Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
  • Patent number: 11049341
    Abstract: Digital certificates are signed by a server's private key and installed at lock controllers that restrict access to physical resources. The server's public key is distributed to lock controllers and to mobile electronic devices operated by users who are given access to the physical resources. Lock-access data is digitally signed by the server's private key and provided to mobile electronic devices to facilitate access. The lock controller validates lock-access data and grants access conditionally based on time, version, and/or identity data provided within lock-access data. The use of certificates reduces the need to rely on a security scheme specific to the network. Lock controllers can also broadcast status notifications, so that updates and log data can be securely communicated with the server using mobile electronic devices as a proxy. The system is highly scalable, as each lock controller need not track the full scope of access permissions.
    Type: Grant
    Filed: July 24, 2019
    Date of Patent: June 29, 2021
    Assignee: SERA4 LTD.
    Inventors: Jerod Klink, Herb Little
  • Patent number: 11044251
    Abstract: A method for remote authentication aided by an audio signal includes: storing, in a memory of a computing device, at least first authentication data; receiving, by a first input device of the computing device, an audio signal electronically transmitted by a separate computing system; decoding, by a decoding module of the computing device, the received audio signal to identify a server identification value; receiving, by a second input device of the computing device, second authentication data submitted by a user of the computing device; authenticating, by an authentication module of the computing device, the received second authentication data based on the stored first authentication data; and electronically transmitting, by a transmitting device of the computing device, a result of the authentication and a profile identifier to an external processing server based on the server identification value.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: June 22, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Shiying Lian, Donghao Huang, Naman Aggarwal
  • Patent number: 11042639
    Abstract: Some embodiments provide a method for an end machine, that implements a distributed application, to redirect new network connection requests to other end machines that also implement the distributed application. The method receives a set of measurement data from a set of resources of the end machine and determines whether a measurement data received from a particular resource has exceeded a threshold. When the measurement data has exceeded the threshold, the method notifies a load balancer that balances new requests for connection to the distributed application between the end machines. The notification causes the load balancer not to send any new connection request to the end machine and redirect them to other end machines.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: June 22, 2021
    Assignee: NICIRA, INC.
    Inventors: Amit Vasant Patil, Vasantha Kumar
  • Patent number: 11044239
    Abstract: A method for distributing encrypted cryptographic data includes receiving, by a key service, from a first client device, a request for a first public key. The method includes transmitting, by the key service, to the first client device, the first public key. The method includes receiving, by the key service, from an access control management system, an encryption key encrypted with the first public key and a request from a second client device for access to the encryption key. The method includes decrypting, by the key service, the encrypted encryption key, with a private key corresponding to the first public key. The method includes encrypting, by the key service, the decrypted encryption key, with a second public key received from the second computing device. The method includes transmitting, by the key service, to the second client device, the encryption key encrypted with the second public key.
    Type: Grant
    Filed: November 20, 2019
    Date of Patent: June 22, 2021
    Assignee: Virtru Corporation
    Inventor: William R. Ackerly
  • Patent number: 11037163
    Abstract: A method for denying or nullifying a specific online transaction carried out by a specific user using a computing device associated with at least one input interface, while the specific user was coached by a fraudster. The method includes collecting a specific set of behavioral data relating to the behavior of the specific user during a specific online transaction, and using a multi-dimensional classification module to determine a probability that the specific user was coached during collection of the set of behavioral data. In response to the probability being greater than a predefined threshold, the specific transaction is denied or nullified.
    Type: Grant
    Filed: December 8, 2020
    Date of Patent: June 15, 2021
    Assignee: BEHAVIOSEC INC
    Inventors: Julian Breitling, Ingo Deutschmann, Per Burstrom
  • Patent number: 11038693
    Abstract: The invention relates to a method for validating message strings through a decentralized network. Said method also makes it possible to manage the validations of messages relating to a message chain in a unitary and asynchronous manner thus rendering the process unlimited in terms of performance. The method also allows enhanced security and confidentiality, in particular by integrating the number and geolocation constraints of message validations. The method thus makes it possible, through a decentralized network of trusted third parties with limited confidence, to restore real trust to the users.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: June 15, 2021
    Inventor: Sebastien Dupont
  • Patent number: 11038674
    Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: June 15, 2021
    Assignee: INTUIT, INC.
