Abstract: The present invention concerns a system (10) and a process for authenticating a PIN code of a user in an interactive information system in order to run an application. It comprises input means (15) for PIN code entry, security manager means (13) for comparing the PIN code of the user upon a request for user authentication from the application, with a registered PIN code, and giving authorization to run said application if the PIN code of the user matches with the registered PIN code, and display means (17) for displaying any graphics including a PIN entry field. The request for user authentication is provided on the display means via the Pin entry field with the look and feel of said application. The system further comprises emitting means for entering crypted digits, the security manager means (13) being arranged to give authorization to run the application after full entry of said crypted digits and if the PIN code of the user is identical to the registered PIN code.

Abstract: A method and apparatus for providing password security to an electronic device. Access rights to an electronic device are determined by decrypting and decoding an encrypted password given to one or more individuals. When an individual enters a given encrypted password into the electronic device, a decrypting function decrypts the password to generate an decrypted password. The decrypted password contains information as to whether access should be granted to the individual, and if so, to what extent. For example, the decrypted password may comprise a time and date field which indicates a date and time at which access will not be granted.

Abstract: Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different host with different characteristics from the same base logical rule set.

Abstract: A secure access system includes at least one lock, at least one electronic key with stored information assigned to a user and a system administration for administering user access privileges. A method for remotely updating the user's expired access privileges includes establishing communication between the user and the system administration from a location remote from the system administration, receiving a remote privilege code from the system administration, communicating the remote privilege code to the lock, and, if authorized, the lock validating the privilege code to renew the user's access privileges. The validated privilege code can also be made effective to access other different locks within the system.

Abstract: Technologies for redirecting traffic associated with a target entity for purposes of lawful intercept are presented herein. According to one aspect, a request to monitor data packets associated with a target entity for purposes of lawful intercept is received. Once the request is received, the target entity is added to a lawful intercept list and assigned a lawful intercept IP address from a range of lawful intercept IP addresses. Each lawful intercept IP address may have a corresponding routing policy for routing data packets associated with the corresponding lawful intercept IP address to a lawful intercept capture system. The data packet is then routed to the lawful intercept capture system based on the routing policy of the lawful intercept IP address. The lawful intercept capture system captures the data packet and forwards the data packet to a next hop network entity associated with the data packet.

Abstract: An authentication scheme for unlocking a computing system may require a shortened password in some cases. For example, the computing system may be configured to determine a time that a user has been locked out of a computing device and to determine which of a plurality of time spans that the time falls within. The computing system may also prompt the user for a required password including a full password or a subset of the full password depending on the determined time span. The computing system may be further configured to display a visual indicator corresponding to the determined time span or a required password length on a visual display. A length of the required password for login may be progressively longer for each of the plurality of time spans as a time period that a respective time span covers increases.

Abstract: A speaker-verification digital signature system is disclosed that provides greater confidence in communications having digital signatures because a signing party may be prompted to speak a text-phrase that may be different for each digital signature, thus making it difficult for anyone other than the legitimate signing party to provide a valid signature.

Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.

Abstract: A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gate recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.

Abstract: An optical medium containing virtual write protect information can be recorded in drives and systems without first changing the write protection from on to off by receiving valid user input The virtual write protection may also be enabled or disabled by additional information on the disc.

Abstract: An electronic device, system and method for automatically managing wireless connections with a plurality of other devices are provided. The electronic device may be a security token access device and may be adapted to wirelessly pair and optionally securely pair with other devices. Connection information, which may comprise security information, is maintained at the electronic device for each connected device. When a connected device becomes stale, the electronic device implements one or more steps to manage the stale device's connection.

Abstract: Techniques for distributed and secure content delivery are provided. Requests for content are routed to a centralized service where the requestors are authenticated for access to the content. The centralized service generates access statements for the requesters. The requestors are redirected to particular distributed content services having access to the desired content. The distributed content services verify the access statements and vend the desired content to the requestors.

