System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
-
Patent number: 11783017
Abstract: Computer systems and methods are provided for transmitting authorization information to an image capturing device. A computing system receives, from an image capturing device, captured image data that includes a first facial image and an image of a document that includes a second facial image. The first facial image and the second facial image are included in a single image frame. The captured image data is analyzed to determine a first portion of the captured image data that corresponds to the first facial image and a second portion of the captured image data that corresponds to the second facial image. The first portion of the captured image data is compared with the second portion of the captured image data. In accordance with a determination that the first facial image and the second facial image meet matching criteria, authorization information is transmitted to the image capturing device.
Type: Grant
Filed: March 8, 2021
Date of Patent: October 10, 2023
Assignee: Jumio Corporation
Inventors: Reinhard Hochrieser, Lukas Danzer, Lukas Bayer
-
Patent number: 11785007
Abstract: Methods, systems, and apparatuses are described herein for improving the accuracy of authentication questions using e-mail processing. A request for access to an account may be received from a user device. A plurality of organizations may be identified. One or more e-mails associated with the account may be identified. The e-mails may be processed to identify one or more organizations that correspond to transactions conducted by a user. A modified plurality of organizations may be generated by removing, from the plurality of organizations, the one or more organizations. An authentication question may be generated and provided to the user device. A response to the authentication question may be received, and the user device may be provided access based on the response.
Type: Grant
Filed: May 7, 2021
Date of Patent: October 10, 2023
Assignee: Capital One Services, LLC
Inventors: Viraj Chaudhary, Vyjayanthi Vadrevu, Tyler Maiman, David Septimus, Samuel Rapowitz, Jenny Melendez, Joshua Edwards
-
Patent number: 11783070
Abstract: Sensitive information can be managed using a trusted platform module. For example, a system can encrypt target information using a cryptographic key to generate encrypted data. The system can also receive an encrypted key from a trusted platform module, where the encrypted key is a version of the cryptographic key that is encrypted using a public key stored in the trusted platform module. The system can then transmit the encrypted data and the encrypted key to a remote computing system, for example to store the encrypted data and the encrypted key on the remote computing system. Using these techniques, the target information may be secured and stored in remote locations.
Type: Grant
Filed: April 19, 2021
Date of Patent: October 10, 2023
Assignee: Red Hat, Inc.
Inventors: Ricardo Noriega De Soto, Michael Bursell, Huamin Chen
-
Patent number: 11770379
Abstract: The present disclosure relates to two-factor authentication with a Hardware Security Module (HSM). In response to a login attempt, the HSM indicates that two-factor authentication is required. To generate the second authentication factor, a management console is accessed using credentials. The management console generates the second authentication factor and provides the second authentication factor to the client. The client then provides the second authentication factor to the HSM to complete the two-factor authentication operations.
Type: Grant
Filed: June 13, 2022
Date of Patent: September 26, 2023
Assignee: Amazon Technologies, Inc.
Inventor: Benjamin Philip Grubin
-
Patent number: 11768819
Abstract: Systems, methods, and computer-readable media are disclosed for data unblocking in application platforms. An application platform may comprise a plurality of systems. A system may store data having a residence period. Upon expiration of the residence period, the data may be blocked from further processing. Data which is blocked may need to then be unblocked. Systems may be leading systems or dependent systems. Data unblocking may be triggered from the leading system to the dependent systems. At runtime, the dependent system may receive a trust token which may be used to verify a calling system as the leading system. If a data unblocking request is called from a dependent system, data unblocking may be prevented.
Type: Grant
Filed: February 24, 2022
Date of Patent: September 26, 2023
Assignee: SAP SE
Inventors: Yasra Shakil, Ashish Suri, Veena P, Naved Ahmed
-
Patent number: 11769394
Abstract: A system, method, and apparatus for implementing workflows across multiple differing systems and devices is provided herein. During operation, a workflow is automatically generated based upon a camera detecting denial of entry of an individual. The workflow can then be implemented or suggested as a newly-created workflow at other various entry points.
Type: Grant
Filed: September 1, 2021
Date of Patent: September 26, 2023
Assignee: MOTOROLA SOLUTIONS, INC.
Inventors: Carmen Jia Yi Siau, Kok Hong Soon, Tejeash Duraimanickam, Jin Hoe Phua
-
Patent number: 11757865
Abstract: In an approach for a rule-based filtering system for securing password logins, a processor receives a password input on a user device. A processor determines whether the password requires filtering. Responsive to determining the password requires filtering, a processor filters characters from the password based on a set of filtering rules to create a filtered password. A processor determines whether the filtered password matches a stored password.
