System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
  • Patent number: 8848570
    Abstract: A system including a user interface circuit, a classifier, a counter, and an action circuit. The user interface circuit is configured to receive a user input establishing a rule, wherein the rule describes (i) a characteristic of an event, and (ii) an action to initiate in response to a predetermined threshold being met. The classifier is configured to identify, based on the characteristic described in the rule, events that have the characteristic in a network device. The counter is configured to count a number of the events that have the characteristic in the network device as identified by the classifier. The action circuit is configured to initiate the action described in the rule in response to the number of the events meeting the predetermined threshold in the rule.
    Type: Grant
    Filed: November 6, 2012
    Date of Patent: September 30, 2014
    Assignee: Marvell International Ltd.
    Inventor: Michael Orr
  • Patent number: 8844011
    Abstract: A method of enabling users of a third party Internet service, who are not necessarily subscribers of an IP Multimedia Subsystem, IMS, network, to access services provided by the IMS network. The method comprises registering a user with said third party Internet service via the Internet using an Internet service identity of the user, and sending to the user, from said third party Internet service and via the Internet, IMS network access information. The access information is then used to register the user with the IMS network, wherein, following IMS registration, the user is able to access IMS network services.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: September 23, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Hubert Przybysz, Bo Åström, John C Baldwin, Jonas Falkenå
  • Patent number: 8844003
    Abstract: Preference data is received. The received preference data is compared to stored preference data associated with a user with which the received preference data is associated. A determination is made whether to authorize an action based at least on the comparison. The preference data is received as a selection.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: September 23, 2014
    Assignee: RavenWhite Inc.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 8843758
    Abstract: Techniques involving migrating authenticated content on a network towards the consumer of the content. One representative technique includes a network node receiving an encrypted seed having at least a location of the user data at a network service that stores the user data, and a cryptographic key to access the user data. The seed is received in response to a user login attempt to the network service. The user data is requested from the location using at least the received cryptographic key. The method further includes receiving and storing the user data at the network node, where the network node is physically closer to a location of the user than is the location of the network service. If the user is successfully authenticated, user access is provided to the stored user data at the network node rather than from the network service.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Baskaran Dharmarajan, Andy Chin, Aladdin A. Nassar
  • Patent number: 8844022
    Abstract: Certain aspects of a method and system for allowing system-on-chip individual I/O control to be disabled and enabled by programmable non-volatile memory are disclosed. Aspects of one method may include mapping at least one bit of a control vector within a security processor comprising a non-volatile memory to each of a plurality of on-chip I/O physical buses. At least one of the plurality of on-chip I/O physical buses may be enabled or disabled by modifying the mapped bit or bits of the control vector.
    Type: Grant
    Filed: November 9, 2006
    Date of Patent: September 23, 2014
    Assignee: Broadcom Corporation
    Inventors: Iue-Shuenn Chen, Xuemin Chen
  • Patent number: 8843754
    Abstract: This invention discloses a system for determining whether a purported or alleged authorized user is in fact the authorized user, by comparing new data on a real-time basis against probability distribution representations including an authorized user probability distribution representation and a global or wide population probability distribution representation, to provide a probability as to whether the purported authorized user is the authorized user. This invention may utilize keyboard dynamics or data, or X-Y device data, or other data from similar measurable characteristics, to determine the probability that the new data from the purported authorized user indicates or identifies that user as the authorized user. This invention identifies the user continuously as the user interacts with the system and to identify a change in situation in the environment of the user.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: September 23, 2014
    Assignee: Identity Metrics, Inc.
    Inventors: Herbert Lewis Alward, Timothy Erickson Meehan, James Joseph Straub, III, Robert Michael Hust, Erik Watson Hutchinson, Michael Patrick Schmidt
  • Patent number: 8844004
    Abstract: Various embodiments herein include at least one of systems, methods, and software to receive and process credential requests for remote support of computer applications. One embodiment includes receiving a credentials request in a first environment from a second environment in response to an incident in the first environment. This embodiment further includes processing the received credentials request within the first environment by approving the request, activating credentials, and sending the credentials to the second environment. This embodiment may further include receiving, within the first environment, a message indicating the incident is resolved and deactivating the credentials.