    Inventors: Glenn Scott, Michael R. Gabriel, Parikshit Lingampally, Roger Meike, Ian Maya Panchevre
  • Patent number: 11038672
    Abstract: A device, system, and method for decentralized management of a distributed proxy re-encryption key ledger by multiple devices in a distributed peer-to-peer network. A network device may receive shared data defining access to a proxy re-encryption key. The network device may locally generate a hash code based on the shared data. The network device may receive a plurality of hash codes generated based on versions of the shared data at a respective plurality of the other devices in the network. If the locally generated hash code matches the received plurality of hash codes, the network device may validate that the shared data is the same across the network devices and may add the received proxy re-encryption key access data and locally generated hash code to a local copy of the distributed proxy re-encryption key ledger.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: June 15, 2021
    Assignee: DUALITY TECHNOLOGIES, INC.
    Inventors: Arina Shainski, Kurt Rohloff
  • Patent number: 11030617
    Abstract: An attempted transaction is identified involving a customer device and the first customer device is redirected to a security broker. A security report for the first customer device is received from the security broker. The security report is based on security data transmitted from the customer device to the security broker. An action can be performed in association with the attempted transaction based at least in part on the received security report. In some aspects, the security broker receives security data describing security conditions on the customer device in connection with the transaction between the customer device and a transaction partner. A risk tolerance policy is identified that corresponds to the transaction partner, such as an ecommerce provider. A security report is generated based on a comparison of the risk tolerance policy and the security data and the security report.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: June 8, 2021
    Assignee: McAfee, LLC
    Inventors: Michael Condry, Sven Schrecker
  • Patent number: 11026084
    Abstract: This application discloses a mobile network authentication method, a terminal device, a server, and a network authentication entity. The method includes: receiving, by a first terminal device, a DH public key and a first ID that are sent by at least one second terminal device; sending a first message to a server, where the first message includes a DH public key of each second terminal device of the at least one second terminal device and a first ID of the second terminal device; receiving a second message sent by the server, where the second message includes a DH public key of the server and a second ID of the second terminal device that is generated by the server; and sending, by the first terminal device, the second ID of the second terminal device and the DH public key of the server to the second terminal device.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: June 1, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xin Kang, Haiguang Wang, Yanjiang Yang, Zhongding Lei
  • Patent number: 11025596
    Abstract: Data items such as files or database records associated with particular applications (such as messaging applications and other applications) can be stored in one or more remote locations, such as a cloud storage system, and synchronized with other devices. The remote storage can be configured such that each application executing on a client device can only view data items stored at the remote location to which the application has permission to access. An access manager on each client device enforces application specific access policies. Storage at the remote location can be secured for each application associated with a user or user account, for example, using isolated containers. The cloud storage of data can be anonymized and anonymous group data can be stored in the cloud storage.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: June 1, 2021
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Thomas Icart, Mathieu Ciet, Oliver J. Hunt, Yannick Sierra, Gokul Thirumalai, Roberto Garcia
  • Patent number: 11018874
    Abstract: A client obtains, in response to a request to a server, a response that includes data for fulfillment of the request, a digital signature that can be verified using a digital certificate, and location information that specifies a location where the digital certificate can be obtained. The client uses the location information to access the location and obtains the digital certificate. Using the digital certificate, the client evaluates the digital signature provided in the response to determine whether the digital signature is valid. If the digital signature is valid, the client accepts the data included in the response for fulfillment of the request.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: May 25, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Arjun Dasarakothapalli, Morgan Akers, David Alan Blunt, Darin Keith McAdams
  • Patent number: 11010200
    Abstract: Disclosed herein are embodiments for providing finite state machine driven workflows. In an embodiment, a workflow template is defined for a type of task. The workflow template may represent a finite state machine. The workflow template may be linked to an external party and an asset type, which may be stored in a workflow database. An asset may be received from the external party including an external party attribute identifying the external party, an asset type attribute, and an owner attribute. The owner attribute may be associated with an application end user. A determination may be made whether the external party attribute and the asset type attribute of the asset match the external party and the asset type linked to the workflow template. If a match is determined, instances of the task and the one or more actions of the workflow template may be created.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: May 18, 2021
    Assignee: Capital One Services, LLC
    Inventors: Rocky Gray, Justin Bachorik, Randall Randall
  • Patent number: 11012898
    Abstract: A system and method of allowing a new device to join an existing network are disclosed. A configuration tool is used to communicate relevant information from the new network device to the gateway in the existing network using a secondary network protocol different from that used by the primary network. For example, in one embodiment, messages are exchanged between the configuration tool and the new device and between the configuration tool and the gateway using BLUETOOTH®. Once all of the pertinent information has been exchanged, the new device is able to securely join the primary network, which may be based on the IEEE802.15.4 standard.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: May 18, 2021
    Assignee: Silicon Laboratories, Inc.