Type: Grant
Filed: October 23, 2020
Date of Patent: September 12, 2023
Assignee: International Business Machines Corporations
Inventors: Nir Rozenbaum, Nili Guy
-
Patent number: 11757899
Abstract: Aspects of a privileged identity management system and method provide users with the ability to request elevated privileges to perform tasks on computing systems and software applications. The privileged identity management system and method also provides users with the ability to extend the elevated privileges to access privileged features or perform tasks using elevated privileges. The privileged identity management system and method utilize a different device that is readily available to the user in order to provide communications relating to the elevated privileges.
Type: Grant
Filed: January 19, 2021
Date of Patent: September 12, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Shimi Ezra, Natan Kfir, Noam Ben-Yochanan
-
Patent number: 11748756
Abstract: A method for authenticating a counterparty to a digital transaction includes obtaining, at a mobile terminal from an unverified counterparty, characteristic content associated with the digital transaction to be displayed in a trusted user interface provided by the mobile terminal, sending, by the mobile terminal, data associated with the characteristic content to an authentication server; and obtaining, from the authentication server, a result of an authentication judgment by the authentication server, the authentication judgment based on the data associated with the characteristic content and an item of reference content.
Type: Grant
Filed: May 11, 2018
Date of Patent: September 5, 2023
Assignee: Samsung Electronics Co., Ltd.
Inventors: Geng Chen, Pai Peng
-
Patent number: 11750609
Abstract: Techniques include receiving an access notification identifying a request by an identity for access to an access-protected network resource; identifying a configurable and multi-dimensional policy defining rights of the identity to access the access-protected network resource with respect to the operation of the access-protected network resource; automatically determining, based on the configurable and multi-dimensional policy, whether to perform at least one of: permitting the identity to access the access-protected network resource; denying the identity to access the access-protected network resource; or rotating a secret associated with the identity.
Type: Grant
Filed: April 26, 2018
Date of Patent: September 5, 2023
Assignee: CYBERARK SOFTWARE LTD.
Inventors: Kevin Gilpin, Brian Kelly
-
Patent number: 11743038
Abstract: A method and system of providing verification of information of a user relating to an attestation transaction is provided, and includes sending a request for information of the user, wherein the information has been previously attested to in an attestation transaction stored within a centralized or distributed ledger at an attestation address; receiving at a processor associated with a verifier the information of the user; sending a cryptographic challenge nonce; receiving at the processor associated with the verifier the cryptographic challenge nonce signed by the user's private key; verifying user identity with the cryptographic challenge nonce signed by the user's private key; deriving a public attest key by using the information of the user; deriving an attestation address using the public attest key; and verifying the existence of the attestation transaction at the attestation address in the centralized or distributed ledger.
Type: Grant
Filed: February 6, 2020
Date of Patent: August 29, 2023
Assignee: Civic Technologies, Inc.
Inventors: Jonathan Robert Smith, Vinodan Karthikeya Lingham, John Driscoll, Iain Charles Fraser
-
Patent number: 11740806
Abstract: An information handling system may include a processor and a management controller communicatively coupled to the processor. The management controller may be configured to, in response to an encrypted storage resource being coupled to the information handling system: transmitting a request to at least one other management controller for an encryption key associated with the encrypted storage resource; receiving a response from the at least one other management controller, the response including the encryption key associated with the encrypted storage resource; and unlocking the encrypted storage resource with the received encryption key.
Type: Grant
Filed: April 29, 2021
Date of Patent: August 29, 2023
Assignee: Dell Products L.P.
Inventors: Sanjeev Dambal, Kumaran Palaniappan, Vigneswaran Ponnusamy, Karthikeyan Rajagopalan, Karthik Arunachalam
-
Patent number: 11743050
Abstract: A computer system (100) for distributed shared execution of one or more shared processes, comprising: first program code for the one or more shared processes that comprises one or more shared code segments (142, 144, 146) shared between a first authorizing node (102) and a second authorizing node (104), wherein the one or more shared code segments (142, 144, 146) are executable by one or more executing nodes (102, 104, 106); a distributed ledger (152, 154, 156) that provides a record of valid code segments of the program code; and second program code comprising instructions that, when executed by the first and/or second authorizing nodes, validates that an anticipated execution result of the one or more shared code segments (142, 144, 146) satisfies shared authorization conditions and, if satisfied, authorizes the execution of the one or more shared code segments by the one or more executing nodes.