    Type: Grant
    Filed: October 29, 2010
    Date of Patent: September 23, 2014
    Assignee: SAP AG
    Inventors: Klaus Dickgiesser, Gunter Hoffelder, Wolfram Bonheim, Thorsten Burkert, Andreas Wolber
  • Patent number: 8844025
    Abstract: Example embodiments disclosed herein relate to a storage device. The storage device may include a mechanism that monitors for receipt of cached authentication data from a host computing device upon resuming operation from a standby mode of the host computing device. The storage device may further include a mechanism that unlocks the storage device in response to receipt of the cached authentication data from the host computing device. In addition, the storage device may include a mechanism that monitors for receipt of re-authentication data and a mechanism that locks the storage device when a predetermined period of time has passed since resuming operation from the standby mode without receipt of the re-authentication data. Related computing devices, methods, and machine-readable storage media are also disclosed.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: September 23, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Leonard E. Russo, Lan Wang, Jennifer E. Rios
  • Patent number: 8842307
    Abstract: Print data including a provisional registration command is received. When the print data including the provisional registration command is received, an authentication code is obtained. The authentication code is stored in a user information DB. Provisional registration data is obtained from the user information DB. Then, a list of provisional registration data is displayed. It is determined whether the provisional registration data is selectively input or not. If the provisional registration data is selectively input, user information in which IC card information or biological information and the authentication code are associated with each other is transmitted to an authentication server. The authentication server executes a process of registering the received user information.
    Type: Grant
    Filed: June 25, 2009
    Date of Patent: September 23, 2014
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Toshihiro Maeda
  • Publication number: 20140281561
    Abstract: A method for registering a computing device to a user account using at least one user-selected fingerprintable device externally accessible to the computing device including transmitting a registration information request to the computing device, receiving at least one device fingerprint of the at least one user-selected fingerprintable device accessible by the computing device, and primary identification data of the computing device, generating a skeleton key, recording the primary identification data, and associating the skeleton key and the primary identification data with the user account.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: Uniloc Luxembourg, S.A.
    Inventors: Craig S. ETCHEGOYEN, Dono HARJANTO
  • Patent number: 8838986
    Abstract: Invoking a computer implemented service includes receiving a request from a first user to access a service associated with a second user. The request is associated with a security token for the first user and an identity token for the second user. The acceptability of the security token is determined to authenticate the first user, and the acceptability of the identity token is determined to securely identify the second user. The first user is able to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: September 16, 2014
    Assignee: Google Inc.
    Inventor: Conor P. Cahill
  • Patent number: 8839398
    Abstract: A security token access device, a user device such as a computing device or communications device, and a method for managing multiple connections between multiple user devices and the access device. The access device maintains connection information, including security information, for each user device securely paired with the access device. Each time a new user device is paired with the access device, the access device transmits a notification to the user devices already paired to the user device. A user may provide instructions to the access device to terminate a pairing with one of the user devices by overwriting at least a portion of the connection information associated with the designated user device. A user device may further request a listing of all user devices currently paired with the access device.
    Type: Grant
    Filed: January 16, 2012
    Date of Patent: September 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Herbert Anthony Little
  • Patent number: 8839453
    Abstract: Mobile devices provide security based on geographic location. With such a technique, a mobile device may automatically check its current location against geographic information as to the location(s) in which it is permitted to operate. When the user attempts access to the device, the mobile device will prompt the user for his/her credential only if the geographic location matches an allowed location. The user gains access then by inputting information corresponding to the credential, e.g. username and password, of a valid user. In the examples, if the geographic location does not match an allowed location, the mobile device provides a warning to the user, and the user is not allowed to enter any credential information. Optionally, the mobile device may send an alert message about the device being taken outside a specified boundary, e.g. to report the situation to other personnel.
