System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
  • Patent number: 8959645
    Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: February 17, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
  • Patent number: 8959617
    Abstract: Systems, methods, apparatus, and computer readable media are provided for disposable component authentication with respect to a biological fluid processing device instrument. An example instrument authentication system includes a computer facilitating configuration and operation of the biological fluid processing instrument using a disposable component. A first interface is provided by the computer and is used by a service technician to configure the biological fluid processing instrument for a number of disposable components and to provide a service technician with a validation code. A key generator is to accept the validation code from the service technician and generate an authentication key in response to the entered validation code. A second interface is provided by the computer, the second interface prompting the service technician to enter an authentication key, wherein the authentication key authorizes use of a certain number of disposable components for the biological fluid processing instrument.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 17, 2015
    Assignee: Fenwal, Inc
    Inventors: Douglas Newlin, Kevin Krause, Robert Crampton, John T. Foley, Brian Case, William Cork
  • Patent number: 8959356
    Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
  • Patent number: 8959644
    Abstract: A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such as a count-min sketch model. The probabilistic model provides an upper-bound assessment of a number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities.
    Type: Grant
    Filed: October 27, 2010
    Date of Patent: February 17, 2015
    Assignee: Microsoft Corporation
    Inventors: Stuart E. Schechter, Cormac E. Herley, Michael D. Mitzenmacher
  • Patent number: 8959619
    Abstract: A method for secure authentication is provided which includes having a user who wishes to gain access to a computer or computer network select from among a plurality of randomly displayed images, having different background colors, the correct image and background color which correspond to the user's computer account. In one advantageous form, in addition to selecting the correct image, the user must first enter a username and password. In an alternative form, if a user is seeking access to a computer network by using a preapproved access point or computer having an approved IP address, a user is allowed to gain access to the computer network without being prompted to select a correct image.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: February 17, 2015
    Assignee: Fleet One, LLC.
    Inventors: Ted Sanft, John Overland, Andy Roberts
  • Patent number: 8959360
    Abstract: Methods, systems, and apparatus for voice authentication and command. In an aspect, a method comprises: receiving, by a data processing apparatus that is operating in a locked mode, audio data that encodes an utterance of a user, wherein the locked mode prevents the data processing apparatus from performing at least one action; providing, while the data processing apparatus is operating in the locked mode, the audio data to a voice biometric engine and a voice action engine; receiving, while the data processing apparatus is operating in the locked mode, an indication from the voice biometric engine that the user has been biometrically authenticated; and in response to receiving the indication, triggering the voice action engine to process a voice action that is associated with the utterance.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: February 17, 2015
    Assignee: Google Inc.
    Inventor: Hugo B. Barra
  • Patent number: 8959357
    Abstract: A system, method and program product for generating a private key. A system is disclosed that includes a signal acquisition system for obtaining biometric input from a user and encoding the biometric input into an acquired biometric; a recognition system for determining an identity based on the acquired biometric and outputting an absolute biometric associated with the identity; an input device for accepting a knowledge input from the user; and a key generator that generates a private key based on the knowledge input and the absolute biometric.
    Type: Grant
    Filed: July 15, 2010
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventor: Aaron Keith Baughman
  • Patent number: 8959340
    Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.
    Type: Grant
    Filed: March 30, 2009
    Date of Patent: February 17, 2015
    Assignee: Orange
    Inventors: Rémi Raffard, Houssem Assadi
  • Patent number: 8959149
    Abstract: A method for personal badges in a social network includes receiving a badge from a user, determining a degree of similarity between the badge and one or more other badges owned by one or more users connected to the user. The method also includes, when the degree of similarity is less than a predetermined amount, crediting the badge to particular ones of the one or more users as designated by the user. Badges credited to a user may be displayed in a profile page of the user.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: February 17, 2015
    Assignee: Google Inc.