Type: Grant
Filed: February 10, 2021
Date of Patent: August 29, 2023
Inventors: James Benton Litsios, Simon Meier, Ognjen Maric, Sören Gerhard Bleikertz, Francesco Mazzoli
-
Patent number: 11736463
Abstract: A non-transitory computer readable medium stores a program causing a computer to execute a process which includes, for example, receiving entry of first information from a requesting user, specifying, among registered users, a candidate corresponding to the received first information, and controlling a display to display a first screen including (i) a clue of second information of the candidate, the clue only partially showing the second information of the candidate, and (ii) a button for calling up a second screen from which the second information is entered by the requesting user. The first screen does not receive entry of a password from the requesting user.
Type: Grant
Filed: November 19, 2021
Date of Patent: August 22, 2023
Assignee: FUJIFILM BUSINESS INNOVATION CORP.
Inventor: Takehiro Ichikawa
-
Patent number: 11716205
Abstract: A memory device includes nonvolatile memory cells, and a secure module to process first data including information about the device stored in the cells to generate a first password key, process second data including information about the device stored in the cells to generate a second password key, generate a public key and a secret key by a public-key cryptography algorithm, using the first password key and the second password key, and provide the first password key, the second password key, the public key, and the secret key to the cells to store the first password key, the second password key, the public key, and the secret key, where the second data is different from the first data, a value of the first password key value and a value of the second password key are prime numbers, and the public key is provided to a host connected to the device.
Type: Grant
Filed: January 28, 2021
Date of Patent: August 1, 2023
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Chan Ho Kim, Dae Seok Byeon
-
Patent number: 11716320
Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a request for authorization to access from an application. The processor is configured to determine a set of credentials that can enable authorization to access; generate a proof request challenge; receive a proof response; determine that the proof response is valid based at least in part on information stored in a distributed ledger; generate a token; and provide the token.
Type: Grant
Filed: March 26, 2019
Date of Patent: August 1, 2023
Assignee: Workday, Inc.
Inventors: Bjorn Hamel, Jonathan David Ruggiero
-
Patent number: 11709941
Abstract: A modified measured boot approach is utilized for establishing a secure communication link between two devices. Each device may execute a respective boot process until the device reaches the stage responsible for establishing the communication link with the other device. Each device may exchange its respective self-signed certificate and extend its certificate chain with the self-signed certificate received from the other device. Each device can then generate a new pair of keys based on its extended certificate chain that includes the identity of the other device, and exchange the public key of the new key pair with the other device. A secure link can be established using the public key of the other device as a base key for a key exchange protocol. A central management entity can attest the measurements of the boot stages for each device using the corresponding public key.
Type: Grant
Filed: June 30, 2021
Date of Patent: July 25, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Ori Cohen, Barak Wasserstrom, Andrew Robert Sinton
-
Patent number: 11706259
Abstract: Embodiments of the present invention provide a system for providing selective security regulations associated with network communications to users. The system is configured for extracting user data associated with a user, identifying one or more characteristics based on the extracted user data, generating a custom security package for the user based on the one or more characteristics, displaying one or more options associated with the custom security package on a user device of the user, prompting the user to select at least one option from the one or more options, receiving the at least one option from the user, and deploying a functionality associated with the at least one option from the custom security package.
Type: Grant
Filed: September 29, 2022
Date of Patent: July 18, 2023
Assignee: BANK OF AMERICA CORPORATION
Inventors: Kelly Renee-Drop Keiter, Christopher Daniel Birch, Susan R. Hart, Lisa Matthews, Cody Dean Searl
-
Patent number: 11704650
Abstract: Images are captured of a customer during a transaction at a transaction terminal along with images associated with items of the transaction and any bags or cart used to hold the items. The images are processed to track any movement and locations of the customer, items, bags, and cart relative to a known location of the transaction terminal. When a transaction payment is required for the transaction and movement is detected in a direction that is moving away from the transaction terminal before a payment notification is received for the transaction, one or more alerts are raised as an indication to staff and/or security systems of a potential in-progress walk-away theft.
Type: Grant
Filed: December 15, 2018
Date of Patent: July 18, 2023
Assignee: NCR Corporation
Inventor: Christopher John Costello
-
Patent number: 11696102
Abstract: Methods and systems are provided for auto-configuring a newly purchased user equipment (UE) device with content consumption material that is associated with a user. These methods and systems are provided by way of receiving, in response to the user having purchased the UE device, purchase information (e.g., a credit card number) and a UE device identifier (e.g., a serial number of a purchased UE device). After receipt of this information, a database is searched to identify a user account that is associated with the purchase information. The user account identifies content consumption material that has been processed by other UE devices to enable the user to consume content. A communication is then transmitted to the UE device that causes the UE device to be configured with the identified content consumption material.