    Type: Grant
    Filed: April 12, 2010
    Date of Patent: September 16, 2014
    Assignee: Cellco Partnership
    Inventor: Kumar Sanjeev
  • Patent number: 8838967
    Abstract: The Internet is becoming an essential part of our lives. This trend is even stronger with the rise of cell phones having Internet access that almost the entire population carries with them at all times. Security is a huge problem on the Internet, however, and new authentication methods are needed specifically for cell phones. Presented here is a method of identifying a mobile electronic device by its configuration settings, potentially including contact list information. This invention, in particular, fills a crucial need to secure access to the Internet from mobile phones.
    Type: Grant
    Filed: April 14, 2011
    Date of Patent: September 16, 2014
    Assignee: Digital Proctor, Inc.
    Inventors: Andrew Jesse Mills, Shaun Sims
  • Patent number: 8838985
    Abstract: A method and apparatus which ensures that static data entered into a communications device or apparatus is accurate, or at least consistent with data provided to an authentication service. In some embodiments of the invention, the authentication service may maintain a database of static data associated with each communications apparatus and/or verify the validity of at least a portion of the static data.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: September 16, 2014
    Assignee: Vesper Marine Limited
    Inventor: Jeffrey M. Robbins
  • Publication number: 20140258727
    Abstract: A method and apparatus wherein the method includes the steps of generating a globally unique identifier (GUID) for a security system appliance, saving a public key and private key of the security system appliance in a memory of the security system appliance, a manufacturer of the security system appliance generating a signed version of the GUID and the public key, saving the signed version of the GUID and public key in the memory of the security system appliance, the security system appliance sending a registration message including the signed version of the GUID and public key to a security system server and the security system server authenticating the security system appliance using the signed version of the GUID and public key of the security system appliance and a public key of the manufacturer.
    Type: Application
    Filed: March 8, 2013
    Publication date: September 11, 2014
    Applicant: Honeywell International Inc.
    Inventors: Thomas Paul SCHMIT, John Robert Probin, Tom Richard Markham, Mark H. Schmidt, Jean U. Millien, Kerry Warren Podolsky
  • Patent number: 8832788
    Abstract: A server computing system receives a request to authenticate the identity of a user. The user may wish to perform an action that requires the user's identity to first be verified. In response to the request, the server computing system automatically contacts trusted associates that are listed in policy data for the user and determines whether the trusted associates validate the identity of the user. The server computing system provides one-time passwords to the user for the trusted associates that have validated the identity of the user. Subsequently, the user can combine the one-time passwords to form an authentication password, which can be used to determine whether the user is allowed to perform the action.
    Type: Grant
    Filed: November 1, 2011
    Date of Patent: September 9, 2014
    Assignee: Symantec Corporation
    Inventors: Douglas E. Gibson, Keith Newstadt
  • Patent number: 8832452
    Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: September 9, 2014
    Assignee: Intel Corporation
    Inventors: Simon P. Johnson, Vincent R. Scarlata, Willard M. Wiseman
  • Patent number: 8832825
    Abstract: A method for locally authenticating a vehicle diagnostic tool with a vehicle using a challenge-response authentication scheme includes: receiving a pairing request from the vehicle diagnostic tool; presenting a user with a challenge through at least one of an audio system and an LCD display associated with the vehicle; receiving a response to the challenge from a user; and authenticating the vehicle diagnostic tool if the response from the user is identical to an expected response.
