Patents by Inventor Yedidya Dotan

Yedidya Dotan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9230066
    Abstract: An improved technique authenticates a user based on an ability to corroborate previous transaction data sent by a user device. Along these lines, the improved technique makes use of an independent information source for verifying the accuracy of previous transaction data obtained by a given collector. For example, when a collector of location data is a GPS unit of a cell phone, an independent information source may be a cell tower closest to the cell phone at the time of the transaction. While location data provided by the cell tower may not be as precise as that provided by the GPS unit, such data is useful for corroborating the location data from the GPS unit. In this scenario, if the data provided by the cell tower fails to corroborate that provided by the GPS unit, then the GPS unit adds significant risk to authenticating the user.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: January 5, 2016
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, Lawrence N. Friedman, Yedidya Dotan
  • Patent number: 9225700
    Abstract: A method performed by a client access device includes (1) receiving, at the client access device, a signal from a client authorizing device, the signal including an environmental detection instruction, the environmental detection instruction instructing the client access device to detect an aspect of a local environment, (2) detecting, at the client access device, the aspect of the environment indicated by the environmental detection instruction to yield a first environmental detection result, (3) sending the first environmental detection result from the client access device to a remote server, and (4) in response to sending the environmental detection result to the remote server, receiving a proximity signal from the remote server indicating whether or not proximity between the client access device and the client authorizing device has been established by comparing the first environmental detection result to a second environmental detection result sent from the client authorizing device to the server.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 29, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Karl Kowalski, Piers Bowness
  • Patent number: 9202173
    Abstract: An improved technique involves adjusting the operation of a KBA system based on facts that may contain information known to an adversary. Along these lines, the KBA system may receive an alert concerning an adversary that may know the answers to some of the KBA questions used by the KBA system in authenticating users. In response to the alert, the KBA system may alter operations in order to account for the adversary. Subsequently, when a user requests authentication, the KBA system selects KBA questions based on adjustments made to the KBA system in order to avoid presenting the adversary with KBA questions derived from facts (s)he knows.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: December 1, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Ayelet Eliezer, Lawrence N. Friedman
  • Patent number: 9202035
    Abstract: A technique authenticates a user. The technique involves receiving, by processing circuitry, a handwritten code. The technique further involves performing, by the processing circuitry, a set of assessment operations which includes (i) a handwriting evaluation to analyze a set of biometric handwriting aspects of the handwritten code and (ii) a code evaluation to analyze code accuracy of the handwritten code. The technique further involves providing, by the processing circuitry, an authentication result based on the set of assessment operations. Such a technique strengthens security by including a “who you are” factor (i.e., handwriting biometrics uniquely identify the genuine user).
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: December 1, 2015
    Assignee: EMC Corporation
    Inventors: Yuri Manusov, Yedidya Dotan, Oleg Freylafert, Anton Khitrenovich
  • Patent number: 9183595
    Abstract: An improved technique generates questions to authenticate a user as part of a group. Along these lines, a KBA system, upon receiving a request to authenticate a particular user, collects facts having references to users of the group of users. The collected facts, however, may also include references to users not in the group of users. In building a set of questions for the particular user, the KBA system is capable of favoring facts having references to users of the group of users and few, if any, references to users not in the group of users; conversely, the KBA system is capable of discarding facts having too many references to users not in the group of users. The particular user's responses to the set of questions are indicative of whether the particular user belongs to the group.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: November 10, 2015
    Assignee: EMC Corporation
    Inventors: Ayelet Avni, Ayelet Eliezer, Yedidya Dotan
  • Patent number: 9177127
    Abstract: An improved technique generates confounders for KBA questions from personal information management (PIM) data created from within an organization. An enterprise KBA (eKBA) server collects PIM data such as email data for a particular member of the organization. For email data, the eKBA server extracts facts from the headers of emails and generates queries having a corresponding correct answer from a first subset of the facts. Moreover, the eKBA server extracts a set of confounders from a second subset of the facts. The eKBA server then forms a multiple-choice KBA question from the query, the corresponding correct answer, and selected confounders.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: November 3, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Shai Gabai
  • Patent number: 9178880
    Abstract: A method is used in authenticating a mobile device user. An authentication invocation from a mobile device for access to computer resource is activated. Device unique identifiers and device forensic information are collected. The device unique identifiers and the device unique identifiers are forwarded to a gateway. An OTP is resolved into a unique device identifier using an authentication server. The device identifier is adaptively authenticated using multiple authentication factors.