Type: Grant
Filed: June 30, 2020
Date of Patent: July 4, 2023
Assignee: Rovi Guides, Inc.
Inventor: Gregory James Lundell
-
Image processing apparatus and multi-functional peripheral device with customizing operation screens
Patent number: 11683423
Abstract: According to an embodiment, an image processing apparatus includes a display unit, an operation unit, a processing unit, a storage unit, and a control unit. The display unit is configured to display an operation screen on which a processing mode and setting information may be selected. The operation unit is configured to receive an operation instruction from the operation screen displayed on the display unit and to transmit a processing job based on the operation instruction. The processing unit is configured to execute a process based on the processing job received from the operation unit. The storage unit is configured to store use history information indicating the processing jobs. The control unit is configured to customize the operation screen according to the use history information stored by the storage unit and cause the display unit to display the customized operation screen.
Type: Grant
Filed: April 20, 2021
Date of Patent: June 20, 2023
Assignees: Kabushiki Kaisha Toshiba, Toshiba Tec Kabushiki Kaisha
Inventor: Atsushi Ishihara
-
Patent number: 11677811
Abstract: Identifying users is disclosed including, in response to receiving an account operating request of an account sent by a user device, obtaining a personal question from a personal questions database and sending the personal question to the user device, receiving, from the user device, a verification response to the personal question, and determining whether a current user is a user associated with the account based at least in part on the verification response and a corresponding standard response in the personal questions database, where the personal question obtained from the personal questions database and the corresponding standard response were generated based at least in part on account operating information of the user associated with the account.
Type: Grant
Filed: June 17, 2020
Date of Patent: June 13, 2023
Inventor: Guanghui Yin
-
Patent number: 11677546
Abstract: The present disclosure relates to a method and system for securely transferring master keying material to a slave dongle (12). Each slave dongle (12) is connected to a data transfer system. The slave dongle (12) contains a public key and a private key and the data transfer system holds a master keying material source that contains master keying material to be transferred securely to the slave dongle (12). The slave dongle's public key is transferred to the master keying material source. The master keying material source encrypts the master keying material with the slave dongle's public key to produce an encrypted master keying material. The encrypted master keying material is sent to the slave dongle (12) and the slave dongle (12) decrypts the encrypted master keying material with the slave dongle's private key. This allows multiple users, each having a slave dongle (12a-n) that has been configured in this manner, to use the same master keying material to securely communicate with one another.
Type: Grant
Filed: May 6, 2021
Date of Patent: June 13, 2023
Assignee: iStorage Limited
Inventor: John Michael
-
Patent number: 11671734
Abstract: The invention relates generally to a wireless microphone system and methods. The system may include a receiver unit connected to one or more transmitter units. The system may be configured to monitor the link between the corresponding units and mark audio in response to a broken connection. Each transmitter unit of the system may include a switching arrangement configured to record uncompressed audio or compressed audio and, according to a processing path selected, transmit the same audio to the receiver unit. The transmission of audio may be accomplished via a dipole antenna positioned at a height from a circuit board. Advantageously, the system is configured to record and transmit audio with a low rate of dropout error.
Type: Grant
Filed: February 23, 2021
Date of Patent: June 6, 2023
Assignee: Freedman Electronics Pty Ltd
Inventors: Pieter Schillebeeckx, Joost ter Laak
-
Patent number: 11665166
Abstract: Apparatus, systems and methods for providing a limited capabilities computer which may operate on a network and be controlled, monitored and/or administered by a central network authority such as a VDI server.
Type: Grant
Filed: November 12, 2019
Date of Patent: May 30, 2023
Inventors: Barry Ian Dynkin, Benjamin Futernick Dynkin, Semyon Dynkin
-
Patent number: 11665159
Abstract: A server receives encrypted data from a protected-resource-requesting device that includes an encrypted combination of the device and user identification. The first server requests a most recent copy of data of a distributed ledger from a randomly selected logged-in workstation. The first server searches for a match of the encrypted data from the first device in the distributed ledger data received from the randomly selected workstation. In response to determining a match, the first server updates a table of a second server with a one-time-password (OTP) and a copy of the encrypted data received from the device. The first server sends the OTP and an instruction to the device to send the OTP and the encrypted data to the second server, which determines whether a match exists. In response to a confirmed match, the first server grants access to the device.
Type: Grant
Filed: April 22, 2020
Date of Patent: May 30, 2023
Assignee: KYNDRYL, INC.