    Inventor: Terrac Skiens
  • Patent number: 8959620
    Abstract: A method for composing an authentication password associated with an electronic device is implemented by a password composing system including a display, a receiving unit, and a processing unit. In the method, the display is configured to display a start point, and a plurality of displayed paths. The receiving unit is configured to detect a set of user-input movements of a contact point at the display. The processing unit is configured to determine whether the user-input movements conform with a predefined valid user-input gesture, store a plurality of codes corresponding to the valid user-input gestures, and to compose the authentication password according to valid ones of the series of the user-input movements.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 17, 2015
    Assignee: Mitac International Corp.
    Inventors: Ching-Teng Hsueh, Hui-Chun Yang
  • Patent number: 8959350
    Abstract: In general, the invention relates to a method for performing a command on a token. The method includes receiving a first command authentication message digest (CAMD), a command, and scrambled data from a sender, and making a first determination that the sender is allowed to send commands to the token. The method further includes, based on the first determination, generating a second CAMD on the token using the command, the scrambled data, and an Administrative Command Authentication Secret (ACAS), making a second determination that the first CAMD and the second CAMD match, and based on the second determination, performing the command by the token.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: February 17, 2015
    Assignee: PACid Technologies, LLC
    Inventor: Guy Fielder
  • Patent number: 8959648
    Abstract: There is provided a system and method for audio challenges for providing human response verification. There is provided a method comprising receiving a request to verify whether a client is human controlled, generating, using a database, a challenge question and a corresponding answer set, selecting a plurality of images and an audio instruction corresponding to the challenge question, presenting the plurality of images and the audio instruction to the client, receiving a submission to the challenge question from the client, and responding to the request by verifying whether the submission is contained in the answer set to determine whether the client is human controlled. By utilizing easily understood elements such as common shapes and objects, familiar characters, colors, sizes, orientations, and sounds, even young children can solve the challenge question, whereas automated systems are deterred by the complex audio and image analysis required.
    Type: Grant
    Filed: October 1, 2010
    Date of Patent: February 17, 2015
    Assignee: Disney Enterprises, Inc.
    Inventors: Romklau Nagamati, Miles Lightwood
  • Patent number: 8955039
    Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
  • Patent number: 8955150
    Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 10, 2015
    Assignee: Fasoo.com Co. Ltd.
    Inventor: Chel Park
  • Patent number: 8955068
    Abstract: A computer-implemented method may include providing authentication code for an existing web-based application. The authentication code may be programmed to modify functionality of the existing web-based application as the existing web-based application executes while leaving a binary of the existing web-based application unchanged. The method may also include establishing strong authentication for the existing web-based application by 1) identifying, via the authentication code, a request to bind an authentication credential to a profile of a user, the request being received via a browser through which the existing web-based application is accessed, 2) directing, via the authentication code and in response to the request, the browser to an external authentication site that is not part of the existing web-based application, and 3) at the external authentication site, enabling the user to bind the authentication credential to the profile.
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: Srinath Venkataramani, Arpan Debroy
  • Patent number: 8955086
    Abstract: A computer system determines whether the computer system is able to access an authentication server. If the computer system is able to access the authentication server, the computer system requests a first set of credentials from a user. If the first set of credentials is valid, the computer system assigns the user a first role for performing operations on the computer system based on the first set of credentials. If the computer system is unable to access the authentication server, the computer system requests another set of credentials from the user. If the other set of credentials is valid, the computer system assigns the user another role for performing operations on the computer system based on the other set of credentials.
    Type: Grant
    Filed: March 16, 2012
    Date of Patent: February 10, 2015
    Assignee: Red Hat, Inc.
    Inventor: Dmitri V. Pal
  • Patent number: 8954759
    Abstract: A magnetic memory device includes a main memory made of magnetic memory; the main memory further includes a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Avalanche Technology, Inc.
