Abstract: An apparatus and method for preventing falsification of a client screen is provided, in which a web server dynamically generates URIs and provides them to clients, thus preventing the falsification of client screens due to a web injection attack or a memory hacking attack. The apparatus includes a random web generation unit for converting an identical web page into random URIs that are randomly generated, at a request of a plurality of clients, generating different random web sources, and providing the different random web sources to the respective clients. A web falsification determination unit compares display web source eigenvalues respectively generated by the clients with respect to any one of the random web sources with a generative web source eigenvalue for the one of the random web sources, thus determining whether screens corresponding to the random web sources displayed on the respective clients have been falsified.

Abstract: An apparatus and a method for encrypting a username is described. In one embodiment, a hashed username is encrypted with an encryption function. An input size of the encryption function matches an output size of the encryption function. The password associated with the hashed username is replaced with a function of the encrypted username. The function includes a linear combination operator of the password and the encrypted username. The encrypted username is then swapped with the replaced password. The encryption, replacement, and the swapping are iterated for at least two rounds using a different key with each iteration.

Abstract: In one embodiment, there is provided a mobile communications device comprising: a processor; a communications subsystem operable to exchange signals with a wireless network; a storage element having application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the device, and to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; wherein the security action comprises erasing or encrypting at least some of the data on the storage element.

Abstract: A method and apparatus for client authentication using a pseudo-random number generation system. The pseudo-random number generation utilizes a secret key as well as state information as input into the hash function to generate a pseudo-random number. The state information that is part of the input can be any number of prior generated pseudo-random numbers. The authentication allows for synchronization of the client and server by exchanging state information. The authentication is not dependent on any absolute time and consequently the client and servers are not required to maintain a reliable shared time base.

Abstract: The present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. In one aspect, a method for enrolling a user in a system configured to identify and authenticate the user is provided. The method includes collecting a username and password to identify the user. The method further includes extracting device data from a user machine to uniquely identify the machine. The method also includes generating a user profile based upon the device data and the username and password. Additionally, the method includes transmitting the user profile to a server machine to be stored. In another aspect, a computer-readable medium including a set of instructions that when executed by a processor cause the processor to enroll a user in a system configured to identify and authenticate the user is the provided. In yet a further aspect, a system for identifying and authenticating a user is provided.

Abstract: A method and system is provided for using an access list stored on a memory of a first computing device, the access list for controlling communication between the first computing device and a plurality of computing devices in a Bluetooth communication network.

Abstract: A cellular network system comprises a device identifier comparator and a connection enable indicator. A device identifier comparator for comparing a received device identifier with one of a plurality of stored device identifiers, wherein the one of the stored plurality of stored device identifiers is associated with a stored subscriber identifier. A connection enable indicator for indicating whether a connection from a cellular device associated with the received device identifier to a data network associated with the cellular network system should be enabled.

Abstract: A system, method and program product for utilizing a steganographic process to hide data element in a carrier object. A system is disclosed that includes: a pivot object generator that generates a pivot object having a key hidden therein, wherein the key is hidden in the pivot object based on an inputted salt; and a carrier object generator that generates a carrier object having a data element hidden therein using a steganographic hiding system, wherein the steganographic hiding system requires utilization of the key to extract the data element from the carrier object.

Abstract: Embodiments of the present disclosure provide a flexible way of accommodating typical user errors when attempting to gain access. One method prevents an error in an access protocol by determining if an access request contains an error that may be forgiveable, such as repeated entry of the same incorrect password or the use of all capital letters. If the access request contains an error, the access request will be classified as invalid. As such, the invalid access request will not count against the number of allowed access requests. Errors may include repeated passwords, obvious typographical error, etc. A message may also be provided or sent to the user that informs the user of their error.

Abstract: An apparatus and method for unlocking a user equipment. The apparatus may include a first input unit, a second input unit, a controller, and a memory. The first input unit may be configured to set up a first password and to receive a first input. The second input unit may be configured to set up a second password and to receive a second input. The controller may be configured to compare the first input with the first password, compare the second input with the second password, and initiate an unlock operation of the user equipment based on a result of the comparisons. The memory may be configured to store at least the first password and the second password.

Abstract: A method, system and computer-usable medium for providing secure access to an application over an unsecure network. A transparent identification member can be physically placed by a user against a login interface, the transparent identification member possessing a filter for filtering and displaying a pattern unique to the login interface. Thereafter, the user can be automatically permitted to authenticate an unsecure network and securely access an application over the unsecure network, in response to placing the transparent identification member against the login interface and providing a user input at a physical location on the login interface corresponding to the pattern unique to the login interface, thereby providing a secure authentication for the user to perform secure transactions over the unsecure network and preventing phishing by others with respect to the user and the unsecure network.