    Inventors: Wing Ming Cheung, DeWitt Clinton Seward, IV, Gregory Allan Hodgson, Rasmus Christian Larsen, Bernt Georg Breivik
  • Patent number: 11004072
    Abstract: An authentication technique is disclosed that uses a distributed secure listing of transactions that includes encrypted data that can be used to authenticate a principal to a verifier.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: May 11, 2021
    Assignee: PRIV8PAY, INC.
    Inventors: Ioannis Georgiadis, Gopalakrishnan Hariharan, John K. Thomas
  • Patent number: 11005656
    Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: May 11, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 11005989
    Abstract: Verifying caller identification information is described. A query to verify a first communications connection associated with an observed caller ID is received. Using a second communications channel, a message to a device associated with the observed caller ID is transmitted. A response to the message is received. The message is evaluated to perform a security determination. The security determination is provided as output.
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: May 11, 2021
    Assignee: RightQuestion, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 11005809
    Abstract: Methods, devices, and systems for generating a plurality of network addresses for a plurality of communication devices communicating over a network. One method includes receiving, with an electronic processor included in a server, geographical coordinates of the network, generating, with the electronic processor, a first set of bits based on the geographical coordinates, generating, with the electronic processor, a second set of bits based on a random number, and generating, with the electronic processor, a baseline address including the first set of bits and the second set of bits. The method also includes generating the plurality of network addresses, wherein each of the plurality of network addresses includes the baseline address and a unique offset. In addition, the method includes assigning one of the plurality of network addresses to one of the plurality of communication devices.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: May 11, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Kiril Danilchenko, Baruh Hason, Guy Holtzman
  • Patent number: 11005883
    Abstract: Disclosed is a system for recommending content of a predefined category to an account holder, detecting spam applications, or account holders based on the account holder application graphs. The system receives information corresponding to applications executing on the client device of the account holders and generates an application graph for each account holder that includes a list of predefined application categories that are preferred by the account holder. For each predefined category, a list of account holders preferring content relevant to that category is predicted based on the set of generated application graphs. Some application graphs may be detected as spam application graphs by comparing the generated application graphs with a set of predefined spam application graphs. Alternatively, if the generated application graph does not match the predefined spam application graphs, they are compared to a set of application graphs from a database to find similar application graphs.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: May 11, 2021
    Assignee: Twitter, Inc.