    Inventors: Siamack Nemazie, Ngon Van Le
  • Patent number: 8955099
    Abstract: A device creates a pool of available licenses for secure network resources, and receives an unused license from a network device. The device also provides the unused license in the pool of available licenses, and receives a request for a license from another network device. The device further provides, to the other network device, the unused license from the pool of available licenses.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: February 10, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Kanti Varanasi, Kevin Peterson
  • Patent number: 8954745
    Abstract: A method and apparatus are provided to allow a user of a communications device to utilize one-time password generators for two-way authentication of users and servers, i.e., proving to users that servers are genuine and proving to servers that users are genuine. The present invention removes the need for a user to have a separate physical device, e.g., token, per company or service, reduces the cost burden on the companies and allows for two-way authentication via multiple access methods, e.g., telephone, web interfaces, automatic teller machines (ATMs), etc. Also, the present invention may be utilized in consumer and enterprise applications.
    Type: Grant
    Filed: April 3, 2007
    Date of Patent: February 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Debra L. Cook, Vijay K. Gurbani, Maarten Wegdam
  • Patent number: 8955044
    Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Yahoo! Inc.
    Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
  • Patent number: 8955074
    Abstract: An interactive method for authentication is based on two shared secrets, both shared secrets in the form of an ordered path on the frame of reference. An instance of the frame of reference comprises a set of characters which is arranged in a random or other irregular pattern. The first step of authentication that a user performs requires the user to remember one or all of the characters in the displayed instance of the frame of reference found in the locations in the random subset of the first ordered path by indicating characters either in these locations, or any other locations having the same characters. The second step of authentication requires that a user enter the position of the second ordered path, which only they know during an authentication session, where the challenge identifying the position of the ordered path is the single or multiple values that matches the value of the digital content of the frame of reference.
    Type: Grant
    Filed: October 23, 2012
    Date of Patent: February 10, 2015
    Assignee: Authernative, Inc.
    Inventors: Edward M. Barton, Len L. Mizrah
  • Patent number: 8954740
    Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Damon Cokenias, David Finkelstein
  • Patent number: 8950001
    Abstract: A method for orchestrating peer authentication during a call (e.g., a telephone call, a conference call between three or more parties, an instant messaging [IM] chat session, etc.) is disclosed. In particular, a user is first authenticated in order to participate in a call (e.g., via entering a password, etc.), and subsequently during the call the user may be peer authenticated. In accordance with the illustrative embodiment, a user who participates in a call might be prompted to authenticate another user on the call based on particular events or user behavior during the call.
    Type: Grant
    Filed: September 9, 2008
    Date of Patent: February 3, 2015
    Assignee: Avaya Inc.
    Inventors: Jon Louis Bentley, Michael J. Sammon, Anjur Sundaresan Krishnakumar, David Mandel Weiss
  • Patent number: 8949972
    Abstract: An information recording system includes a recording medium capable of limiting a function by password and an information recording device for controlling the recording medium. The recording medium stores an input password, counts updating event(s) of a password, stores the update count of the password, outputs information stored in the password related information storage according to a READ request issued from the information recording device, compares an input password with a password stored in the password register, and limits a predetermined function of the recording medium according to the comparison result from the password comparator. The information recording device stores a password and a password identification ID which is associated with the update count of the password, selects a password with reference to the update count of the password and the password identification ID and outputs the selected password into the recording medium to compare the passwords.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: February 3, 2015
    Assignee: Panasonic Intellectual Property Management Co., Ltd.