Abstract: One embodiment of the present invention provides a system that facilitates encrypting data. During operation, the system receives unencrypted data to be encrypted. Next, the system preprocesses the unencrypted data to create preprocessed unencrypted data, wherein preprocessing the unencrypted data involves generating a salt (wherein the salt facilitates in determining if the subsequently encrypted data has been altered) and concatenating the salt and the unencrypted data to create the preprocessed unencrypted data. Next, the system encrypts the preprocessed unencrypted data to create the encrypted data. Because the salt has already been applied to the plaintext data, it does not need to be reapplied during the encryption phase as is typically done in encryption. Finally, the system stores a copy of the salt with the encrypted data.

Abstract: Authenticating an end user for a client application using a directory service can include receiving end user identity information and security information at the client application, sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information. The received authentication token can be compared with the security information. If the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.

Abstract: A method and apparatus for preventing accidental disclosure of confidential information via visual representation objects is described. In one embodiment, the method includes establishing pattern information with respect to confidential information, wherein the confidential information is used to authenticate users, monitoring a visual representation object having an input focus associated with a user interface, wherein the visual representation object receives input data, comparing the input data with the pattern information to identify at least one unobscured portion of the confidential information and producing indicia of detection of the at least one unobscured portion of the confidential information on the visual representation object.

Abstract: A method for imputing different usernames and passwords using an input device with a display to use different protected assets that requires the inputting of a preselected username into a username enter box and the inputting of a preselected password into a password entry box immediately prior to use. The method includes the steps of designating two or more username keys on said input device, each said username key being assigned with a unique letter or number located on said input device and to a unique username made of a plurality of alpha-number characters, designating two or more password keys on the input device each being assigned with a letter or number located on said input device and to a unique password made of a plurality of alpha-number characters. Next the protected asset is then accessed and the username key and keyword key assigned to the asset is imputed.

Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.

Abstract: A system and method providing sharable content item links with link sharer specified use restrictions. The method includes: receiving, from a device used by a link sharer, a request to share a server-stored content item as a sharable link; causing a user interface to be presented at the device that allows the link sharer to specify one or more restrictions on how the sharable link is used to access to the content item; receiving, through the user interface presented at the device, a specification of at least one of the restrictions; receiving, from a device used by a link submitter, a request to access the content item at the sharable link; determining whether the at least one restriction prevents the link submitter from the requested access; and granting the requested access only after determining that the at least one restriction does not prevent the link submitter from the requested access.

Abstract: A method for sharing a common computing system among multiple users is disclosed. A user can perform a login process during which an input data, such as a user name or a password can be entered by the user to access a session. The user name and/or the password are then serialized into an object or a set of objects. If the serialized object or objects are authentic, a session is created and the session properties of the session are defined. Any applications that are subsequently executed during the session remain active after the session is switched out.

Abstract: A device and a method for graphical passwords. A device displays an initial image comprising a plurality of graphical elements, each graphical element having at least two variants; receives user input to select a variant of a number of the graphical elements, thereby generating a modified image; and generates the secret value from at least the selected variants of the graphical elements. The graphical elements are advantageously seamlessly integrated in the images, thereby making the system resistant to shoulder surfing attacks.

Abstract: A password input system and a method inputting a password are provided. The password input system includes a signal receiving unit, a processing unit and a storage device. The signal receiving unit receives input signals comprising key-pressing signals and key-releasing signals respectively corresponding to the key-pressing signals and each key-pressing signal corresponds to an alphanumeric symbol. The processing unit, according to a predetermined key-releasing rule, sequentially groups the alphanumeric symbols corresponding to the key-pressing signals into groups. Each group is regarded as a password element and the password elements together form a multi-key input password set. The storage device stores the multi-key input password set.

Abstract: Generally speaking, systems, methods and media for authenticating a user to a server based on previous authentications to other servers are disclosed. Embodiments of a method for authenticating a user to a server may include receiving a request to authenticate the user to the server and determining whether authenticating the user requires matching an authentication plan. If a plan is required, the method may also include accessing a stored authentication plan with authentication records each having expected information relating to user access to a different server. The method may also include receiving an indication of the user's current authentication plan from an authentication store where the plan has authorization records each having current information relating to user access. Embodiments of the method may also include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response to a match, authenticating the user.