Inventors: Suryanarayana Rao, Shiben Dutta, Clinton Vincen C, Vikas Lalwani
-
Patent number: 11665157
Abstract: Authentication methods and systems are disclosed. In one non-limiting example, an authentication method may include detecting a user within an image, determining that the image further includes additional recognizable data, analyzing the additional recognizable data and one or more biometric features of the user, and determining that the additional recognizable data and the one or more biometric features of the user correspond to valid additional recognizable data and valid biometric features of an enrolled user, respectively. The method may further include enabling the user to access a protected asset based on determining that the additional recognizable data and the one or more biometric features of the user correspond to valid additional recognizable data and valid biometric features of an enrolled user, respectively.
Type: Grant
Filed: September 26, 2019
Date of Patent: May 30, 2023
Assignee: ASSA ABLOY AB
Inventor: Nicolas Guibert
-
Patent number: 11657138
Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.
Type: Grant
Filed: February 28, 2019
Date of Patent: May 23, 2023
Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Inventors: Richard Alden Bramley, Jr., Dallas M. Barlow, Patrick Lee Gibbons, Adrian John Baldwin, Tevin Jaupaul Richards, Robert Stephen Craig, Valiuddin Ali, Jeffrey Kevin Jeansonne
-
Patent number: 11640457
Abstract: Systems and methods are disclosed for organizations to run a test against an active directory list to see if any user-provided passwords have been part of an existing data breach. Utilizing information from such a test identifies users that have weak passwords, reused passwords or shared passwords that have been associated with an earlier breach. With this information, the organization can seek to reduce risk by training staff for this specific issue in a timely and appropriate manner to significantly reduce the risk of a future breach by those identified users. Training can be customized and targeted at those users who attempt to use passwords that have been associated with a breach (either of their own account or of another account on the same or related domain).
Type: Grant
Filed: June 14, 2021
Date of Patent: May 2, 2023
Assignee: KnowBe4, Inc.
Inventor: Greg Kras
-
Patent number: 11637814
Abstract: Aspects of the disclosure relate to deploying and utilizing a dynamic data stenciling system with a smart linking engine. A computing platform may receive source data from one or more data source systems. Subsequently, the computing platform may identify a target application hosted by an enterprise application host platform as being an intended recipient of a portion of the source data. Then, the computing platform may select a dynamic data stencil from a plurality of available data stencils. Thereafter, the computing platform may overlay the portion of the source data onto the target application using the dynamic data stencil. In addition, by overlaying the portion of the source data onto the target application using the dynamic data stencil, the computing platform may cause the target application to execute one or more data processing functions using the portion of the source data received from the one or more data source systems.
Type: Grant
Filed: September 14, 2021
Date of Patent: April 25, 2023
Assignee: Bank of America Corporation
Inventors: Manu Kurian, Lalit Dhawan
-
Patent number: 11620179
Abstract: According to embodiments of the present disclosure, there is provided a method, apparatus, device, storage medium and program product for log information processing. The method comprises: determining a source of a target log in response to a log query request, wherein the log query request indicates that a target user requests to query the target log; determining a log desensitization policy corresponding to the source of the target log, the log desensitization policy being determined based on log registration information associated with the source, the log registration information being used for indicating a physical meaning of a variable item in the target log; and performing, based on service attribute information of the target user, the log desensitization policy and service authority information, desensitization processing on the variable item related to the target user in the target log for providing the target user with a desensitized target log.
Type: Grant
Filed: January 26, 2022
Date of Patent: April 4, 2023
Assignee: BEIJING BYTEDANCE NETWORK TECHNOLOGY CO., LTD.
Inventors: Zhipeng Tian, Hengming Dai, Zhijun Ling, Jianqing Zhang, Zhengqin Luo, Xinglang Wang
-
Patent number: 11605135
Abstract: A computer system for remote interactive graphical display and data management includes a data storage device storing data records, a remote data acquisition computer configured to selectively trigger display actions for the data records based on at least a time-based rule and a time-independent rule; a classification engine configured to classify a response received from a remote display interface having user-selectable options arranged to define a scale of values, in one of two categories, a first category and a second category, being below a first threshold value being classified as being in the first category, and responses on the scale above a second threshold value being in the second category, and a display interface generator configured to selectively generate a supplemental interface or a conclusion message dependent on the category.
Type: Grant
Filed: February 26, 2021
Date of Patent: March 14, 2023
Assignee: Hartford Fire Insurance Company
Inventors: Peter Neag, Kelly L. Trella, Jeffrey C. Thompson
-
Patent number: 11595816
Abstract: A system and method to support identity theft protection and, in particular, to a system and method for supporting identity theft protection as part of a distributed service oriented ecosystem in Internet protocol (IP) multimedia subsystem (IMS) and non-IMS networks. The system includes an identity session initiation protocol (SIP) application server configured to act as a security assertion markup language (SAML) bridge, which allows an SIP enabled device or a non-SIP enabled device to attach to a telecommunications service provider network. A user may accept or reject an authorization request using the SIP enabled device or non-SIP enabled device.