    Type: Grant
    Filed: November 29, 2012
    Date of Patent: September 9, 2014
    Assignee: GM Global Technology Operations LLC
    Inventor: John J. Cicala
  • Patent number: 8832441
    Abstract: A mobile terminal includes a near-field communication device capable of performing near-field wireless communication with an external device, and a controller configured to instruct the external device or the near-field communication device to execute a command. The near-field communication device has a storage unit, a first mutual authentication unit for authenticating the controller and for requesting the controller to authenticate the near-field communication device, a first communication key setting unit for setting a first communication key, a second mutual authentication unit for authenticating the external device and for requesting the external device to authenticate the near-field communication device, and a second communication key setting unit for setting a second communication key.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: September 9, 2014
    Assignee: FeliCa Networks, Inc.
    Inventors: Taro Kurita, Toshiharu Takemura
  • Patent number: 8832810
    Abstract: Methods, systems, and products authenticate a user to a device. A user selects or submits a media file for authentication. Features in the media file are compared to a set of criteria for authentication. The number of matching criteria that are within a range of values for each criterion in the set of criteria is determined. The number of matching criteria is compared to a threshold value. When the number of matching criteria equals or exceeds the threshold value, then the user that selected or submitted the media file is authenticated.
    Type: Grant
    Filed: July 9, 2010
    Date of Patent: September 9, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: William Roberts Cheswick, David Kormann
  • Publication number: 20140250304
    Abstract: A system configured to authenticate a user for encryption or decryption includes a user authentication apparatus, a computer-readable medium operable to communicate with the user authentication apparatus, and an encryption and decryption computer communicating with the user authentication apparatus. The computer-readable medium may store user identifying information and encryption and decryption data. The encryption and decryption computer may be configured to receive an application programming interface (API) for interfacing with the user authentication apparatus and receive the user identifying information from the computer-readable medium via the API. A user may be authenticated based on the user identifying information and, once the user is authenticated, the encryption and decryption data may be read.
    Type: Application
    Filed: May 14, 2014
    Publication date: September 4, 2014
    Applicant: MAZ ENCRYPTION TECHNOLOGIES LLC
    Inventor: Stephen Zizzi
  • Patent number: 8826374
    Abstract: A method and apparatus for processing an electronic document in a secure manner is provided. A scanner may verify that the configuration state of a file server has not changed since a prior configuration state by issuing a request to a security server. The security server may process the request to determine whether the configuration state of the file server has changed since the file server was registered with the security server. The security server may also verify that the scanner issued a request to store an electronic document using a file server or that the file server received the request. A storage medium of a file server may be protected against unauthorized removal of the storage medium by storing, separate from the storage medium, a password required to access the storage medium, and when the file server is powered on, the password is provided to the storage medium.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: September 2, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Brian Smithson
  • Patent number: 8826030
    Abstract: A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction, inputting information in a workstation, and determining whether the inputted information is known. Moreover, the method includes determining a state of a communications device when the inputted information is known, and transmitting a biometric authentication request from a server to a workstation when the state of the communications device is enrolled. Additionally, the method includes obtaining biometric authentication data in accordance with a biometric authentication data capture request with the communications device, biometrically authenticating the user, generating a one-time pass-phrase and storing the one-time pass-phrase on the authentication system when the user is authenticated, comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase, and conducting the transaction when the transmitted and stored one-time pass-phrases match.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: September 2, 2014
    Assignee: Daon Holdings Limited
    Inventors: Conor Robert White, Michael Peirce, Jason Scott Cramer, Chet Bradford Steiner, Suzanna Diebes
  • Patent number: 8826406
    Abstract: The present invention relates to a password security input system which performs authentication through input of a security password key which is obtained by applying a shift value to an actual password key, and a password security input method thereof.
    Type: Grant
    Filed: January 31, 2011
    Date of Patent: September 2, 2014
    Inventors: Kyu Choul Ahn, Yoon Ha Ahn
  • Patent number: 8826028
    Abstract: According to one general aspect, a method may include accessing a service via a computer. The computer may be coupled to a programmable human input device. The programmable human input device may be configured to directly receive user input from a human user and store at least one encryption key. The method may include encrypting, by the programmable human input device, user confidential input using an encryption key associated with the service and stored within the programmable human input device. The method may also include transmitting the encrypted user confidential input to the service via the computer, wherein the computer is not configured to determine the unencrypted user confidential input from the encrypted user confidential input.