    Type: Grant
    Filed: June 30, 2012
    Date of Patent: November 3, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, John G. Linn, Christopher Corde, Philip A. Darringer, Robert S. Philpott
  • Patent number: 9152578
    Abstract: A technique secures data in cloud storage. The technique involves receiving, by processing circuitry, an input/output (I/O) request which includes host data. The technique further involves encrypting, by the processing circuitry, the host data to form encrypted data and sending a block-based write transaction which includes the encrypted data to a replication storage array to store the encrypted data within the replication storage array. The technique further involves storing, by the processing circuitry, the host data within the production storage array. The encrypted host data is stored within the replication storage array to secure the host data which is also stored at the production storage array.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Yossi Saad, Assaf Natanzon, Yedidya Dotan
  • Patent number: 9154556
    Abstract: A technique manages access to a limited number of computerized sessions. The technique involves receiving, from a waiting user, a session request for a computerized session, and queuing the session request in a wait queue in response to all of the limited number of computerized sessions being currently assigned to other users. The technique further involves, while the session request is queued in the wait queue, providing permission to the waiting user to un-assign a computerized session which is currently assigned to another user. With such a technique, the user has the option of simply waiting until a computerized session has been relinquished (i.e., if the user is willing to be patient) or un-assigning a computerized session currently assigned to another user (e.g., in order to speed up access to a computerized session).
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Ayelet Biger, Asaf Shoval
  • Patent number: 9154304
    Abstract: Methods, apparatus and articles of manufacture for using a token code to control access to data and applications in a mobile platform are provided herein. A method includes processing authentication information via a cryptographic operation to generate an output, partitioning the output into (i) a component that identifies the authentication information and (ii) an encryption key component, encrypting an item of cryptographic information via the encryption key component, and storing the component that identifies the authentication information and the encrypted item of cryptographic information.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, William M. Duane
  • Patent number: 9130753
    Abstract: An authentication technique employs a security device that communicates with a software token construct installed on a user device via a connector. The technique includes secure provisioning of an authentication seed and safe storage of the seed in encrypted form on the user device. A key for decrypting the seed is stored within the security device, and token codes are generated by physically connecting the security device to the user device and conveying the encrypted seed from the user device to the security device over the connector.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: September 8, 2015
    Assignee: EMC Corporation
    Inventors: Boris Kronrod, Yedidya Dotan
  • Patent number: 9131374
    Abstract: An improved technique employs knowledge-based authentication (KBA) based on data stored in a mobile apparatus. The mobile apparatus collects data from sources including email data, web browsing data, accessed YouTube video data, and GPS location data recently stored in the mobile apparatus. From such data, the mobile apparatus builds questions and stores the questions on a database on the phone. Upon receiving a request to access a resource stored in the mobile apparatus from a user, the mobile apparatus selects questions at random and ranks them according to a policy accessible to the mobile apparatus. The mobile apparatus presents the highest-ranked questions to the user. The mobile apparatus grants or rejects access to the resource based on an authentication result that the mobile apparatus generates from answers to the questions submitted by the user.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: September 8, 2015
    Assignee: EMC Corporation
    Inventors: Ayelet Avni, Ayelet Levin, Bryan Knauss, Yedidya Dotan
  • Patent number: 9119539
    Abstract: A method, electronic apparatus and computer program product for performing authentication operation is disclosed. An authentication request is received from user of computerized resource. The request comprises user identifier identifying user. The authenticity of user is verified based on user identifier. An access session is established in which user can access resource in response to successfully verifying user. An electronic input signal is received from electronic input device during session. The device is configured to take a biometric measurement from the user. Biometric data is derived from signal. A comparison is performed between biometric data and expected biometric data. An authentication result is generated based on comparison between biometric data and expected biometric data, wherein result can be used for further authentication of user during session.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: September 1, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, William M. Duane
  • Patent number: 9078129
    Abstract: An improved technique involves authenticating a user requesting access to a particular mobile device using knowledge-based authentication (KBA) questions generated from data taken from a group of mobile devices to which the particular mobile device belongs. Along these lines, consider a corporation that has a group of mobile devices distributed to its employees. The mobile devices provide data to an enterprise KBA (eKBA) server regarding events on each of the mobile devices. Because an owner of a mobile device belongs to a group of employees, the owner is able to answer questions regarding fellow employees. On the other hand, a malicious user that illegitimately gains access to the owner's mobile device will not be able to answer such questions, even if the malicious user knows details about the owner.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: July 7, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Ayelet Levin, Ayelet Avni, Boris Kronrod
