Patents by Inventor Salah Machani

Salah Machani has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11025602
    Abstract: There are disclosed techniques for use in authentication. The techniques include setting a proximity threshold that represents a distance by which a first device and a second device can be separated without impacting authentication such that the selection is dependent on one or more environmental factors associated with the first device. The techniques also perform a comparison between the proximity threshold and a distance between the first and the second devices to produce a comparison result indicating whether the first device is proximate to the second device. Finally, based on the comparison result, the techniques determine whether to grant authentication such that at least one factor in the determination is the proximity of the first and the second devices.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: June 1, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Naveen Naga Sunkavally
  • Patent number: 10949524
    Abstract: User authentication techniques are provided using a scene composed of selected objects. An exemplary method comprises obtaining enrollment information from a user, wherein the enrollment information comprises a first scene comprised of a first selection of objects; initiating a challenge to the user in connection with an authentication request by the user to access a protected resource; processing a second scene comprised of a second selection of objects submitted by the user in response to the challenge, and wherein the processing comprises determining a likelihood that the submitted second scene comprised of the second selection of objects matches the first scene comprised of the first selection of objects submitted by the user with the enrollment information; and resolving the authentication request based on the likelihood. Objects in the first selection of objects are optionally selected from a catalog and arranged into the first scene.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: March 16, 2021
    Assignee: RSA Security LLC
    Inventors: Brian Mullins, Salah Machani, Millie Ng
  • Publication number: 20200134158
    Abstract: User authentication techniques are provided using a scene composed of selected objects. An exemplary method comprises obtaining enrollment information from a user, wherein the enrollment information comprises a first scene comprised of a first selection of objects; initiating a challenge to the user in connection with an authentication request by the user to access a protected resource; processing a second scene comprised of a second selection of objects submitted by the user in response to the challenge, and wherein the processing comprises determining a likelihood that the submitted second scene comprised of the second selection of objects matches the first scene comprised of the first selection of objects submitted by the user with the enrollment information; and resolving the authentication request based on the likelihood. Objects in the first selection of objects are optionally selected from a catalog and arranged into the first scene.
    Type: Application
    Filed: October 31, 2018
    Publication date: April 30, 2020
    Inventors: Brian Mullins, Salah Machani, Millie Ng
  • Patent number: 10516527
    Abstract: Split-key based cryptography techniques are provided for data protection and synchronization across multiple computing devices of a user. A method performed by a first device of a user comprises encrypting data using a randomly-generated data encryption key; wrapping the data encryption key with a public key of a second device of the user; and sending the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to a server. The server sends the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to the second device. The first device or the second device can access the encrypted data by reconstructing their respective private key using a predefined number of shares obtained using a key splitting scheme.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: December 24, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Boris Kronrod, Kevin D. Bowers
  • Patent number: 10511436
    Abstract: Key material is protected using white-box cryptography and split key techniques.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: December 17, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 10289835
    Abstract: New techniques are disclosed for protecting a token seed in a multifactor authentication system. A personal identification number is used to derive a fixed share, and the token seed is split, using a secret sharing technique, into a set of three shares made up of the fixed share, a remote share, and a local share, such that the token seed can only be reconstructed using any two of the three shares. The remote share is stored on a remote authentication server, and an encrypted version of the local share is stored on the user device. The remote share may be encrypted by performing a key wrapping operation on the remote share using the local share, and then storing the encrypted version of the remote share on the remote authentication server. The token seed, fixed share, remote share and local share may then be deleted from the user device.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: May 14, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 10263972
    Abstract: Methods, apparatus and articles of manufacture for authenticating by labeling are provided herein. A method includes identifying each of one or more graphical-based input elements to be associated with a computing device in response to user activity in connection with the computing device; identifying each of one or more graphical-based labels to be assigned to the one or more graphical-based input elements; displaying (i) the one or more graphical-based input elements and (ii) the one or more graphical-based labels via an interface of the computing device; generating a prompt via the computing device interface; and processing input cryptographic information entered via the computing device interface in response to the prompt against (i) the one or more graphical-based input elements and (ii) the one or more graphical-based labels.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: April 16, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kevin D. Bowers, Salah Machani, Dennis Moreau, Todd A. Morneau, Deepak Pushpakar, Samir Saklikar, Nikolaos Triandopoulos
  • Patent number: 10229260
    Abstract: Methods, apparatus and articles of manufacture for authenticating by labeling are provided herein. A method includes establishing a set of cryptographic information, wherein said set of cryptographic information comprises (i) a set of one or more graphical-based input elements and (ii) one or more graphical-based labels assigned to the set of one or more input elements in accordance with a given arrangement; generating a prompt via a computing device interface in connection with an authentication request to access a protected resource associated with the computing device; processing input cryptographic information entered via the computing device interface in response to the prompt against the set of cryptographic information; and resolving the authentication request based on said processing.