    Type: Grant
    Filed: November 12, 2010
    Date of Patent: September 2, 2014
    Assignee: Google Inc.
    Inventor: Marcos Boyington
  • Patent number: 8826029
    Abstract: Providing registration for password/challenge authentication includes receiving an access code or pattern inputted by a user, recording a time message associated with each component of the access code or pattern via a processor, generating a data record in combining each component of the access code or pattern with the associated time message, and storing the data record.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: September 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yun-Ling Hilary Cheng, William Hsin-Wei Fu, Min-Tsung Wu, Tony Ping-Chung Yang
  • Patent number: 8826417
    Abstract: A processor-based system, including systems without keyboards, may receive user inputs prior to booting. This may be done using the graphics controller to generate a window which allows the user to input information. The system firmware may then compare any user inputs, such as passwords, and may determine whether or not to actually initiate system booting.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: September 2, 2014
    Assignee: Intel Corporation
    Inventors: Wah Yiu Kwong, Wayne L. Proefrock
  • Patent number: 8826422
    Abstract: Methods, systems, and computer program products for detecting fraudulent message service message traffic are disclosed. According to one method, message service messages are monitored. It is determined that the message service message traffic indicates that the message service message traffic is fraudulent based on detection of at least one of: 1) message service message traffic received at a first network from a second network, where the traffic includes at least one message with an SCCP calling party address internal to the first network, 2) a volume of message service message traffic received at the first network from the second network that exceeds the volume of message service message traffic sent by the first network to the second network by a threshold amount, and 3) message service message traffic that is sent to a dark number. In response to detecting fraudulent message service message traffic, a mitigating action is performed.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: September 2, 2014
    Assignee: Tekelec Global, Inc.
    Inventor: Travis E. Russell
  • Patent number: 8819788
    Abstract: There is provided a system and method of selectively directing collected security data that may be displayed concurrently at a first security station and at a supervisor station, and providing a communication link between such first security station and such supervisor station so that a supervisor may assist a security operator in the evaluation of the collected security data and in making a decision about such collected data. There is further provided a system and method of determining the height of a part of a body by capturing an image of such part with a camera at a known height and known distance from such body, computing an angle of a horizontal line from a lens of such camera and a line from such camera to such part of such body, and calculating the distance between the height of such camera and the height of such part of such body.
    Type: Grant
    Filed: October 21, 2003
    Date of Patent: August 26, 2014
    Assignee: Clearone Communications Hong Kong, Limited
    Inventors: Yair Shachar, Isac Winter, Andi Forsthofer
  • Patent number: 8819443
    Abstract: A storage device comprises a non-volatile storage media and a processor that is operative to receive, via an interface with one or more host devices, a first entered password needed for accessing data stored in the non-volatile storage media, generate a first number, combine the first entered password and the first number, generate a cryptographic key based on the combination of the first entered password and the first number, encrypt the received first entered password using the cryptographic key, and store the encrypted first entered password and the first number in the non-volatile media. The processor may be further operative to receive a request for authentication; provide a reply comprising the first number; receive a second number calculated based on a cryptographic combination of the first number and a second entered password, and authenticate the host device if the second number successfully decrypts the encrypted first entered password.
    Type: Grant
    Filed: February 14, 2012
    Date of Patent: August 26, 2014
    Assignee: Western Digital Technologies, Inc.