Abstract: Apparatus, systems and methods are provided for facilitating user authentication in a computing system based on pictorial discernment of images displayed to a user. Multiple images are displayed to a user, with each image having one or more distinguishing characteristics. Each symbol of the user's password is associated with a particular characteristic included in one of the displayed images. The user is properly authenticated if they select the images having the characteristics corresponding with the symbols of the user's password.

Abstract: The present invention generally relates to a computer security system for use in the identification and authentication of a user. In one aspect, a method for identifying and authenticating a user is provided. The method includes establishing a trust between a server machine and an agent on a user machine. The method further includes establishing a session key to encrypt communications between the server machine and the agent. The method also includes receiving a username and password for use in validating the user. Additionally, the method includes creating an executable binary for the extraction of device data from the user machine to uniquely identify the machine. In another aspect, a computer-readable medium including a set of instructions that when executed by a processor causes the processor to identify and authenticate the user is provided. In a further aspect, a system for identifying and authenticating a user is provided.

Abstract: A system for enhancing security of a personal identification number is configned for performing a method that includes receiving, from a first entity having an input permission, a first data structure into a HSM, wherein the first data structure maps a first many-to-one mapping between a first and a second PIN numeral system. The method also includes determining whether the content of the first data structure is valid, storing the first data structure in the HSM if the first data structure is valid and marking the stored first data structure as inactive. The method further includes activating the first data structure if a second data structure is input into the HSM by a second entity having an activation permission, wherein the first entity is different from the second entity, the first data structure is identical to the second data structure. The method additionally includes converting from the first to the second PIN numeral system responsive to the activated first data structure.

Abstract: An embodiment of the invention provides a method for detecting fraudulent use of a moderator passcode in a conference calling system. The method sets a threshold number of moderator passcodes permitted in a conference call. The total number of moderator passcodes entered into the conference call is determined and compared to the threshold number with a processor. The conference call is allowed to continue if the threshold number exceeds the total number of moderator passcodes entered into the conference call. If, however, the total number of moderator passcodes exceeds the threshold number of moderator passcodes, the processor performs validation actions and/or alert actions.

Abstract: An embodiment of the invention is directed to a data processing system having a plurality of users, a portion of which were previously assigned permissions respectively corresponding to system resources. The embodiment includes acquiring data from a first data source, containing information pertaining to the portion of users and their permissions, and further includes acquiring data from a second data source, containing information pertaining to attributes of each user of the plurality. A set of permissions is determined for a given role, from both first and second data sources. First and second criteria are determined for assigning users to the given role, from information in the first and second data sources, respectively. A particular user is selected for admission to the given role only if the particular user is in compliance with both the first criterion and second criterion.

Abstract: Users are enabled to conduct financial transactions in a secured manner without the need to use traditional financial instruments, such as credit cards, debit cards, prepaid cards, ATM cards, checks, cash, etc. In addition, user's identity is kept confidential in the financial transactions.

Abstract: Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN).

Abstract: A system and method for facilitating identification of an attacking computer in a network is provided. A user attempting to login to a network application may be presented with a screen prior to the login which lists preconditions of gaining access to the application. If a user concurs with the preconditions, a security module is downloaded to the user's computer and executed which gathers various configuration settings and transmits the gathered information to a predetermined destination. The security module may also attempt to place a call to a predetermined destination over a modem in the computer to cause registration of caller-ID data when answered at the predetermined destination. Once the security check is completed, login may proceed with the network application. Any data gathered by the security module may be stored for later recall and use to identify the computer in the event of an attack.

Abstract: Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.

Abstract: A computer-implemented method may include presenting to a user an image, receiving a manipulated image by the user and providing access to a computing service based on a comparison of the manipulated image to a predefined arrangement of the image. In one exemplary implementation, presenting to the user the image may include presenting to the user a figure, receiving the manipulated image may include receiving a manipulated figure by the user and providing access to the computing service may include providing access to the computing service based on a comparison of the manipulated figure to a predefined arrangement of the figure.

Abstract: A communication terminal of the present invention includes a first communication unit used for communication including at least a voice call, an operation input unit for acquiring instruction input from a user, a second communication unit for performing communication with a predetermined object apparatus equipped with a function capable of receiving access via at least an external network, and a control unit that, when a voice call channel is established to another communication terminal, and an access permission instruction is inputted by the user, performs setting with respect to the object apparatus to permit the access from the another communication terminal via the external network, and transmits, to the another communication terminal, access information for performing the access to the object apparatus via the external network.

