as the screen presenting the display.

Abstract: An authentication server receives an item authentication query message requesting authentication of an item that is available from a computer server. An authentication score for the item is generated based on information contained in the item authentication query message. The authentication score is then provided for display at a client terminal. Authentication of the information contained in the item authentication query provides a level of computer security to end-users.

Abstract: In accordance with the teachings of the present disclosure, a method is provided for reducing the chances of shoulder surfing. The method may include determining an approximate angle of orientation of a mobile device and selecting one of first or second input key layouts, based upon the approximate angle of orientation. The first input key layout may be a standard layout of alphanumeric characters and the second input key layout may be a disordered layout of the alphanumeric characters. The method may also include displaying the selected one of the first or second input key layouts at a graphical user interface of the mobile device and receiving an input of sensitive information at the graphical user interface.

Abstract: A method for two factor authentication is described. The method comprises sending an activation code stored on a mobile device to a server for verification. An encrypted secret key generated by the server using the activation code is received. The secret key is decrypted using the activation code stored on the mobile device. The mobile device encrypts the secret key using a predetermined PIN. As a result of a user inputting the predetermined PIN, the secret key is decrypted, the mobile device generates a first token using the secret key and transmits the first token to the server to authenticate the user. After receiving authentication from the server, the information on the mobile device is synced with the server.

Abstract: A method for receiving a first access request from a client computer is described. The method comprises, in response to receiving the first access request, generating a query string comprising a predetermined number of characters, designating, via a unique indicator, a first randomized subset of the predetermined number of characters, wherein the first randomized subset comprises a plurality of the predetermined number of characters, and requesting a first predefined response comprising the first randomized subset of the predetermined number of characters. The method further comprises receiving a first client input from the client computer, determining whether the first client input matches the first predefined response, and accepting the first access request if the first client input matches the first predefined response.