    Inventor: James S. Lin
  • Patent number: 8819802
    Abstract: A method includes receiving user input including a user password while an authentication token is retained at a first position in an authentication token receiver of an authentication token reader by an insertion force applied to the authentication token by a user. The authentication token reader includes a bias member that applies an ejection force to the authentication token while the authentication token is at the first position. The method also includes reading authentication data from a memory of the authentication token while the authentication token is retained at the first position by the insertion force applied to the authentication token by the user. The method also includes authenticating the user based on the authentication data.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: August 26, 2014
    Assignee: The Boeing Company
    Inventor: Douglas D. Corlett
  • Patent number: 8819437
    Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Craig Henry Wittenberg, Christian Paquin, Rushmi U. Malaviarachchi
  • Patent number: 8817986
    Abstract: A system enables intermediary communication components to carry out cross enterprise communication. At a first sending enterprise the system comprises: a processor executing code to: receive a signed encrypted message from a sender within a first enterprise; validate the sender; decrypt the message; encrypt the message for receipt by a second enterprise; sign the encrypted message by the first enterprise; and send the re-signed re-encrypted message to a second enterprise. At the second receiving enterprise, the system comprises a processor executing code to: receive a signed encrypted message from a first enterprise; validate that the first enterprise is the sender; decrypt the message; encrypt the message for receipt by recipients at the second enterprise; sign the encrypted message by the second enterprise indicating that the message is from the first enterprise; and send the re-signed re-encrypted message to the recipients of the second enterprise.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: August 26, 2014
    Assignee: International Business Machines Corporation
    Inventors: Alan James Chatt, Christopher Colin Paice, Cyril Peter Stewart
  • Patent number: 8819794
    Abstract: Online and on-premise applications identify trusted authentication providers. The applications are configured with a list of trusted issuers of authentication credentials. When an application receives a request requiring authentication, the application returns a 401 response that includes the trusted issuer list. The requesting application compares the trusted issuer list from the 401 response to its own list of authentication providers. If there is a match between the two lists, then the requesting application creates a self-issued token for the authentication provider. The authentication provider uses the self-issued token to generate an authentication token for the requesting application. The requesting application may also directly create a token for a target partner application, without an authentication provider, if there is a direct trust between the two applications.
    Type: Grant
    Filed: January 19, 2012
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Vadim Eydelman, Brian Kress, Matthias Leibmann, Moustafa Noureddine, Lei Yu, Haibo Luo
  • Patent number: 8819448
    Abstract: A system and method for protecting information on a mobile device. The method and apparatus obtain a predetermined portion of asymmetric information upon an input of the asymmetric information in the mobile device; generate an identifier by using a first generating algorithm that uses the predetermined portion of the asymmetric information as an algorithm input; generate an encryption key by using a second generating algorithm that uses the predetermined portion of the asymmetric information as an algorithm input; generate ciphered information by using an encryption algorithm that uses the encryption key and the information as algorithm inputs; associate the identifier with the ciphered information; and store the ciphered information as associated with the identifier.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: August 26, 2014
    Assignee: Georgetown University
    Inventors: Ophir Frieder, Micah Sherr, Jordan Wilberding
  • Patent number: 8819849
    Abstract: A method for accessing a user's account by customer support without viewing the user's private data includes receiving, in an application module communicating with a web service, a request for authentication by a support person using a linked user-support login name. The method includes authenticating the user, authenticating the support person and retrieving a current session of the user as viewed by the user on an electronic screen of a processing device of the user. The method further includes dynamically redacting private data of the user from the user session to create a redacted user session, and delivering the redacted user session for display in an electronic screen of a processing device of the support person.
    Type: Grant
    Filed: February 20, 2012
    Date of Patent: August 26, 2014
    Assignee: Roche Diagnostics Operations, Inc.
