Patents by Inventor William M. Duane

William M. Duane has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10129249
    Abstract: Methods and apparatus are provided for randomizing state transitions for one-time authentication tokens. A user authentication passcode is generated by determining a generation time within an epoch for initiating computation of the user authentication passcode; initiating computation of the user authentication passcode at the determined generation time; and presenting the user authentication passcode at a presentation time that is de-coupled from the generation time. The generation time occurs, for example, at a random offset from a start of the epoch. A time difference between the presentation time and a completion of the computation of the user authentication passcode comprises, e.g., a uniformly distributed random variable over a range of values having a finite mean value. The epoch optionally comprises pre-computation epochs and a variable number of user authentication passcodes are optionally computed during a given pre-computation epoch.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: November 13, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Marten van Dijk, John Brainard, William M. Duane
  • Patent number: 10116438
    Abstract: A method is used in managing use of security keys. Based on a request for use of a key that serves as part of a data security system, a set of criteria to apply to the request is determined. The set of criteria pertain to security management of the key that is subject of the request. The set of criteria is applied to the request; and a result is determined based on the application of the set of criteria.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: October 30, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Marten E. Van Dijk, Todd A. Morneau, William M. Duane
  • Patent number: 9882879
    Abstract: Methods, apparatus and articles of manufacture for using steganography to protect cryptographic information on a mobile device are provided herein. A method includes querying a user to select one or more items of data stored on a computing device to be used in connection with one or more cryptographic actions associated with said computing device, and protecting one or more items of cryptographic information within the one or more selected items of data.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: January 30, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Yedidya Dotan, Lawrence N. Friedman, William M. Duane, John Brainard
  • Patent number: 9774446
    Abstract: A method is used in managing use of security keys. Based on a request for use of a key that serves as part of a data security system, a set of criteria to apply to the request is determined. The set of criteria pertain to security management of the key that is subject of the request. The set of criteria is applied to the request; and a result is determined based on the application of the set of criteria.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: September 26, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Marten E. Van Dijk, Todd A. Morneau, William M. Duane
  • Patent number: 9678548
    Abstract: A method is used in powering security devices. Power is derived from ambient energy in the vicinity of a mobile security device. The power is caused to be used for security based computing tasks within the mobile security device.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: June 13, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: William M. Duane
  • Patent number: 9667611
    Abstract: Improved techniques involve selecting a set of authentication factors from among multiple factors based on a current situation and information about how well the multiple authentication factors have worked in similar situations in the past. Along these lines, when an authentication system performs an authentication operation on a requesting party, the authentication system first assesses a situational environment. Based on the assessment of the situational environment, the authentication system decides that it is necessary to re-authenticate the requesting party. In some arrangements, the authentication system may determine which set of factors has the highest likelihood of successfully verifying the user's identity when compared with other authentication factors. The authentication system then carries out an authentication operation on the selected set of factors and bases a successful authentication result on whether the selected set of factors can be verified.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: May 30, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Lawrence N. Friedman, Yedidya Dotan, Gareth Richards, Daniel V. Bailey, William M. Duane, John G. Brainard
  • Patent number: 9407441
    Abstract: Methods, apparatus and articles of manufacture for adding entropy to key generation on a mobile device are provided herein. A method includes generating a prompt via a computing device interface in connection with an authentication request to access a protected resource associated with the computing device; processing input cryptographic information entered via the computing device interface in response to the prompt against a pre-determined set of cryptographic information, wherein said pre-determined set of cryptographic information comprises one or more input elements and one or more interface manipulation measures associated with the one or more input elements; and resolving the authentication request based on said processing.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: August 2, 2016
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Daniel V. Bailey, John Brainard, William M. Duane
  • Patent number: 9392013
    Abstract: Methods, apparatus and articles of manufacture for defending against a cyber attack via asset overlay mapping are provided herein. A method includes determining which of multiple systems within an organization stores each of multiple assets; determining a set of relationships present between the multiple assets across the multiple systems; identifying, upon an attack of a first of the multiple systems, one or more additional systems of the multiple systems vulnerable to the attack based on at least one relationship, from the determined set of relationships, between one or more of the multiple assets stored on the first system and one or more of the multiple assets stored on the additional systems; and automatically prohibiting access to the one or more additional systems storing the one or more of the multiple assets identified based on the at least one relationship with the assets stored on the first system.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: July 12, 2016
    Assignee: EMC Corporation
    Inventor: William M. Duane
  • Patent number: 9306943
    Abstract: A technique controls access to a protected resource. The technique involves providing a tokencode prompt to a user. The tokencode prompt requests a tokencode from an electronic token in possession of the user. The technique further involves receiving, in response to the tokencode prompt, a current tokencode from the electronic token in possession of the user. The technique further involves performing, by a SOHO device having an embedded tokencode authentication server, an authentication operation based on the current tokencode. A result of the authentication operation (i) permits the user to access the protected resource when the authentication operation determines that the user is legitimate and (ii) denies the user access to the protected resource when the authentication operation determines that the user is not legitimate. For example, the SOHO device may be a NAS device or a firewall device with tokencode authentication capabilities.