  • Patent number: 9038134
    Abstract: A method is used in managing predictions in data security systems. An authentication request is received from an entity for access to a computerized resource. A predictor is determined based on context data for the authentication request and the entity. The authentication request is managed based on the predictor and the context data.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: May 19, 2015
    Assignee: EMC Corporation
    Inventors: Karl Ackerman, Yedidya Dotan, Lawrence N. Friedman
  • Patent number: 9032490
    Abstract: A method performed by a computing device is described. The method includes (a) receiving an authentication request from an application server seeking to authenticate a user for access to a service provided by the application server, (b) communicating with a first authentication server to obtain a first authentication of the user, (c) communicating with a second authentication server to obtain a second authentication of the user, the second authentication server being distinct from the first authentication server and the second authentication being of a type distinct from the first authentication, (d) rejecting the authentication request if and only if one or both of the first authentication and the second authentication is negative, and (e) upon rejecting the authentication request, sending a rejection message to the application server without informing the application server whether the first authentication or the second authentication was negative.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: May 12, 2015
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oleg Freylafert, Yedidya Dotan
  • Patent number: 9021271
    Abstract: A method is performed by a computer in communication with a hardware security module (HSM). The method includes (a) running a process virtual machine (PVM) on the computer, the PVM being configured to execute portable bytecode instructions within a PVM environment and (b) executing, within the PVM environment, instructions for (1) reading encrypted instruction code from data storage of the computer, (2) sending the encrypted instruction code to the HSM, (3) in response, receiving decrypted instruction code from the HSM, and (4) injecting the decrypted instruction code within an application running in the PVM environment for execution by the PVM. Embodiments are also directed to analogous computer program products and apparatuses.
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: April 28, 2015
    Assignee: EMC Corporation
    Inventors: Gareth D. Richards, Lawrence N. Friedman, Alexander Volanis, Yedidya Dotan
  • Patent number: 8959650
    Abstract: A method is used in validating association of client devices with sessions. Information of a client device executing a user agent is gathered by a server for creating a device identifier for the client device upon receiving a request from the user agent for establishing a session between the user agent and the server. The device identifier includes information identifying the client device. The device identifier is associated with the session. The client device is validated by the server upon receiving subsequent requests from the client device during the session. Validating the client device includes gathering information of the client device sending each subsequent request for creating a device identifier for the client device and comparing the device identifier created from the information gathered during each subsequent request with the device identifier associated with the session.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 17, 2015
    Assignee: EMC Corporation
    Inventors: Gareth D. Richards, Yedidya Dotan, Riaz Zolfonoon, Gregory Dicovitsky
  • Patent number: 8955076
    Abstract: A technique controls access to a protected resource residing on a protected resource server. The technique involves conveying, in response to a user request to access the protected resource residing on the protected resource server, a challenge from a resource accessing device to an access control device. The technique further involves transmitting an answer to the challenge from the access control device to the resource accessing device. The technique further involves completing an authentication operation based on the answer to the challenge. The resource accessing device obtains electronic access to the protected resource residing on the protected resource server when the authentication operation results in successful authentication. The resource accessing device does not obtain electronic access to the protected resource residing on the protected resource server when the authentication operation results in unsuccessful authentication.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: February 10, 2015
    Assignee: EMC Corporation
    Inventors: Sorin Faibish, Yedidya Dotan, John A. Murray, Lawrence N. Friedman
  • Patent number: 8955069
    Abstract: Event-based biometric authentication is provided using a mobile device of a user. A user attempting to access a protected resource is authenticated by receiving a request to access the protected resource; collecting biometric information from the user in response to the request using a mobile device of the user; performing biometric authentication of the user using the collected biometric information; and granting access to the protected resource based on the biometric authentication. The authentication optionally comprises an event-based authentication. The mobile device does not have to contain token generating material.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 10, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Samuel Adams, Philip A. Darringer, Christopher Corde, Lawrence N. Friedman