    Type: Grant
    Filed: March 27, 2014
    Date of Patent: March 12, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kevin D. Bowers, Salah Machani, Dennis Moreau, Todd A. Morneau, Deepak Pushpakar, Samir Saklikar, Nikolaos Triandopoulos
  • Publication number: 20190037059
    Abstract: A mobile device including a first central processing unit (CPU) controlling operation of a first non-exclusive mode of the device having a first display associated therewith, and a second CPU controlling operation of a second non-exclusive mode of the device having a second display associated therewith; a plurality of individually functioning hardware resources, wherein each of said individually functioning hardware resources is accessible by only one of said first or said second CPU; and a plurality of shared hardware resources accessible by both of said first and said second CPU.
    Type: Application
    Filed: July 25, 2017
    Publication date: January 31, 2019
    Inventor: Salah Machani
  • Patent number: 10091230
    Abstract: Identity data for a user is aggregated from multiple sources into a global profile, the contents of which are distributed under the control of the user to trusted risk engines. The collected identity data is related to the user's use of online services provided by multiple independent service providers. The collected identity data is aggregated into a private, global profile. The user must authorize the portion(s) of the aggregated identity data that is/are distributed, and one or more trusted risk engines to which the aggregated identity data may be distributed. The global profile may be distributed to individual trusted risk engines, further based on requests received from individual ones of the trusted risk engines.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: October 2, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Kayvan Alikhani, Lawrence N. Friedman, Christopher Clifton McLaren, Marcelo Blatt
  • Patent number: 10084596
    Abstract: Methods and apparatus are provided for proactivized threshold password-based secret sharing with key rotation. An exemplary method comprises determining a difference between updated and prior values of a share, wherein the updated value comprises a fixed share of a plurality of shares of a secret; setting at least one polynomial coefficient of a correction polynomial employed by a polynomial-based secret sharing scheme to a value that depends on the difference; applying the polynomial-based secret sharing scheme to obtain share correction values that comprise a share correction value for the fixed share derived from the at least one polynomial coefficient; and providing the share correction values to at least one party that generates the fixed share from the provided share correction value for the fixed share and the prior value of the share. The secret can optionally be updated. A key rotation scheduler optionally performs a new sharing of the secret based on a refreshing schedule and/or a refreshing policy.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: September 25, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Peter Robinson, Salah Machani
  • Patent number: 10063579
    Abstract: Techniques for fraud detection based on user behavior that monitor and analyze user interactions with an application executing on an end user device. The techniques include monitoring behavior of an end user device user by tracking user interactions with the application executing on the end user device, and generating event records describing the user interactions and the times at which they occurred. The event records are sent to an analytics engine that uses the event records to perform a fraud detection operation by comparing the user interactions described in the event records to an expected pattern of user interactions with the application, and detecting anomalous user behavior indicative of fraud in response to the user interactions described in the event records not matching the expected pattern of user interactions with the application.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: August 28, 2018
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 9954680
    Abstract: A master encryption key is split at a key splitting server such that three key shares are required to reconstruct it, and is then destroyed. The key shares are distributed such that an encrypted remote management server key share is stored at a remote management server, an encrypted managed device key share is stored at a managed device, and a key splitting server key share is stored on the key splitting server. Incoming communications to the key splitting server from managed devices are prevented, and outgoing communications from the key splitting server are only allowed to managed devices. The managed device obtains the master encryption key at startup by sending its managed device key share to the remote management server, which sends the managed device key share and the remote management server key share to the key splitting server. The key splitting server reconstructs the master encryption key, encrypts it using a public key of the managed device, and sends it to the managed device.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 24, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Lawrence N. Friedman
  • Patent number: 9935947