    Inventors: Daniel P. Birtwhistle, Robert E. Reinke
  • Patent number: 8819780
    Abstract: The present invention provides an information processing system, an information processing apparatus, and an information processing method, capable of reducing a load of user authentication on a user, when a specific operation is performed using a plurality of apparatuses. In an embodiment of the present invention, an authentication server searches a device group corresponding to devices identified by device identification information transmitted to the authentication server, and searches a workflow. Subsequently, the authentication server judges whether or not a workflow in operation exists, and, if one exists, does not instruct password input but directly instructs device processing.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: August 26, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Koji Inose
  • Patent number: 8819793
    Abstract: A method includes receiving data related to an individual, the data comprising a plurality of elements of personally-identifying information (PII). The method further includes building, via the plurality of elements of the PII, a compositional key for the individual. In addition, the method includes storing the compositional key and a biometric print for the individual as a biometric record in a biometric repository. The method also includes, via the compositional key, providing a plurality of federated entity (FE) computer systems with access to the biometric repository.
    Type: Grant
    Filed: September 20, 2011
    Date of Patent: August 26, 2014
    Assignee: CSIdentity Corporation
    Inventor: Harold E. Gottschalk, Jr.
  • Patent number: 8819796
    Abstract: Security is improved as compared to the security of conventional authentication systems, only by requesting a user to perform operations involving the same number of operations as that of the conventional authentication systems. When login information is registered, an authentication system (1, 1A) accepts registration of a type of a login image that composes an authentication button for initiating user authentication. When displaying an authentication page that is used for user authentication, the authentication system (1, 1A) displays buttons including the authentication button composed of the login image and dummy buttons composed of other images. The authentication system (1, 1A) performs user authentication in a case in which an operation button selected by the user is the authentication button.
    Type: Grant
    Filed: June 13, 2011
    Date of Patent: August 26, 2014
    Inventor: Shoji Kodama
  • Patent number: 8819410
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: August 26, 2014
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Publication number: 20140237255
    Abstract: Examples disclose providing a decryption, validation and encryption process. Specifically, disclosure includes decrypting a first encrypted application data to then validate its integrity. Disclosure also includes encrypting the decrypted application data using a technique different from that used to provide the first encrypted application data and then storing the encrypted application data.
    Type: Application
    Filed: September 29, 2011
    Publication date: August 21, 2014
    Inventors: Robert Paul Martin, Roland M. Hochmuth
  • Patent number: 8811618
    Abstract: A ciphering key management technique for use in a WLAN receiver is provided where a hash table is stored that has a first and a second table portion. The first table portion stores transmitter address data and the second table portion stores at least one cipher key. It is determined whether a transmitter address matches transmitter address data in the first table portion, and if so, a corresponding cipher key stored in the second table portion is determined for use in decrypting the received data. The hash table technique allows for a fast search for the correct cipher key. Embodiments are described that allow for dynamically adding and removing keys without blocking the search.
    Type: Grant
    Filed: July 26, 2004
    Date of Patent: August 19, 2014
    Assignee: GLOBALFOUNDRIES Inc.
    Inventors: Ingo Kuehn, Uwe Eckhardt, Axel Wachtler, Falk Tischer
  • Patent number: 8812669
    Abstract: A device for generating a virtual network user that can be used, for data protection purposes, as a pseudonym by which a physical person or legal entity can gain access to the Internet and engage services that can be implemented via the network. The network user is defined by a freely specifiable combination of real and/or arbitrarily specifiable attributes. The input of these attributes into the network access device (PC) of the user activates a transformation system which facilitates the generation of the data flows that implement the virtual network user and that can be saved with the temporal sequence of the data flow in a storage device of the transformation system. An access system allocated to an independent authority is provided, which upon activation can initiate the readout of such data from a memory allocated to the storage device of the transformation system.
    Type: Grant
    Filed: July 20, 2011
    Date of Patent: August 19, 2014
    Assignee: Uniscon Universal Identity Control GmbH
    Inventors: Hubert Jaeger, Arnold Monitzer
  • Patent number: 8813185
    Abstract: A mechanism that allows a user to easily configure a rules engine to apply rules to decide which requests for access to a user's computer resources are to be granted and which are denied. A trusted token, such as a certificate of identity issued by a trusted third party authority that verifies identities of computer users, is included in a calling card object provided by the requesting user to the (server) computer that controls the resources desired by the requester. Additional conditions for access may be specified as desired by the user of the server computer.