Type: Grant
Filed: April 26, 2016
Date of Patent: February 28, 2023
Assignee: Workday, Inc.
Inventors: Mamdouh Ibrahim, Sri Ramanathan, Tapas K. Som, Matthew B. Trevathan
-
Patent number: 11593015
Abstract: Data protection operations including verification operations are disclosed. Objects written to a cloud tier are verified without reading the objects out of the cloud. A translation map is used that allows a cloud verifier engine to compare a checksum of an object generated at a local tier with a checksum of the object as stored in the cloud tier. Mismatches are identified and corrective actions can be taken by reconstructing and rewriting the object to the cloud tier. Garbage collection may be prevented from reclaiming data associated with objects that have not been verified.
Type: Grant
Filed: April 6, 2021
Date of Patent: February 28, 2023
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Kalyan C. Gunda, Jagannathdas Rath
-
Patent number: 11587090
Abstract: Embodiments provide payment methods, server systems and devices for dynamically adapting a timeout period. The method includes receiving, by a server system associated with a payment network, a payment transaction request from a merchant interface. The payment transaction request includes a payment information and a payment card information of a user. After receiving the payment transaction request, a plurality of authentication options may be presented to the user for authenticating the payment transaction. The user may select an authentication option from the plurality of authentication options. A timeout period for authenticating a payment transaction is determined based on the authentication option selected by the user. The timeout period is determined using a set of predefined rules. Moreover, the timeout period may be dynamically adapted based on the authentication option and one or more of a plurality of timers, a plurality of usage analytics data and a user profile information.
Type: Grant
Filed: October 3, 2019
Date of Patent: February 21, 2023
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Arunmurthy Gurunathan, Ajay Bahadur Singh Panwar
-
Patent number: 11580240
Abstract: An example operation may include one or more of capturing a current version of sensitive data by a data processor node, hashing, by the data processor node, the current version of the sensitive data, storing, by the data processor node, a hash of the current version of the sensitive data on a first blockchain, encrypting, by the data processor node, the current version of the sensitive data using a secret key, and storing the encrypted current version of the sensitive data on a second blockchain.
Type: Grant
Filed: March 24, 2020
Date of Patent: February 14, 2023
Assignee: Kyndryl, Inc.
Inventors: Vugranam C. Sreedhar, Sreekrishnan Venkateswaran, Charanjit Singh Jutla
-
Patent number: 11575687
Abstract: Data is received that characterizes a computing architecture including at least one web-based server and an associated cryptographic web protocol to be implemented on such computing architecture according to a desired formal specification. Thereafter, a plurality of inattentive variants complying with the web protocol are generated without associated security checks. Messages to and from each inattentive variant are then monitored while executing the associated security checks. At least one security monitor is generated based on the monitored messages that is configured to address security vulnerabilities in the computing architecture relative to the formal specification. At least one generated security monitor can be later deployed in the computing architecture. Related apparatus, systems, techniques and articles are also described.
Type: Grant
Filed: February 9, 2021
Date of Patent: February 7, 2023
Assignee: SAP SE
Inventors: Luca Compagna, Lorenzo Veronese, Stefano Calzavara
-
Patent number: 11574041
Abstract: The present disclosure generally relates to managing access to credentials. In some examples, an electronic device authorizes release of credentials for use in an operation for which authorization is required. In some examples, an electronic device causes display of one or more steps to be taken to enable an input device for user input. In some examples, an electronic device disambiguates between commands to change the account that is actively logged-in on the device and commands to cause credentials to be released from the secure element.
Type: Grant
Filed: October 29, 2019
Date of Patent: February 7, 2023
Assignee: Apple Inc.
Inventors: Marcel Van Os, Peter D. Anton, Patrick L. Coffman, Elizabeth Caroline Furches Cranfill, Raymond S. Sepulveda, Chun Kin Minor Wong
-
Patent number: 11570019
Abstract: A home automation (HA) system may include, within a senior living facility, a cloud server, HA operation devices and HA user interface devices for respective users. Each HA user interface device may wirelessly communicate with the HA operation devices and the cloud server. HA hub devices may provide communications for the HA user interface devices, the HA operation devices, and the cloud server. A caregiver interface device may cooperate with the cloud server to display contextual information for a respective user. The cloud server may cooperate with the caregiver interface device to determine when the caregiver interface device is within a room in the senior living facility associated with the respective user, and when so, determine a current operation of a given HA operation device, determine the contextual information based upon the current operation of the given HA operation device, and communicate the contextual information to the caregiver interface device.