    Inventors: Deepak Rao, Argyrios Zymnis, Kelton Lynn, Michael Ducker, Sean Cook
  • Patent number: 10992593
    Abstract: Embodiments of the present invention provide a persistent integration platform for conducting a multichannel resource transfer. In particular, the system may utilize a multi-step and multilayered authentication process across multiple disparate computing systems to complete the resource transfer process. In some embodiments, the system may utilize a persistent element which may be accessed by the user across multiple devices which aids in the resource transfer. For instance, the resource transfer process may be started on a first computing system, which may be a stationary networked terminal. At this point, a record of the resource transfer may be created within the persistent element. The user may thereafter access the persistent element through a second computing system, such as a user device, to resume the resource transfer and complete the remaining steps as necessary.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: April 27, 2021
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brent David Reston, Margaret Winston, Kevin Clark May, Jeremiah Fairbairn Williams, Ryan Michael Furey, Michelle Nanette Downie
  • Patent number: 10984088
    Abstract: Systems and methods for authenticating a user to access a public terminal are described. Disclosed embodiments may include reading, using the physical credential reader, a user identifier from the physical credential device. Disclosed embodiments may also include transmitting the public terminal identifier and the user identifier to a secure server. Further, disclosed embodiments may include receiving, after completing the transmission, a unique code from the secure server. Disclosed embodiments may additionally include displaying the unique code on the display device. Disclosed embodiments may include receiving, after displaying the unique code, an authentication message from the secure server. Disclosed embodiments may further include, responsive to receiving the authentication message, authorizing the user to use a terminal command at the public terminal.
    Type: Grant
    Filed: July 10, 2018
    Date of Patent: April 20, 2021
    Assignee: Capital One Services, LLC
    Inventors: Jeremy Goodsitt, Fardin Abdi Taghi Abad, Austin Walters
  • Patent number: 10979407
    Abstract: A communications system comprises a client device and a server device; the server device comprising server communication circuitry configured to establish a server-authenticated first encrypted data path between the client device and the server device; and the client device comprising client communication circuitry configured to provide client-specific information to the server device using the first encrypted data path; the server communication circuitry being configured to use the client-specific information provided by the client device to establish a second encrypted data path between the server device and the client device, the second encrypted data path being authenticated by at least the client device.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: April 13, 2021
    Assignee: Sony Corporation
    Inventors: Nigel Stuart Moore, Huw Hopkins
  • Patent number: 10977362
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered, and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: April 13, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yirong Yu, Honglin Qiu
  • Patent number: 10979482
    Abstract: Methods and systems anchor hypertext transfer protocol (HTTP) level communication in an information-centric networking (ICN) network. Both content requests and responses to servers within the ICN network and to servers located outside the ICN network, in an IP network for example, are disclosed. Communication may be between two IP capable only devices at the HTTP level, one connected to an ICN network while the other one is connected either to an ICN or IP network. The disclosed namespace 200 enables IP based HTTP communication within the ICN network. An information-centric networking (ICN) network attachment point (NAP) or border gateway (BGW) may receive an HTTP request packet and encapsulate the received HTTP request packet. The ICN NAP/BGW may then forward the HTTP request packet towards the local ICN network servers. The HTTP request packet may be published to a named content identifier (CID) that may be determined through a hash function of a fully qualified domain name (FQDN).
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: April 13, 2021
    Assignee: IDAC HOLDINGS, INC.
    Inventor: Dirk Trossen
  • Patent number: 10979903
    Abstract: A key generation and distribution method is disclosed. The method includes receiving a first request from a first requestor, the first requestor comprising an identity of the first requestor; generating a new identity (ID) based on the identity of the first requestor; generating a secret key for the new ID with a predetermined pair of global keys, namely a Global Secret Key (GSK) and a Global Public Key (GPK); transmitting the new ID, secret key and the GPK to the first requestor; receiving a request from a second requestor, the request comprising a plurality of identities; generating a new ID for each of the plurality of identities; generating a secret key based on the IBC key generation algorithm for each of the plurality of new IDs; and transmitting the plurality of new IDs, secret keys corresponding to each of the plurality of IDs and the GPK to the second requestor.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: April 13, 2021
    Assignee: Huawei International Pte. Ltd.