    Abstract: Biometric information from an initial sample is used to generate a biometric template for a user. The biometric template is split into multiple template shares using a polynomial secret sharing scheme, such that at least some threshold number of the resulting template shares must be combined to reconstruct the biometric template. After the biometric template is split, the resulting template shares are distributed to multiple components in the system, such as a server, and/or one or more user devices, and the original copy of the biometric template is destroyed. To subsequently verify the identity of the user, the threshold number of template shares are obtained and combined to reconstruct the user's biometric template, and the reconstructed template is compared with biometric information extracted from one or more subsequently collected biometric samples. If there is a match between the reconstructed biometric template and the extracted biometric information, the user's identity is verified.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: April 3, 2018
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 9830445
    Abstract: Biometric information is used to generate a one-time passcode in a two factor authentication process. A current biometric sample is obtained from a user requesting access to a secure resource, together with a user identifier and a current token code. A bio-hash value that encodes a distinct biometric identifier of the authentic user for the user identifier, combined with the authentic user's PIN, is retrieved. A computed PIN is generated based on biometric information extracted from the current biometric sample and the bio-hash value. The computed PIN is combined with the current token code to generate a one-time passcode. The one-time passcode and the user identifier are conveyed to an external user identity verification process that uses the one-time passcode to validate the computed PIN and current token code contained in the one-time passcode.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: November 28, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 9819665
    Abstract: An access token is synchronized across multiple trusted devices when one of the trusted devices obtains an authorization grant from a resource owner, and uses the authorization grant to obtain the access token. The access token is synchronized with other trusted devices indicated in a trusted device list, by securely transmitting the access token to each of the trusted devices indicated in the trusted device list other than the first device. A second trusted device may then access the protected resource, using the access token originally obtained by the first device, without having to request the authorization grant from the resource owner to obtain a new access token.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: November 14, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 9673975
    Abstract: Encrypting data using a private key, and encrypting the private key by generating a first encrypted version of the private key using a first master key, and generating a second encrypted version of the private key using a second master key. The first master key is split into shares including a user input key share derived from user authentication data, and the second master key is split into shares including a remote key share stored on a remote server. Data access when the device is offline is provided by reconstructing the first master key using the user input key share, in order to decrypt the first encrypted version of the private key. Data access when the device is online is provided by reconstructing the second master key using the remote key share, in order to decrypt the second encrypted version of the private key.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: June 6, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah Machani
  • Patent number: 9667416
    Abstract: Protecting master encryption keys by splitting the master encryption key into multiple key shares using a polynomial secret sharing scheme, and storing one share in a remote management server and the other shares in managed devices located on one or more secure networks. To reconstruct the master encryption key, a managed device obtains the remote management server share and combines it with its local share. Master encryption keys may be obtained without an administrator's password, thus supporting unattended startup of appliances. The remote management server may alert a system administrator upon release of the remote management key share, or request approval prior to releasing the remote management key share.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: May 30, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Lawrence N. Friedman
  • Patent number: 9648012
    Abstract: Embodiments are directed to techniques to automatically propagate password updates onto other devices that use a shared password to protect respective secure keys or other secrets. This may be done by calculating update data using a new password and an old password entered onto one device as part of a password change operation, and sending the update data to the other devices for use in updating the password on those devices.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 9, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah Machani, Peter Alan Robinson
  • Patent number: 9621344
    Abstract: A system and method for recovering a security credential is provided. A security credential stored in the storage of a computing device is encrypted using a first encryption key generated by a server. A first decryption key for decrypting the security credential and a second encryption key for re-encrypting the security credential are received. The first decryption key and the second encryption key are generated by the server. The security credential is decrypted using the first decryption key. The security credential is communicated to a user of the computing device. The security credential is re-encrypted in the storage of the computing device using the second encryption key.
    Type: Grant
    Filed: April 7, 2011
    Date of Patent: April 11, 2017
    Assignee: IMS HEALTH INC.
    Inventor: Salah Machani