    Inventors: Takeshi Otsuka, Haruo Ohta
  • Patent number: 8949596
    Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: February 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fenglin Yin, Jianxiu Hao, Zhiying Jin
  • Patent number: 8949944
    Abstract: A method and system are provided for multi-access authentication in a Next Generation Network (NGN). A network side authentication center (NSAC) generates an authentication vector after receiving, from a user terminal (UT), UT information including subscription information and multi-access information of the UT; after receiving an authentication request including authentication information from the NSAC, the UT performs authentication on the network side, generates keying material and network side authentication information (NSAI) upon successful authentication, and sends the NSAI to the NSAC, which performs authentication on the NSAI using the authentication vector, generates keying material according to the multi-access information of the UT upon successful authentication, and informs an access forwarding functional module (AFFM) of the keying material; the AFFM encrypts and decrypts access service information of the UT according to the keying material.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: February 3, 2015
    Assignee: ZTE Corporation
    Inventors: Hongyan Wang, Yinxing Wei, Yifeng Bi
  • Patent number: 8949975
    Abstract: Data are accessed securely in a data storage device that includes a non-volatile solid-state storage device integrated with a magnetic storage device. An identical copy of drive security data, such as an encrypted version of a drive access password, is stored in both the non-volatile solid-state storage device and in the magnetic storage device. In response to receiving a command from a host device that results in access to the magnetic storage device, access is granted to the magnetic storage device if the copy of drive security data stored in the non-volatile solid-state storage device matches the copy of drive security data stored in the magnetic storage device. Furthermore, encrypted drive-unique identification data associated with the drive may be stored in both the non-volatile solid-state storage device and the magnetic storage device, and access is granted if both copies of the encrypted drive-unique identification data match.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: February 3, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Annie Mylang Le, Yichang Chan
  • Patent number: 8949615
    Abstract: An information processing apparatus includes an accepting unit, a memory, an activating unit, and a controller. The accepting unit accepts first key information and second key information. The first key information includes performance information representing a performance and an identifier for identifying a device. The second key information includes the performance information and temporary use permission information. The memory stores the performance information in the first key information if the first key information is accepted and if the identifier is a predetermined identifier, and stores the temporary use permission information and the performance information in the second key information if the second key information is accepted. The activating unit activates the device with the performance represented by the performance information.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: February 3, 2015
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Hiroshi Shida
  • Patent number: 8949879
    Abstract: Personalized access controls associated with digital media are provided. The system records access controls associated with specific digital media assets in a digital library and creates policy decisions regarding use of the asset based on these settings. Data management for the access controls is also specified, including on an individual and group basis.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: February 3, 2015
    Assignee: Media IP, LLC
    Inventors: Joseph Zipperer, Steven King, Valiant Seu
  • Patent number: 8949943
    Abstract: A third-party can subscribe to one or more electronic message group lists without joining the group lists by creating a trust relationship between the subscriber and a group list member. In particular, the subscriber can send a trust indicator to the group member, who can then determine whether to accept the trust indicator for all or specific groups that are associated with the group member, as appropriate. In at least one embodiment, the group member can send a trust indicator acceptance message to the subscriber that identifies the group member, and any or all group lists associated with the group member. The subscriber can then receive messages directed to the trusted group member or group lists, and can send group messages to the group lists subject to a receive setting associated with the group lists or group members of the group lists.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: February 3, 2015
    Assignee: Facebook, Inc.
    Inventor: Richard A. Landsman
  • Patent number: 8949954
    Abstract: A network security system includes a server configured to receive an access request via a network from a remote computing device, a database storing customer account information accessible by the server, and memory accessible by the server and storing a customer notification program. When executed by the server, the program identifies the remote computing device by a device fingerprint and requesting location, determines whether the device fingerprint matches any authorized device fingerprints stored in the database and sends, responsive to a mismatch between the device fingerprint and the authorized device fingerprints, a notification of the request to a customer-specified address. The notification indicates the request, the identity of the remote computing device, and the requesting location. The program may resolve the request responsive to a reply to the notification from the customer-specified address.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: February 3, 2015
    Assignee: Uniloc Luxembourg, S.A.
    Inventor: Craig S. Etchegoyen
  • Patent number: 8943560
    Abstract: Techniques to manage digital telephones are described. An apparatus may comprise a digital telephone management component having a telephone interface module operative to receive security information in the form of a personal identification number (PIN) for an operator or device. The digital telephone management component may also comprise a telephone security module communicatively coupled to the telephone interface module, the telephone security module operative to receive encrypted security credentials from a computing device, and decrypt the encrypted security credentials with the PIN. The digital telephone management component may further comprise a telephone authentication module communicatively coupled to the telephone security module, the telephone authentication module operative to authenticate the digital telephone using the security credentials. Other embodiments are described and claimed.