    Inventors: Haiguang Wang, Jie Shi, Xin Kang
  • Patent number: 10972907
    Abstract: The invention provides a method and system for Bluetooth-based multi-end-to-multi-end communication, including: obtaining, through a short-term connection-oriented communication, a UUID of a device that needs to receive private data, corresponding the UUID to a private label according to a private label allocation table and storing the UUID in a mapping table within a broadcast host; and looking-up the mapping table, if data to be sent contains private information targeted for a specific receiving object group, then determining whether encryption is required; if encryption is required, then performing dynamical encryption based on the private label and proceeding to a step of Bluetooth broadcast payload sending; and performing corresponding non-private data hosting encapsulation or private data hosting encapsulation for the data to be sent and broadcasting the data.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: April 6, 2021
    Inventor: Fengping Zhao
  • Patent number: 10972462
    Abstract: A method for managing account data and handling account recovery requests is disclosed. The method comprises a multi-level identity verification process, including a first level where a specific computing device requesting recovery of an electronic account is requested to identify a trusted contact for the electronic account and a second level where the specific computing device is requested to provide a dynamically generated security code that has been communicated to a trusted contact identified by the specific computing device.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: April 6, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Juanjuan Hu, Kirsten Rauffer, Derek Koh, Yi Qun Zhou
  • Patent number: 10970375
    Abstract: Methods, systems, and devices are provided for generating biometric signatures. The system can detect, at an electronic device, one or more biometric acoustic signals. The system can generate a biometric signal input of the one or more biometric acoustic signals. The system can apply a machine learning model to conduct feature extraction of the biometric signal input having one or more biometric acoustic signals. The system can generate a biometric user signature of the user from the machine learning model. The system can perform one or more privacy preserving hashing functions to the biometric user signature to generate a hashed biometric user signature. The system can determine whether the hashed biometric user signature satisfies a predetermined threshold with an enrollment hashed signature of the user. And the system can authenticate an identity of the user upon detecting that the hashed biometric user signature satisfies the predetermined threshold.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: April 6, 2021
    Assignee: Unknot.id Inc.
    Inventors: Devu Manikantan Shila, Adriaan Joris H. Larmuseau
  • Patent number: 10970384
    Abstract: In authenticating a first circuit by a second circuit, the second circuit selects one of a set of public values and sends to the first circuit a request for a secret value corresponding to the selected one of the set of public values. The first circuit derives the secret value from the selected one of the set of public values using a seed from a set of seeds that is stored in a destructive fashion such that each use of a seed destroys that seed. The set of seeds is smaller in number than the set of public values. The second circuit determines whether the secret value matches the selected one of the set of public values using a one-way function. A positive authentication is generated based upon the determination of a match.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: April 6, 2021
    Assignee: Proton World International N.V.
    Inventors: Jean-Louis Modave, Michael Peeters
  • Patent number: 10963550
    Abstract: A method and apparatus for person identification by a smart device, wherein the method comprises: establishing a registration information base that corresponds to the new user, and completing registration information base that corresponds to each valid user, and the registration information base comprises a name, a characteristic and person relation structure data, and the person relation structure data record each person relation appellation and respective person name; receiving an interaction command inputted by a current user, and collecting characteristic information of the current user; searching the registration information base of each valid user, judging whether a valid user that matches the characteristic information exists, and if yes, determining the user name of the current user; searching the registration information base that corresponds to the determined user name, and identifying a corresponding target person.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: March 30, 2021
    Assignee: GOERTEK INC.
    Inventors: Chuan Chen, Cui Liu, Honglong Ma
  • Patent number: 10965673
    Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: March 30, 2021
    Assignee: CIVIC TECHNOLOGIES, INC.
    Inventors: Jonathan Smith, Vinodan Lingham, Zachary Bush, Juan Pablo Bedoya
  • Patent number: 10951633
    Abstract: Systems and methods involve an input layer function of a function-as-a-service (FaaS) pipeline that receives trigger data from a trigger layer function of one or more processors of enterprise processing systems, calls one or more processors of an enrich layer function of the FaaS pipeline that adds enriching context to the trigger data, and creates an event based at least in part on the enriched trigger data. A route layer function of the FaaS pipeline invoked by the input layer function creates an action based on the event created by the input layer function. An action layer function of the FaaS pipeline invoked by the route layer function creates a command based on the action created by the route layer function, and the action layer function sends a remediation action to a command layer function of the enterprise processor based on the action created by the route layer function.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: March 16, 2021
    Assignee: CITIGROUP TECHNOLOGY, INC.