Type: Grant
Filed: October 31, 2018
Date of Patent: January 31, 2023
Assignee: K4CONNECT INC.
Inventor: Jonathan Andrew Gould
-
Patent number: 11563580
Abstract: The present disclosure relates to computer-implemented methods, software, and systems for validating and revoking security tokens. A request for a resource is received at an application server and from a client. The request is associated with a security token for authenticating the client by the application server. A public key of an authentication server is acquired at the application server for authenticating requests at the application server. A signature of the security token is validated at the application server. By validating the signature of the security token, it is determined whether the security token is validly issued by the authentication server. In response to the received request, the application server determines at an identifier that is associated with the client and validates the security token based on the identifier to determine whether to serve the received request and provide the resource.
Type: Grant
Filed: November 12, 2020
Date of Patent: January 24, 2023
Assignee: SAP SE
Inventor: Radoslav Ivanov Sugarev
-
Patent number: 11558375
Abstract: A virtual keyboard rendered on a separate computing device is independent of the user's computer. A virtual keyboard displayed on the user's computer screen is blank without any alphanumeric characters. Another virtual keyboard displayed on the user's independent computing device has a randomly generated layout of alphanumeric characters on a keypad. The user enters a password by pressing the blank keys of the blank keyboard on his computer screen with reference to the other virtual keyboard. The position sequence of these entered keys is sent to an application on a remote server computer. The remote server computer shares a virtual keyboard having the randomly generated layout of characters with the independent computing device via an online or off-line technique. When online, an encoded image of the encrypted layout is sent to the client computer and displayed for scanning by the device.
Type: Grant
Filed: December 16, 2019
Date of Patent: January 17, 2023
Assignee: Trend Micro Incorporated
Inventors: Jing Cao, Quan Yuan, Bo Liu
-
Patent number: 11558739
Abstract: Described herein are systems and methods that allow for secure wireless communication between a contact lens system and an accessory device to protect sensitive data and prevent unauthorized access to confidential information. In certain embodiments, tampering attempts by potential attackers are thwarted by using a Physically Unclonable Functions (PUF) circuit that is immune to reverse engineering. In addition, sensors monitor a to-be-protected electronic device to detect tampering attempts and physical attacks to ensure the physical integrity of the communication system.
Type: Grant
Filed: December 13, 2020
Date of Patent: January 17, 2023
Assignee: Tectus Corporation
Inventors: Renaldi Winoto, Paul Lambert, Ashkan Olyaei, Michael Wiemer
-
Patent number: 11551203
Abstract: A method of providing access to securely held data is provided. A user interacts with the service provider to obtain access to a service by using a device to provide a digital identifier to the service provider, without the digital identifier being made known to the user. At a later date the user wishes to retrieve securely stored data relating to their use of the service. However, because the user does not know the digital identifier, they are unable to identify themselves to the service provider using the digital identifier. The present disclosure provides a secure method for exchanging private identifiers, which allows the user to identify themselves to the service provider in order to gain access to securely stored data relating to the user's previous use of the service. The user can do this using the device on which the digital identifier is stored, or another device.
Type: Grant
Filed: October 28, 2019
Date of Patent: January 10, 2023
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: James Noe, John Tierney
-
Patent number: 11546366
Abstract: Systems and methods provide a platform for threat information sharing. A method comprises transmitting an access permission request to a blockchain network. The request asks for access to cyber threat information stored in at least one cyber threat information storage system. The information may come from a plurality of organizations. The blockchain network may include a blockchain ledger storing access control information from the plurality of organizations. Upon receipt of a reference to an access permission token generated by the blockchain network using at least one smart contract, a transaction request to the cyber threat information server may be sent. In response to the transaction request including the reference to the access permission token, the requested cyber threat information may be retrieved from the cyber threat information server.
Type: Grant
Filed: May 8, 2019
Date of Patent: January 3, 2023
Assignee: International Business Machines Corporation
Inventors: Yair Allouche, Oded Margalit, Ravid Sagy, Tom Weiss
-
Patent number: 11546171
Abstract: Disclosed herein are systems and methods for synchronizing anonymized linked data across multiple queues for SMPC. The systems and methods guarantee that data is kept private from a plurality of nodes, yet can still be synced within a local queue, across the plurality of local queues. In conventional SMPC frameworks, specialised data known as offline data is required to perform key operations, such as multiplication or comparisons. The generation of this offline data is computationally intensive, and thus adds significant overhead to any secure function. The disclosed system and methods aid in the operation of generating and storing offline data before it is required. Furthermore, the disclosed system and methods can help start functions across multi-parties, preventing concurrency issues, and align secure input data to prevent corruption.