Abstract: Systems and methods for limiting access to data in a portable data storage device. An exemplary method may use an electronic computing device to prevent access to the data and includes the step of providing the portable storage device with a first software program that has a current expiration time value. The first software program is able to compare the current expiration time value against a time based parameter and activate a security mechanism protecting the data stored in the portable data storage device based on the comparison. The method also includes the step of providing an electronic computing device with a second software program. The second software program is able to identify the portable data storage device and reset the current expiration time value of the first software program to a later time value when the electronic computing device is electronically communicating with the portable data storage device.

Abstract: A portable device includes a touch screen that includes a display screen and that generates touch screen data in response to a user's interaction with the touch screen. A processor executes a security application for authenticating the user to the portable device that provides first display data to the touch screen for displaying a security prompt on the display screen. Touch screen data is received from the touch screen in response to the user's interaction with the touch screen and is processed to determine when an authentication shape is recognized as being indicated by the touch screen data. The user is authenticated to the portable device when the authentication shape is recognized as being indicated by the touch screen data.

Abstract: A method, apparatus and computer program product for controlling access to host access credentials required to access a host computer system by a client application is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials and a determination as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.

Abstract: A system which includes a programmable multimedia controller is provided in which flexible user access is provided through a combination of user profiles and usernames/pas swords. A configuration for a given device which may form part of the system or may interoperate with the system may be shared by multiple similar devices. A sharable device configuration is stored by a master device and can be shared by other devices of the same type as the master device.

Abstract: An approach for facilitating a one-time password (OTP) authentication procedure is described. A dedicated validation appliance receives a one-time password authentication request via an application programming interface, which is a single point of access to the dedicated validation appliance. The dedicated validation appliance then determines a validity of the request based on the correlating of a submitted OTP against OTP values independently generated by the dedicated validation appliance based on a large secret key exclusive to a client device that initiated the request. The single point of access to the dedicated validation appliance as well as exclusive sharing of the secret key with only another dedicated validation appliance or one-time with the client device reduces the likelihood of attackers discovering the secret keys.

Abstract: Methods and systems are provided for controlling access to an electronic device. The electronic device, for example, may include, but is not limited to, a processor, a memory communicatively coupled to the processor, wherein the memory is configured to store a password for accessing the electronic device, and a communication interface communicatively coupled to the processor, wherein the processor is configured to receive a request to access the electronic device from the communication interface, and transmit an encrypted version of the password for accessing the electronic device via the communication interface.

Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.

Abstract: A system and method for providing, as a service over a computer network (especially a packet-switched computer network) to a body of merchants connected to the computer network, verification of consumer identification based on data provided over the computer network by scanning devices attached to the computers operated by consumers.

Abstract: Access control for a memory device is provided. In one embodiment, a portable memory device is provided comprising a storage medium comprising a private area and circuitry operative to (a) receive, from a host device, a password to unlock the host device, (b) compare the password with a password stored in the portable memory device, and (c) if the passwords match, allow the host device to access the private area. In another embodiment, a portable memory device is provided comprising a storage medium comprising a private area and a public area. The public area stores computer-readable program code to facilitate interaction with the access control features of the portable memory device. Methods for use with such memory devices are also provided. Other embodiments are disclosed, and each of the embodiments can be used alone or together in combination.

Abstract: A first storage device provides a host device with access to a private memory area by communicating a password between the first storage device and a second storage device via the host device using a double-encryption scheme. In one embodiment, a host device receives a twice-encrypted password from a first storage device, sends the twice-encrypted password to a second storage device, receives a once-encrypted password from the second storage device, decrypts the once-encrypted password to obtain the password, and sends the password to the first storage device. In another embodiment, a first storage device sends a twice-encrypted password to a host device, receives the password from the host device after the twice-encrypted password is decrypted by a second storage device and the host device, and provides the host device with access to the private memory area only if the password matches one that is stored in the first storage device.

Abstract: One embodiment is directed to a method for managing cryptographic information. The method includes initiating cryptographic information loading application on a general purpose mobile device (GPMD) and establishing a connection between the GPMD and a server that includes cryptographic information. Authentication input is received from a user of the GPMD. Data identifying the GPMD and the authentication input is sent from the GPMD to the server for authentication of the GPMD and the user. The GPMD also sends data identifying an electronic device into which cryptographic information is to be loaded. In response, the GPMD receives cryptographic information for the electronic device at the GPMD from the server. The GPMD then sends the cryptographic information from the GPMD to the electronic device for loading therein.