    Inventors: Alexandra Shulman-Peleg, Daniel Tylman
  • Patent number: 10944738
    Abstract: Disclosed are various examples for single sign-on by way of managed mobile devices using Kerberos. For example, a certificate is received from a client device. In response, a Kerberos ticket-granting ticket is generated and sent to the client device. A request for a service ticket is later received from the client device. The request for the service ticket can include the ticket-granting ticket. The service ticket is then generated and sent to the client device. Subsequently, the service ticket is received from the client device and a security assertion markup language (SAML) response is sent to the client device in reply. The SAML response can provide authentication credentials for a service provider associated with the service ticket.
    Type: Grant
    Filed: February 9, 2017
    Date of Patent: March 9, 2021
    Assignee: AIRWATCH, LLC.
    Inventors: Adam Rykowski, Kabir Barday, Jonathan Blake Brannon
  • Patent number: 10938555
    Abstract: The invention relates to a method for establishing a secure communication between a first network device (initiator) and a second network device (responder) in a communication network and to an arrangement of network devices suitable for this purpose, which are distinguished by using a symmetric cryptosystem in which both network devices each use the same secrets as keys for encrypting and decrypting data sets for performing a respective separate authentication with respect to the first and second network devices before generating a secret to be used as a shared key for the secure communication.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: March 2, 2021
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventor: Torsten Foerder
  • Patent number: 10931663
    Abstract: Two-factor authentication is processed on a transaction terminal before access is provided to a secure resource of the transaction terminal. A first factor authentication is performed to authenticate an identifier and a credential of a user. A unique challenge is sent, in response to a successful first factor authentication, to a secure device interfaced to the transaction terminal. A one-time unique signed response is received from the secure device in response to the unique challenge and a user action that depresses a button on the secure device. The one-time unique signed response is compared against what is expected from the secure device. When the comparison is successful, a user identity for the user is set, a security role is set for the user identity, and the user is granted access to the secure resource with the set security role.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: February 23, 2021
    Assignee: NCR Corporation
    Inventors: Anthony Edward Roper, Colin George Herkes
  • Patent number: 10931452
    Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications is facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.
    Type: Grant
    Filed: August 22, 2017
    Date of Patent: February 23, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: Seetharama Ayyadevara, Seemant Choudhary, Stephan Benny, Punit Kandoi, Pravin Tatti
  • Patent number: 10929522
    Abstract: A method for authentication related to a software client application within a client computing device includes: in a first step, an authentication-related command and/or module is invoked by the software client application, and a first group of application protocol data units is exchanged between the client computing device and a subscriber identity module entity; in a second step, a subscriber identity module applet is triggered—via the first group of application protocol data units—to contact a subscriber identity module toolkit and/or to trigger an event, so as to invoke a command of the subscriber identity module toolkit; and in a third step, a second group of application protocol data units is exchanged between the client computing device and the subscriber identity module entity, wherein the subscriber identity module toolkit thereby triggers the client computing device to request a user action from the user of the client computing device.
    Type: Grant
    Filed: July 26, 2017
    Date of Patent: February 23, 2021
    Assignee: DEUTSCHE TELEKOM AG
    Inventors: Ruediger Jaensch, Michael Dupre
  • Patent number: 10915354
    Abstract: Transaction scheduling is described for a user data cache by assessing update criteria. In one example an event records memory stores a list of events each corresponding to performance of a transaction at a remote resource for a user. The memory has criteria for each event and a criterion value for each criterion and event combination. An event manager assesses criteria for each event by performing an operation on the stored criterion value for each criterion and event combination, assigning a score for each criterion and event combination, and compiling the assigned scores to generate a composite score for each event. The events are ordered based on the respective composite scores and executed in the ordered sequence by performing a corresponding transaction at the remote resource. Updated criterion values are stored for executed events.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: February 9, 2021
    Assignee: BILLGO, INC.
