Abstract: A security server receives a request of a user to activate a secure communications channel over the network and, in response, transmits an activation code for delivery to the user via another network. The security server receives an activation code from the user network device via the network, compares the received activation code with the transmitted activation code to validate the received activation code, and activates the secure communications channel based on the validation. The security server next receives a query including a question for the user from an enterprise represented on the network, transmits the received enterprise query to the user network device via the secure communications channel, and receives, from the user network device via the secure communications channel, a user answer to the transmitted enterprise query. The security server then transmits the received user answer to the enterprise to further authenticate the user to the enterprise.

Abstract: A method of operating a security server to securely transact business between a user and an enterprise via a network includes receiving, at the security server from an enterprise with which the user is currently connected via the network, a request of the enterprise to activate a secure communications channel over the network between the user and the security server. The request includes contact information for contacting the user via other than the network. The security server, in response, transmits an activation code for delivery to the user via other than the network and in a manner corresponding to the received contact information. The security server receives, from the user via the network, an activation code and compares the received activation code with the transmitted activation code to validate the received activation code. The secure communications channel is then activated based on the validation of the received activation code.

Abstract: Systems and methods for making a payment on behalf of a payer to a payee are provided. A request to make a payment on behalf of a payer to a payee is received at a first payment service provider. The first payment service provider supports a first payment network within a plurality of payment networks that each include a respective plurality of payers and payees. The payer is one of the plurality of payers and payees associated with the first payment network, and the payor is not one of the plurality of payers and payees associated with the first payment network. A second payment network within the plurality of payment networks with which the payee is associated is identified by the first payment service provider. A payment instruction to make the payment to the payee is transmitted by the first payment service provider to a second payment service provider associated with the second payment network.

Abstract: The present invention provides a security and privacy enhanced method for geolocation. The system works by creating a space called the N?4Tk space on top of the Internet by locating N geographically dispersed servers in the Internet and computing as the coordinate for any computing device on the Internet, its distance to the N servers. The distance is computed as the 4Tk distance which is the time taken by a message of size k to travel between two points at a particular time of day. The system can also be used iteratively where each iteration uses a different set of Slaves in order to close in on the user with finer granularity. Interesting benefits of the system include the difficulty for an attacker to misrepresent the location, and also while the system can hone in on a locale for the user it does not violate the user's privacy.

Abstract: User authentication is achieved by creating a window on the user's PC that is in communication with a security server, where this communication channel is separate from the communication channel between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server signals both the web page on the user's browser and the window to which it has a separate channel. If user authentication is requested by the web site, the security server computes a one time password based on a secret which it shares with the web site, but not with the user, and which is not associated with any particular user, and the web site can re-compute the one time password to authenticate the user.

Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site the user is first authenticated by the security server for instance by out of band authentication. Then the security server computes a one time password based on a secret it shares with the web site and sends it to the pop up window.

Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the'web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site the user is first authenticated by the security server for instance by out of band authentication. Then the security server computes a one time password based on a secret it shares with the web site and sends it to the pop up window.

Abstract: A system for authenticating communication network users includes a user-associated user station communicatively coupled to an authenticating station via the communication network. The authenticating station is configured to authenticate the user and receive a first value, representing a first user credential, from the user station. A first key portion is generated based on the first value and a second value that is unknown to the user. The first key portion, along with a second key portion, is used for authenticating credentials of the user for a predefined period of time or for authenticating user credentials for a predefined number of times. The second key portion is generated based on the first key portion. A cookie that includes the second value or a value derived from the second value is generated and transmitted to the user station and then the second value is destroyed.

Abstract: Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.

Abstract: To determine a geographical location of a user network device communicating with a network site on a network having a master, first slave and second slave servers, the master server receives, via the network, user messages including a user input character padded with k?1 characters, where k equals a predefined message size, and time stamps corresponding to the respective time that message was sent to the master server, the first slave server and the second slave server, and the message was received by the first slave server and by the second slave server. The master server computes the respective time taken to communicate each message to the master and slave servers based on the time stamps, adjusts the computed times based on fluctuations in the bandwidth dependent on the time of day, and determines a geographic location of the user network device as a function of the adjusted times.

Abstract: A user instruction communicated over a communications network via a first communication channel to a relying entity for action, is confirmed by having a trusted entity receive verification information corresponding to the communicated user instruction from the user over the network via a second communication channel and/or verification information corresponding to a received user instruction from the relying entity via a third communication channel. If verification information is received from only the user, it is communicated to the relying entity. If from both, the trusted entity verifies the received user instruction based on the received verification information. If from only the relying entity, it is communicated to the user.

Abstract: Systems and methods for making a payment on behalf of a payer to a payee are provided. A request to make a payment on behalf of a payer to a payee is received at a first payment service provider. The first payment service provider supports a first payment network within a plurality of payment networks that each include a respective plurality of payers and payees. The payer is one of the plurality of payers and payees associated with the first payment network, and the payor is not one of the plurality of payers and payees associated with the first payment network. A second payment network within the plurality of payment networks with which the payee is associated is identified by the first payment service provider. A payment instruction to make the payment to the payee is transmitted by the first payment service provider to a second payment service provider associated with the second payment network.

Abstract: To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.

Abstract: A system for securing information, includes a processor and storage device. The storage device stores information encrypted with one of a first private rolling key and a first public rolling key of an a first asymmetric rolling crypto-key, along with the one first rolling key. The processor has the logic to direct transmission, via a network, of proof of knowledge of the stored one first rolling key to authenticate a user, and of a request for the other of the first private rolling key and the first public rolling key. The processor receives the other first rolling key via the network, responsive to the directed transmission. The processor then decrypts the stored encrypted information with the received other first rolling key, and generates a second asymmetric rolling crypto-key having a second private rolling key and a second public rolling key. The processor encrypts the information with one of the second private rolling key and the second public rolling key.

Abstract: To obtain user approval of network transactions at different levels of security, a network site selects a form in which a transaction with be presented to the user from a group of transaction presentation forms including presentation of the transaction in a browser pop-up window on a user network device, in a security software application window on the user network device, and in a security application window on another user network device. The network site also selects a type of approval of the transaction required from the user from a group of transaction approval types including approval requiring no action by the user after presentation of the transaction, the user to actively approve the presented transaction, and the user to sign the presented transaction. The transaction, the selected transaction presentation form, and the selected type of user transaction approval, are transmitted to obtain approval of the transaction by the user.

Abstract: To authenticate a user of a mobile communication device for login or transaction authorization, a first application on the device directs transmission of a request for authentication of the user to a security server. A second application on the device receives the request for authentication from the security server and directs presentation of the received request for authentication to the user by the device. The second application receives a user input to the device indicating that the requested authentication should proceed and in response directs transmission of an indication that the requested authorization should proceed, to the security server. In response to this latter transmission, the second application receives a PIN from the authentication server. The first application directs transmission of the PIN received by the second application to the network site, which validates the transmitted PIN, in order to authenticate the user or the transaction to the network site.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.