    Type: Grant
    Filed: May 28, 2008
    Date of Patent: January 27, 2015
    Assignee: Microsoft Corporation
    Inventors: Anton Krantz, Rajesh Ramanathan, Adrian Potra
  • Patent number: 8943309
    Abstract: A server receives a request from the client. The request includes a cryptographically protected object that includes a respective user identifier and validation value. When the respective user identifier is valid, the validation value fails a first requirement in a predefined manner, and a count of consecutively received cryptographically protected objects whose validation value has failed the first validation requirement is less than a threshold value that is greater than one, the server returns to the client a response to the request in accordance with the respective user identifier, the response including an updated cryptographically protected object that includes the respective user identifier and an updated validation value, and updates the count. When the respective user identifier is valid, the validation value fails a first requirement in the predefined manner, and the count is equal to or exceeds the threshold value, the server performs a predefined remedial action.
    Type: Grant
    Filed: December 12, 2006
    Date of Patent: January 27, 2015
    Assignee: Google Inc.
    Inventors: Marius Schilder, Robert C. Pike, Andrew B. Fikes, Michael Burrows
  • Patent number: 8942719
    Abstract: A method, system, and medium are provided for locating a lost mobile device utilizing a radio frequency signal associated with the lost mobile device. One embodiment of the method includes activating a signal on a lost mobile device. An identifier associated with the lost mobile device allows a locating mobile device to receive the signal from the lost mobile device and filter out interference. The strength of the signal is determined and a location of the lost mobile device is communicated to a user based on the strength of the signal.
    Type: Grant
    Filed: September 8, 2010
    Date of Patent: January 27, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Caleb Sisson Hyde, Andrew Mark Wurtenberger, Clark Douglas Halferty
  • Patent number: 8943575
    Abstract: A method and system for managing access to resources on a secured network is disclosed. The method includes reading packet information in respective packets of a packet communication received at a security node and applying one of the plurality of access rules. The method also includes determining whether the security node is to block the respective packets and/or the packet communication from reaching a resource on the secured network based on the applied access rule. If the security node is to block the respective packets and/or the packet communication, it is determined whether the applied access rule is a simulated access rule. Responsive to the applied access rule being a simulated access rule, the respective packets and/or the packet communication are passed towards the resource on the secured network and a log event is generated that indicates the security node blocked the respective packets and/or the packet communication.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Srinivas Kumar, Vijayashree S. Bettadapura
  • Patent number: 8943563
    Abstract: A system and method is presented for authentication, so as to control access to a resource. A set of objects (for example, a set of images) is established in advance between the user and the service for which the user is to be authenticated. During the authentication, the user, instead of inputting an alpha-numeric password, will be sent several sets (e.g., tables) containing the previously specified objects (e.g., images) in some arrangement (e.g., spatial pattern) among other objects (images). In order to authenticate, the user is shown additional tables, and must determine, as to each, whether it contains the same set of specified objects in the same spatial relationship as in the first table shown. After the user has correctly identified which tables reflect the specified objects in the requisite pattern, the user will be considered authenticated, and will then be granted access to the requested resource (for example, a bank account).
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: January 27, 2015
    Inventor: Veronika Orlovskaya
  • Publication number: 20150026479
    Abstract: In accordance with the embodiments of the present invention, the biometric information created for biometric authentication is available for a predetermined time after it was acquired. In addition, the authentication processing is performed on the biometric information useful for a predetermined time after the biometric information was acquired when authenticating it. Therefore, the authentication processing can be normally performed on only the biometric information that is acquired immediately when it is necessary for the user to do the financial transaction or individual authentication.
    Type: Application
    Filed: December 24, 2013
    Publication date: January 22, 2015
    Applicant: SUPREMA INC.
    Inventors: Jinwook Yi, Bong Seop Song, Jae Won Lee
  • Patent number: 8938248
    Abstract: A cellular network system comprises a device identifier comparator and a connection enable indicator. A device identifier comparator for comparing a received device identifier with one of a plurality of stored device identifiers, wherein the one of the stored plurality of stored device identifiers is associated with a stored subscriber identifier. A connection enable indicator for indicating whether a connection from a cellular device associated with the received device identifier to a data network associated with the cellular network system should be enabled.