Abstract: A lock code recovery system for selectively sending a lock code to a proximate personal electronic device is provided. A recognizable code is associated with the proximate personal electronic device. The lock code recovery system includes a user input device for receiving feedback and a control module. The control module is in communication with the user input device, and has a memory with an application and at least one recognizable code stored thereon. The application has the lock code associated with the application for at least activating or deactivating the application. The control module includes control logic for monitoring the user input device for feedback indicating the lock code associated with the application should be sent to the proximate personal device.

Abstract: A method and system for protecting identity information comprises determining identity information required by a resource utilized by a user, determining strength of the identity information used by the user to access the resource, and performing an action in view of the strength.

Abstract: In a method for issuing a digital certificate by a certification authority (B), a device (A) sends a request message to the certification authority (B) for issuing the certificate, the certification authority (B) receives the request message and sends a request for authenticating the device (A) to the device (A), the device (A) sends a response to the certification authority (B) in response to the received request, and the certification authority (B) checks the received response and generates the certificate and sends the certificate to the device (A), if the response was identified as correct.

Abstract: Various embodiments of a system and method for secure password-based authentication are described. The system and method for secure password-based authentication may include an authentication component configured to request and receive authentication from an authenticating system according to a secure password-based authentication protocol. The authentication component may be configured to participate in an attack-resistant password-based authentication protocol such that an attacker who has compromised the authorizing system and/or a communication channel between the authentication component and the authenticating system may not determine a user's password and/or impersonate the user. In one embodiment, the authentication component may be configured to provide its attack-resistant password-based authentication functionality to an application (e.g., through a stand-alone application, plugin, or application extension).

Abstract: A method for managing offline authentication. The method may include 1) identifying an attempt, by a user, to access a client device, wherein accessing the client device requires the user to be authenticated, 2) determining whether the client device is offline, 3) in response to determining that the client device is offline, authenticating the user using offline authentication, wherein offline authentication does not require an active network connection with a remote authentication service, 4) upon successful authentication of the user using offline authentication, allowing the user to access the client device, 5) monitoring the network-connection state of the client device, 6) detecting that the client device is online, and then 7) in response to detecting that the client device is online, locking the client device in order to require the user to reauthenticate using online authentication, wherein online authentication requires the active network connection with the remote authentication service.

Abstract: An e-mail system is disclosed that overcomes many deficiencies of, but is backward compatible with, existing e-mail systems. Embodiments of the system may include various features, including but not limited to: (1) secure transfer of e-mail messages, without the need for users to replace existing e-mail clients or to change e-mail addresses; (2) tracking of all actions performed in connection with an e-mail transmission; (3) the ability for a recipient to view information about an e-mail message, optionally including information about how other addressees have responded to it, before deciding whether to retrieve the e-mail message; (4) the aggregation of entire e-mail conversations into a single threaded view; (5) the ability to include both private and public messages in a single e-mail communication; (6) sender control over downstream actions performed in connection with an e-mail message; (7) flexible control over cryptographic methods used to encrypt emails messages for storage.

Abstract: A portable storage device has a storage peripheral interface connecting to a computer. An encrypted data storage is available to the computer connected to the interface. The encrypted data storage includes a first part accessible after an authentication. A controller has a first operation mode performing encryption and decryption of data of the first part after the authentication of a first combined credential. The encryption and the decryption rely on a cipher key derived from a second combined credential. The first combined credential and the second combined credential are derived from at least a computer signature of the computer connected to the interface and a user credential of a user of the computer connected to the portable storage device.

Abstract: The disclosure provides a system and method of authenticating a user to a network. For the method, if a request for a resource initiated by the device is related to a restricted resource, then the method: redirects the request to the authentication server; initiates an authentication process at the server to request a user account and a password from the device to authenticate the device if it has not been authenticated; automatically provides the device with access to the restricted resource if the device previously had been authenticated to access the restricted resource; and provides a signal to the device indicating whether it has been authenticated to allow the device to update its graphical user interface to indicate an access status for the restricted resource. If the request relates to a non-restricted resource, then the method automatically provides the device with access to the non-restricted resource.