Type: Grant
Filed: May 15, 2020
Date of Patent: January 3, 2023
Assignee: Acronis International GmbH
Inventors: Mark A. Will, Sanjeev Solanki, Kailash Sivanesan, Serguei Beloussov, Stanislav Protasov
-
Patent number: 11531732
Abstract: An embodiment of a method of providing identity assurance for a decentralized application (DApp) includes executing, by at least one distributed node of a blockchain system, an entitlement contract stored on the blockchain to perform a read call from a DApp contract stored on the blockchain, the read call including an address signing a transaction to the DApp contract. Performing the read call may include reading a list of registered addresses stored on the blockchain, determining whether the list includes the signing address; and providing an output indicating whether the list includes the signing address. The method may further include executing, by the at least one distributed node, a registry contract stored on the blockchain to perform a read call from the DApp contract, the read call including an identifier of the decentralized application.
Type: Grant
Filed: March 24, 2020
Date of Patent: December 20, 2022
Assignee: REFINITIV US ORGANIZATION LLC
Inventors: Richard Collin, Robert John Lundie Hill, Mihai Cimpoesu
-
Patent number: 11520922
Abstract: A method for personal data administration in a multi-actor environment is performed by a system that includes a data management process managed by a remote server. The system includes a user profile that is associated to a user PC device and includes a set of data management protocols and a user data registry. The system also includes a third-party account that is associated to an account ID and a third-party data registry. The method begins when a data transmission notification is received by the remote server. The remote server analyzes the notification to select an appropriate protocol from the data management protocols. The method then executes the data management protocol, makes a record of the interaction, and transmits an outgoing data packet to the third-party account. The method then monitors the outgoing data packet to determine if the user data contained therein has been transferred, interacted or tampered with.
Type: Grant
Filed: July 25, 2019
Date of Patent: December 6, 2022
Inventors: Todd Jeremy Marlin, Marisa A Marlin
-
Patent number: 11522903
Abstract: Described are systems and methods for evaluating cyber effects in a cyber-physical system (CPS). In some embodiments, a simulation model of the CPS is built and includes an attacked component set and an evaluated component set. A control component is inserted into the simulation model. One or more direct connections between the attacked component set and the evaluated component set are disconnected. One or more indirect connections are identified and then disconnected from the simulation model with disconnected direct connections. The one or more direct connections and indirect connections are routed through the control component. A cyber-attack on the attacked component set can be simulated by configuring the control component to control outputs transmitted via a routed connection, the routed connection being one of the routed direct or indirect connections. The simulated components of the simulation model can be progressively and iteratively replaced by corresponding components from the CPS.
Type: Grant
Filed: October 9, 2020
Date of Patent: December 6, 2022
Assignee: The MITRE Corporation
Inventors: Suresh K. Damodaran, Saurabh Mittal
-
Patent number: 11510054
Abstract: Various embodiments of the present disclosure are directed to providing authentication of access while reducing user input and, specifically to a method, apparatus, and computer program product for receiving device identification information from both a secured system indicating devices with authorization and from a third party telecommunications carrier indicating the mobile device account attempting to access a service provider. Embodiments provided include an apparatus configured to receive, from a mobile device, identification information associated with the mobile device. The apparatus further comprises computing an encrypted hash of the identification information and initiating a search of a registry for a matching entry that matches the encrypted hash of the identification.
Type: Grant
Filed: August 26, 2019
Date of Patent: November 22, 2022
Assignee: Averon US, Inc.
Inventors: Wendell Brown, Mark Klein, Tom Green
-
Patent number: 11502994
Abstract: A method of separating identity IPs for identification of applications from the locator IPs for identifying the route is provided. A virtual service layer (VSL) protocol stack uses the IP addresses assigned by network administrators to the application endpoints to support the TCP/IP stack as the identity IP addresses that are not published to the underlay network for routing. On the other hand, the VSL stack uses the IP addresses assigned by the underlay network to the VSL enabled endpoints and VSL enabled routers as the locator IP addresses for routing packets. The VSL stack formats application flow packets with identity headers as identity packet and encapsulates identity packet with the locator header to route the packet. The separation of the identity and locator identifications are used to eliminate the network middleboxes and provide firewall, load balancing, connectivity, SD-WAN, and WAN-optimization, as a part of the communication protocol.
Type: Grant
Filed: November 30, 2020
Date of Patent: November 15, 2022
Inventor: Sri Ram Kishore Vemulpali