    Type: Grant
    Filed: February 3, 2014
    Date of Patent: January 20, 2015
    Assignee: Jasper Technologies, Inc.
    Inventors: Amit Gupta, Carl Keller, Jahangir Mohammed, Suparna Kumar
  • Patent number: 8938615
    Abstract: An authenticated RFID system is provided that uses elliptic curve cryptography (ECC) to reduce the signature size and read/write times when compared to traditional public key implementations such as RSA. Either ECDSA or ECPVS can be used to reduce the signature size and ECPVS can be used to hide a portion of the RFID tag that contains sensitive product identifying information. As a result, smaller tags can be used or multiple signatures can be written at different stages in a manufacturing or supply chain. A key management system is used to distribute the verification keys and aggregate signature schemes are also provided for adding multiple signatures to the RFID tags, for example in a supply chain.
    Type: Grant
    Filed: September 10, 2007
    Date of Patent: January 20, 2015
    Assignee: Ceritcom Corp.
    Inventors: Brian Neill, Anthony J. Walters, Randy Tsang
  • Patent number: 8938810
    Abstract: Mobile devices may often communicate with network (“cloud”) services that require an account. Because it may be undesirable to require user interaction when creating an account, it may be desirable to create an account associating a mobile device to a network service without requiring a user to explicitly enter authentication information, such as a username and password. In an embodiment, data corresponding to a mobile device is obtained to generate authentication information which is then sent to a messaging address of a user. In another embodiment, in response to an event, a mobile device obtains an identifier for a user, sends the identifier to a server, where the server transmits one set of authentication information to a messaging address associated with the user and another set of authentication information to the device.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: January 20, 2015
    Assignee: Lookout, Inc.
    Inventors: David Richardson, Kevin Mahaffey, Jonathan Grubb
  • Patent number: 8931058
    Abstract: Systems and methods disclosed allow a permitting party to share personal information with a receiving party. The receiving party may use the information to authenticate the permitting party, assess the permitting party, determine if the permitting party is compatible with one or more other users associated with the receiving party, or validate the permitting party. The permitting party may define how much of the permitting party's personal information is shared, and/or limit the use of the information for one or more specific purposes. A requesting party may also set up criteria for the types of information it wants to review along with the intended use of the information. The systems and methods disclosed also enable permitting parties to grant requesting parties access to requested information.
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: January 6, 2015
    Assignee: Experian Information Solutions, Inc.
    Inventors: Christer J. DiChiara, Kristin M. LeFevre, Randall P. Mitchum, Bryan David Wresinski
  • Patent number: 8930704
    Abstract: A digital signature method, a method for initializing a digital signature scheme, a system for digitally signing a message and a computer program product are described. At least the digital signature method involves a signer having a weak security parameter. The signer retrieves a cryptographic element from each of a plurality of computing entities. Each cryptographic element is a function of a commitment supplied by the signer and the commitment includes a cryptographic function of a weak security parameter provided by the signer. A strong cryptographic security parameter is generated using a plurality of said elements. A message is then signed according to the digital signature scheme using the strong cryptographic security parameter to generate a digital signature.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: January 6, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Liqun Chen
  • Patent number: 8931071
    Abstract: Systems and methods for integrating biometric authentication with video conference sessions are described. An individual seeking to participate in a video conference may first be identified with a biometric parameter such as an iris scan based on a comparison of the scanned iris with a database of stored parameters. If authorized, the system may connect the individual to the video session. In addition, the system may generate dynamic tags that allow the participants to identify and locate individuals in the video conference. For example, if one of the participants is speaking and moving within the room, her tag may change color and move with her on the video screen.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Bank of America Corporation
    Inventors: Kurt D. Newman, Debashis Ghosh, Michael James O'Hagan, David Joa, Timothy J. Bendel
  • Patent number: 8925046
    Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: December 30, 2014
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Fumihiko Kozakura
  • Patent number: 8924733
    Abstract: A method, apparatus, and computer program product for accessing a device. The device receives a key from an operating system in response to the device in a locked state being connected to a data processing system after the operating system for the data processing system is running. The device compares the key received from the operating system with a set of keys stored in the device. The key is based on a system identifier for the data processing system and a password. The device determines whether a match is present between the key and the set of keys. The device changes the device from the locked state to an unlocked state in response to a determination that the match is present.