    Type: Grant
    Filed: March 29, 2013
    Date of Patent: April 5, 2016
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, William M. Duane
  • Patent number: 9306942
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating a OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: April 5, 2016
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, John G Brainard, William M Duane, Michael J O'Malley, Robert S Philpott
  • Patent number: 9154304
    Abstract: Methods, apparatus and articles of manufacture for using a token code to control access to data and applications in a mobile platform are provided herein. A method includes processing authentication information via a cryptographic operation to generate an output, partitioning the output into (i) a component that identifies the authentication information and (ii) an encryption key component, encrypting an item of cryptographic information via the encryption key component, and storing the component that identifies the authentication information and the encrypted item of cryptographic information.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, William M. Duane
  • Patent number: 9119539
    Abstract: A method, electronic apparatus and computer program product for performing authentication operation is disclosed. An authentication request is received from user of computerized resource. The request comprises user identifier identifying user. The authenticity of user is verified based on user identifier. An access session is established in which user can access resource in response to successfully verifying user. An electronic input signal is received from electronic input device during session. The device is configured to take a biometric measurement from the user. Biometric data is derived from signal. A comparison is performed between biometric data and expected biometric data. An authentication result is generated based on comparison between biometric data and expected biometric data, wherein result can be used for further authentication of user during session.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: September 1, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, William M. Duane
  • Patent number: 9118663
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating a OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, John G Brainard, William M Duane, Michael J O'Malley, Robert S. Philpott
  • Patent number: 9071439
    Abstract: Techniques are disclosed for performing operations in an authentication token or other cryptographic device in a system comprising an authentication server. In one aspect, a code generated by the authentication server is received in the cryptographic device. The code may have associated therewith information specifying at least one operation to be performed by the cryptographic device. The cryptographic device authenticates the code, and responsive to authentication of the code, performs the specified operation. If the code is not authenticated, the operation is not performed. The code may be determined as a function of a one-time password generated by the authentication server. The function may also take as an input an identifier of the operation to be performed.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: June 30, 2015
    Assignee: EMC Corporation
    Inventors: Magnus Nyström, William M. Duane, James Townsend
  • Patent number: 9064094
    Abstract: A processing device comprises a processor coupled to a memory and is configured to obtain an intermediate value of a hash chain associated with a given access control interval, to utilize at least a portion of the intermediate value to access a protected resource during the given access control interval, and to repeat the obtaining and utilizing for one or more additional access control intervals using respective different intermediate values of the hash chain. The hash chain may comprise one of a plurality of hash chains derived from a common key, where the plurality of hash chains are associated with corresponding distinct resources and initial values of the plurality of hash chains are determined as respective functions of the common key and identifying information for corresponding ones of the protected resources.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: June 23, 2015
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, William M. Duane, Eric Young
  • Patent number: 9049226
    Abstract: Methods, apparatus and articles of manufacture for defending against a cyber attack via asset overlay mapping are provided herein. A method includes determining which of multiple systems within an organization stores each of multiple assets, determining at least one relationship present between the multiple assets across the multiple systems of the organization, and identifying, upon an attack of a first system of the multiple systems within the organization, one or more additional systems of the multiple systems vulnerable to the attack based on at least one relationship between one or more of the multiple assets stored on the first system to one or more of the multiple assets stored on one or more additional systems.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: June 2, 2015
    Assignee: EMC Corporation
    Inventor: William M. Duane
  • Patent number: 8990905
    Abstract: A processing device comprises a processor coupled to a memory and is configured to associate intermediate values of a hash chain with respective access control intervals, and to provide a given one of the intermediate values to a user in order to allow the user to access a protected resource in the corresponding access control interval. A final value of the hash chain is provided to an access control module associated with the protected resource, and an initial value of the hash chain is stored in a secure manner. The hash chain may be generated by applying a one-way hash function to the initial value a designated number of times in order to obtain the intermediate values and the final value. The protected resource may comprise, for example, a storage array or other processing platform component, with the intermediate values controlling service technician access to that component.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: March 24, 2015
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, William M. Duane, Eric Young
  • Patent number: 8984602
    Abstract: A processing device comprises a processor coupled to a memory and is configured to receive authentication information from a user, to generate a message authentication code based at least in part on the received authentication information, to generate a credential for a particular access control interval based at least in part on the message authentication code and an intermediate value of a hash chain, and to provide the credential to a user in order to allow the user to access a protected resource in the particular access control interval. The message authentication code may be generated over a message payload that includes a password provided by the user. The credential may comprise a combination of the message authentication code and the intermediate value of the hash chain.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: March 17, 2015
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, William M. Duane, Aaron Katz
  • Patent number: 8925058
    Abstract: A technique of authenticating a person involves obtaining, during a current authentication session to authenticate the person, a first authentication factor from the person and a second authentication factor from the person, at least one of the first and second authentication factors being a biometric input. The technique further involves performing an authentication operation which cross references the first authentication factor with the second authentication factor. The technique further involves outputting, as a result of the authentication operation, an authentication result signal indicating whether the authentication operation has determined the person in the current authentication session likely to be legitimate or an imposter. Such authentication, which cross references authentication factors to leverage off of their interdependency, provides stronger authentication than conventional naïve authentication.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: December 30, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, William M. Duane, John Linn, Roy Hodgman, Derek Lin
  • Patent number: 8902045
    Abstract: A technique performs an authentication operation using pulse and facial data from a user. The technique involves obtaining current pulse data from a user, and performing a comparison between the current pulse data from the user and expected pulse data for the user. The technique further involves generating an authentication result based on the comparison between the current pulse data and the expected pulse data. The authentication result may control user access to a computerized resource. Since such a technique uses pulse data, a perpetrator cannot simply submit a static image of a subject's face to circumvent the authentication process. In some arrangements, the technique involves obtaining videos of human faces and deriving cardiac pulse rates from the videos. For such arrangements, a standard webcam can be used to capture the videos. Moreover, such techniques are capable of factoring in circadian rhythms and/or aging adjustments to detect and thwart video replay attacks.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: December 2, 2014
    Assignee: EMC Corporation
    Inventors: John Linn, William M. Duane, Yedidya Dotan, Roy Hodgman