    Inventors: Stephen Ryan Gordon, Terry Lentz, Jr., Kalyanaraman Ganesan, Richard Yiu-Sai Chung
  • Patent number: 10909270
    Abstract: According to an embodiment, an information processing device switching between a secure mode and a non-secure mode to operate, includes one or more processors configured to perform: implementing a secure OS which operates in the secure mode; implementing a non-secure OS which operates in the non-secure mode; acquiring initialization process information autonomously in the secure mode, the initialization process information relating to an initialization process which the non-secure OS executes for a shared resource shared by the secure OS and the non-secure OS; and enabling, based on the initialization process information, the shared resource to be shared and used by the secure OS and the non-secure OS.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: February 2, 2021
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Ryuta Nara, Takeshi Kawabata
  • Patent number: 10904751
    Abstract: Described are methods that allow credentials of a first client station to authenticate a second client station. An exemplary method includes associating a first client station with a second client station, the first client station including credential information, the associating authorizing the second client station to use the credential information, transmitting, by the second client station, an association request to a network, the network utilizing the credential information to authorize a connection, the second client station configured to perform a proxy functionality for requests received from the network to be forwarded to the first client station and responses received from the first client station to be forwarded to the network, determining, by the network, whether the credential information received from the second client station is authenticated and establishing a connection between the second client station and the network using the credential information of the first client station.
    Type: Grant
    Filed: July 27, 2016
    Date of Patent: January 26, 2021
    Assignee: Apple Inc.
    Inventors: Najeeb M. Abdulrahiman, Thomas F. Pauly, Vikram B. Yerrabommanahalli
  • Patent number: 10904333
    Abstract: System and method for associating general data with an end-user based on the domain name system (DNS) resolver that the end-user uses to map the canonical domain names of internet services to their associated network addresses. The present invention elegantly addresses concerns of scale regarding the key-space, for example the global number of distinct DNS resolvers, and the data-space, for example the number of distinct geographical areas to associate.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: January 26, 2021
    Assignee: Pavlov Media, Inc.
    Inventors: Bartow Wyatt, Robert Saska
  • Patent number: 10904759
    Abstract: A method for the initial operation and personalization of a subscriber identity module in a mobile radio network is described. Prior to its first initial operation in the mobile radio network, the subscriber identity module does not yet include an individual secret key and is equipped with an individual, unique parameter data set only after its first initial operation in the mobile radio network. A mobile radio server receives, from the subscriber identity module, an authentication message formed with a preliminary parameter data set comprising an individual, unique subscriber identification and a non-individual, non-unique preliminary secret key, and sends, after a verification, in response thereto an individual, unique final secret key to the subscriber identity module for programming into the subscriber identity module. The preliminary parameter data set is introduced into the subscriber identity module selectively during production or by an initializing step based on an initial parameter data set.