    Type: Grant
    Filed: June 14, 2010
    Date of Patent: December 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Barry Alan Kritt, Douglas Alan Law, Juan F. Vargas
  • Patent number: 8924726
    Abstract: An improved technique involves generating an encoded representation of encrypted forms of a message which includes an institution's digital signature derived from the message. The institution sends the encoded representation to the user's computer. The user transfers an image of the encoded representation from the user's computer to a separate hand-held device. The user then derives the encrypted forms of the message and the institution's digital signature by decoding the image on the hand-held device; the user then decrypts the encrypted forms of the message and the institution's digital signature on the hand-held device. The user then sees the message without interference from an intrusive agent in a MitB attack. Further, the user can verify the institution's identity as the sender of the message by being able to validate the institution's digital signature. In this way, a MitB attack is very likely to be made apparent to the user.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: December 30, 2014
    Assignee: EMC Corporation
    Inventors: Roy Hodgman, Daniel Hassan
  • Patent number: 8924734
    Abstract: A key for entering computer related passwords via a mnemonic combination includes an electronic key with a communication means, a computer program, a storage unit, and a user interface. The communication means is for communicating with a computer device, where the computer device recognizes the electronic key as a human input device. The computer program is for creating a password and a mnemonic combination associated with the password. The storage unit is for storing the password and the mnemonic combination associated with the password. The user interface is for allowing a user to enter the mnemonic combination into the electronic key. When the user enters the mnemonic combination into the user interface, the electronic key communicates the password associated with the mnemonic combination to the computer device as a human input device.
    Type: Grant
    Filed: December 7, 2011
    Date of Patent: December 30, 2014
    Assignee: Synaptilogix LLC
    Inventor: Matthew Riell
  • Patent number: 8918852
    Abstract: A method of authenticating a user using a server and an image forming apparatus using the same, the method including: transmitting, from an image forming apparatus to a first server that functions as an authentication server, user authentication information; determining if the first server authenticates the user based on the user authentication information; and transmitting, to a second server that processes image data, the user authentication information if the first server authenticates the user, wherein the second server authenticates the user based on the transmitted user authentication information authenticated by the first server. Thus, the user of the image forming apparatus can be automatically authenticated by the second server by authenticating the user on the first server.
    Type: Grant
    Filed: August 1, 2013
    Date of Patent: December 23, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Woo-yeon Jang
  • Patent number: 8918652
    Abstract: A system and method for BIOS and controller communication is provided herein. The system may include an information handling system that includes a central processing unit coupled to a memory. The memory may contain a basic input/output system (BIOS). The information handling systems may also include a controller coupled to a nonvolatile memory and a register coupled to the central processing unit and the controller. The controller may be operable to store a key in the nonvolatile memory; write the key to the register in response to a signal from the BIOS; receive a command from the BIOS; verify the command is from the BIOS using the key; and execute the command if the command is from the BIOS.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: December 23, 2014
    Assignee: Dell Products L.P.
    Inventors: Alok Pant, James Walker, Loren Fredlund
  • Patent number: 8918890
    Abstract: A URL, to launch a license contract registration process, in software which requires license registration is informed to a license contract information input server which executes a process of inputting information necessary for license registration. After input of the necessary information, the license contract information input server transfers a request for license registration to the informed URL. The information necessary for license registration is inputted in accordance with a format arbitrarily created by the license contract information input server. A Web browser used by a user to operate a license contract registration process and license management target software can run on different hosts. After distribution of the target software for a license contract, information to be input by the user at the time of license contract can be changed.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: December 23, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Toshiyuki Nakazawa