Abstract: Methods, systems, and computer programs for verifying a password are disclosed. For example, the password can be verified on a mobile device to control user access to the mobile device. In some implementations, a mobile device includes a user interface, a main processor, and a co-processor. The user interface receives a submitted password value from a user. The main processor calls the co-processor to provide a hash chain input value based on the submitted password value. The main processor evaluates a hash chain based on the hash chain input value provided by the co-processor. Evaluating the hash chain generates a submitted password verification value. The submitted password verification value is compared to a stored password verification value stored on the mobile device. Access to mobile device functionality may be permitted or denied based on a result of the comparison.

Abstract: In one example embodiment, an information processing apparatus determines whether a target ID is a unique ID or a partial randomization ID that includes a first part being replaced by a different number and a second part being generated based on the unique ID. In response to the target ID being the partial randomization ID, the information processing apparatus generates an access key based on the second part of the partial randomization ID and a key. The information processing apparatus executes a mutual authentication process using the generated access key.

Abstract: To provide an authentication technology acquiring high security with a simple configuration. In an information processing device utilizing a user's input operation for authentication, an input frame is displayed to the user, the user is prompted to input a keyword to within the input frame, a magnitude of the input by the user is judged, and the inputted keyword is judged, results of the judgments are used as authentication information for the authentication. A magnitude of the input may be a size of the input frame and a size of a character, which are designated by the user.

Abstract: An embodiment for securely accessing services of a service provider based on single sign on. The user device is authenticated by an authentication server if the computed hash of the first random number r is same as the received hash of the first random number r sent by a user device. Thereafter, the second random number y, the user id and an element Q are encrypted using a service provider password and send to the service provider. The user device computes a first discrete exponential function Z using the element Q and the second random number y and sends along with the user id to the service provider. The service provider computes a second discrete exponential function Z? using the element Q and the second random number y received from the authentication server and provides the user device access to the services if Z is equal to Z?.

Abstract: A system and method for integrating the Internet front end-sign on processes of the various systems of a financial institution which allows a customer to view and access its various financial accounts with the institution. During the initial sign up for the online access to its accounts, a customer creates his/her User ID and password online during the same session. Once the customer has signed on (password) and verified ownership of at least one account, the system displays all of the customer's accounts that are available for access via the Internet website. The online ownership verification uses only a single account of the customer and the ownership verification criteria associated with the account. The account used for verifying a customer is first determined based on the accounts selected by the customer for accessing online. From the selected accounts, the system of the present invention creates a verification hierarchy with respect to the accounts.

Abstract: Systems and methods for authenticating a user of a service are disclosed. A host of a service provides a user interface that can be accessed via a display of a terminal. Upon successfully transmitting a first set of credentials, the host requests a random image to be generated by an authentication server. The authentication server transmits the random image to the host, as well as to a mobile device that is associated with the user of the service. The mobile device receives a picture message including the image. The user interface displays a list of images on the display. The user matches the received image with an image among the list of images, wherein a successful match follows in the user being granted access to the service. Consequently, an additional layer of security using a visual identification of a user is provided.

Abstract: A computer system is provided comprising a non-volatile storage medium and a processor. The processor acquires authentication information from a first removable storage device, stores the authentication information into the non-volatile storage medium, and forbids data access of the computer system when detecting that a second removable storage device has been inserted and identification data of the second removable storage device is different from the authentication information.

Abstract: A mobile phone of the type including a connection, able to allow the connection to a webpage with a particular URL, the connection to said webpage requiring the entry of a particular identifier specific to said webpage, a first storage able to store, in a database, the particular identifiers, each associated with a corresponding webpage. The mobile phone also includes a trigger able to systematically and automatically trigger, after the entry of a particular identifier, the implementation of a selector for choosing a primary identifier shared by all webpages requiring that a particular identifier be entered, if no primary identifier has been chosen yet, and a second storage able to store a security datum depending on the primary identifier after the entry of the primary identifier.

Abstract: An apparatus and a method for storing an encrypted username and password. In one embodiment, a username is encrypted. A password associated with the username is encrypted. A user identifier associated with the username is encrypted. The encrypted username, the encrypted password, and the user identifier are stored in one or more database.