    Type: Grant
    Filed: August 16, 2018
    Date of Patent: January 26, 2021
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventor: Lars Hoffmann
  • Patent number: 10897360
    Abstract: Methods, systems, and devices are described herein for delivering protected data to a trusted execution environment (TrEE) associated with an untrusted requestor. In one aspect, a targeting protocol head, or other intermediary between a requestor and a key management system or other store of protected data, may register a public encryption key of a TrEE that corresponds to a private encryption key held by the TrEE or a symmetric key of the TrEE. The targeting protocol head may receive a request for protected data from a requestor associated with the TrEE, and retrieve the protected data, for example, from a key management system or store of protected data. The targeting protocol head may generate targeted protected data by encrypting the protected data with the public encryption key or symmetric key of the TrEE. The targeting protocol head may then send the targeted protected data to the requestor.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: January 19, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Mark F. Novak
  • Patent number: 10897707
    Abstract: Methods And Apparatus For Direct Communication Key Establishment. Methods, apparatuses and system are disclosed for establishing a key for secure direct communication between a User Equipment device, UE, and a device. The system comprises a UE (20), a device (30) and a Direct Communication Element (40). The UE establishes a UE shared key with a Bootstrapping Server Function, BSF (50), using a Generic Bootstrapping Architecture, GBA, procedure. The device receives a transaction identifier associated with the UE shared key from the UE, and sends the transaction identifier to the Direct Communication Element. The Direct Communication Element receives the transaction identifier from the device, obtains a shared session key from the BSF, derives the UE delivery key, generates the direct communication key, encrypts the direct communication key with the UE delivery key, and sends the direct communication key and the encrypted direct communication key to the device.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: January 19, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Monica Wifvesson, Vesa Lehtovirta, Katharina Pfeffer
  • Patent number: 10885160
    Abstract: A computer-implemented user classification method includes: obtaining, by a target terminal device, an initial user classification model from a server, in which the initial user classification model is provided by the server to multiple terminal devices, the multiple terminal devices including the target terminal device; obtaining first operation data of a registered user of the target terminal device; updating the initial user classification model based on the first operation data, to obtain an updated user classification model that is personalized for the registered user; and classifying, based on the updated user classification model, an identity of a current user of the target terminal device.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: January 5, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Long Guo
  • Patent number: 10885525
    Abstract: A method and system for employing biometric data includes first and second user computing systems coupled to respective first and second biometric devices for generating biometric data. A first user of the first user computing system uses the first biometric device, thus causing a generation of first biometric data which is then used as a database index to locate and authorize access to a database zone exclusively dedicated to the first user. The first user can further access the database zone on the second user computing system, and authorize access to a portion of data within the database zone to a second user of the second user computing system.
    Type: Grant
    Filed: September 20, 2017
    Date of Patent: January 5, 2021
    Inventor: Faraz Sharafi
  • Patent number: 10885096
    Abstract: A computer system for automating dynamic multi-user communication is configured to receive a first user dataset associated with a first user. The computer system can communicate first user interface elements to a first user. The computer system then receives, from the first user, a user data response based upon the first user interface elements. Upon receiving the user data response, the computer system identifies, using a correlating function, a second user from. The computer system communicates at least a portion of the user data response to the second user. The computer system then receives, from the second user, a first user data response ranking. The computer system updates a first user ranking with the first user data response ranking. The computer system then communicates the first user data response ranking to the first user.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: January 5, 2021
    Inventor: Jon Matthew Wickizer
  • Patent number: 10887412
    Abstract: A method is disclosed. The method includes: obtaining, by an authoritative directory router in an information centric network (ICN), a publish message associated with a publisher node and including: an identifier associated with a content item; and a first anchor prefix for a first anchor directory router for the publisher node; determining that a bidirectional code for the identifier falls within an authoritative code range assigned to the authoritative directory router; and updating, in response to the bidirectional code falling within the authoritative code range, a local code repository associated with the authoritative directory router with the first anchor prefix and the identifier.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: January 5, 2021
    Assignee: Gramboo Inc.
    Inventor: Nitish John
  • Patent number: 10885163
    Abstract: The present disclosure provides a computer-implemented method, computer system and computer program product for user authentication. According to the method, identity information can be received from a user, and a plurality of questions can be presented to the user, the plurality of questions comprising one or more valid questions generated based on a password related to the identity information and one or more invalid questions. Then, an input can be received from the user, and in response to the input corresponding to the one or more valid questions, the user can be authenticated based on the input.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: January 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: He Huang, Shi Peng Li, Jin Hong Fu, Shi Chong Ma
  • Patent number: 10880295
    Abstract: The disclosure relates to apparatuses and methods for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory. The apparatus comprises at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: December 29, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Marko Teiste, Tero Mononen, Tommi Linnakangas, Jussi Pakkanen, Tatu J. Ylönen, Kalle Jääskeläinen, Markku Rossi