    Type: Grant
    Filed: June 11, 2012
    Date of Patent: August 19, 2014
    Assignee: Apple Inc.
    Inventors: Leland A. Wallace, David M. O'Rourke
  • Patent number: 8812859
    Abstract: A method, comprising: acquiring candidate data in association with a request for accessing a resource, the candidate data comprising first data and second data; processing the first data with a first key in an attempt to effect decryption of the first data, thereby to obtain first processed data; processing the second data with a second key in an attempt to effect decryption of the second data, thereby to obtain second processed data; and granting the request if a pre-determined portion of the first processed data is derivable from the second processed data. The method may further comprise extracting from the first processed data a group identifier and the pre-determined portion of the first processed data, and effecting a comparison of the group identifier to a reference group identifier in order to conclude whether the first data has been successfully decrypted based on an outcome of the comparison.
    Type: Grant
    Filed: July 16, 2008
    Date of Patent: August 19, 2014
    Assignee: BCE Inc.
    Inventors: Tet Hin Yeap, William G. O'Brien
  • Patent number: 8812860
    Abstract: A computer-implemented method for protecting data stored on removable storage devices may include (1) identifying an attempt by a computing device to access encrypted data stored on a removable storage device and then, prior to allowing access to the encrypted data, (2) authenticating a user of the computing device by (a) obtaining security credentials from the user that include a time-synchronized authentication code generated by an external authentication device and (b) verifying the validity of the security credentials. Upon authenticating the user, the method may include allowing access to the encrypted data stored on the removable storage device. Various additional methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: August 19, 2014
    Assignee: Symantec Corporation
    Inventor: Ryan Bray
  • Patent number: 8812857
    Abstract: A method includes creating a smart card with an expiration date and renewing the smart card after the expiration date. The smart card may be created with data stored upon the smart card for use in the renewal process. The data may comprise a certificate. The smart card may be issued at the information technology department of an organization and may be renewed at a user workstation of the organization. The renewal process may include a renewal environment for authenticating the holder of the smart card. The card holder may be required to provide a personal identification number in order to enter into the renewal environment. The rights conferred by the renewed smart card may be more limited than the rights conferred by the original smart card, both in duration and access to data within the organization.
    Type: Grant
    Filed: February 21, 2013
    Date of Patent: August 19, 2014
    Assignee: Dell Products, LP
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Patent number: 8813216
    Abstract: A method and system for providing security to a Network Job Entry (NJE) network. A first NJE node and a third NJE node are connected by a second NJE node. The second NJE node conducts a security check of NJE packets traveling between the first and third NJE nodes. The security check performed by the second NJE node includes checking the userid of the person or job that sent the NJE packet, as well as the NJE data type. The NJE data type may be classified by the type of operation being performed, such as a batch job, sysout, command, message, as well as what application is being used. In one preferred embodiment, the security check includes checking the security level of the source of the data being transferred, such as a sensitive application. The security check can be based on the size of the data packet, such that excessively large data packets from a particular user are not permitted to be transmitted outside a secure NJE network.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: William Joseph Bloemeke, Reid Anthony Cashion
  • Patent number: 8812861
    Abstract: A method and system for protection of and secure access to a computer system or computer network. The method includes the steps of receiving a first login account identifier, such as a user name, from a user in communication with the computer system or network. A determination is made if the user is recognized and enrolled from the first login account identifier. If the user is recognized, a grid of randomly generated visual images is displayed including one visual image from an image category which has been preselected by the user upon enrollment. An image category identifier is randomly assigned to each visual image in the grid. An image category identifier, second login account identifier, such as a password, is entered and received. If the login account identifier and the image category are validated, access is permitted to the computer system or network.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: August 19, 2014
    Assignee: Confident Technologies, Inc.
    Inventors: Steven L. Osborn, Nicholas A. Davis, James L. Sontag, Joel Norvell