Abstract: A method of maintaining a blacklist for gesture-based passwords is provided. A data store of index values corresponding to gestures is maintained on a blacklist server. Upon receiving a new gesture based password, an electronic device converts the password to an index value and forwards that index value to the blacklist server. The blacklist server increases an occurrence of the received index value by one in a data store and if the increase results in a blacklist threshold being exceeded, the index value is inputted to the blacklist. A notification can be sent back to the electronic device if the forwarded index value is on the blacklist or is inputted to the blacklist.

Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, and retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: The systems, methods and apparatuses described herein provide a computing environment for authenticating a user. An apparatus according to the present disclosure may comprise a non-volatile storage, a user interface, and a password engine. The password engine is configured to retrieve two or more predetermined prompts from the non-volatile storage, present the two or more predetermined prompts on the user interface to a user in a random order, receive a first set of input(s) in response to the two or more predetermined prompts, create an encryption keyword from the received first set of input(s) according to an original order of the two or more predetermined prompts stored in the non-volatile storage, and use the encryption keyword to authenticate the user.

Abstract: A method for controlling an analysis system is presented. The method comprises receiving, by an encryption unit, authentication data of a user. In the case of a successful authentication, a user-specific security code is generated by the encryption unit. The security code is outputted by the encryption unit to the authenticated user. The security code and the user-ID are received by an authentication unit coupled to the analysis system via a user-interface coupled to the authentication unit. The security code is decrypted by the authentication unit. If the decrypted security code matches with the user-ID, the user is authenticated at the authentication unit and an authentication signal is generated by the authentication unit for permitting the user to initialize at least one function of the analysis system.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; ascertaining, in response to said determining, which of one or more items that are at least conditionally accessible through the computing device are active; and providing one or more selective levels of access to the one or more items based, at least in part, on said ascertaining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: The invention provides a network system which can prevent an illegal access to a network or the like set in a specific area and improve security of the network. The network system permits the entering of the user into a security area in accordance with security information (user ID) read out of a contactless IC in a carrying ID card by an entering/leaving room managing apparatus and registers an MAC address of a notebook computer carried by the user when he enters the security area to a managing server as ID information corresponding to the user ID. When a leaving request of the user is received through the entering/leaving room managing apparatus, the network system deletes the registered ID information and restricts connection between the notebook computer and the network on the basis of a registration situation of the ID information to the managing server.

Abstract: A method and apparatus to prove user assertions. A client request to authenticate a user assertion pertaining to user personal data may be received. The requested authentication may be generated for the client, the authentication proving the user assertion without revealing other information about the user. The requested authentication may be sent to the client.

Abstract: Embodiments of the present invention may detect an access attack by analyzing the passwords from successive access requests in an access session or by analyzing successive access attempts to determine patterns in the access information. For example, the analysis may consist of examining the access information to determine cycling in passwords of the access information. Cycling passwords may consist of password that are varied in a predictable or repetitive manner such as “aaaa”, “aaab”, “aaac”, “aaad”, etc. In addition, the usernames and passwords from successive access requests in an access session are analyzed to determine patterns in both the usernames and passwords. The analysis may consist of examining the access information to determine the use of identical passwords for various usernames. The analysis may also detect the cycling of passwords across multiple usernames.

Abstract: This invention relates to a method and a system for generating user passcodes for each of a plurality of transaction providers from a mobile user device. A method and system for activating a plurality of passcode generators on a user device configured with a passcode application installed on the user device is provided. Each of the passcode generators may correspond to a different user account or transaction provider, such that each passcode generator provides a user passcode configured for the corresponding account or transaction provider. One or more of the passcode generators may include a passcode generating algorithm and a passcode key. Access to one or more of the passcode generators may require providing a PIN or a challenge.

Abstract: The present disclosure presents techniques for determining when to obscure an accelerometer signal from an accelerometer of a mobile device. The techniques include determining whether a user has been prompted to provide sensitive input data to the mobile device using an input device of the mobile device. When the user has been prompted to provide sensitive input data, the technique includes obscuring a portion of an accelerometer signal outputted from an accelerometer, and receiving the sensitive input data from the user at the input device while the accelerometer signal is obscured. In some embodiments, the accelerometer signal can be obscured by (i) switching the accelerometer 216 off, (ii) inserting a random noise signal into the accelerometer signal, (iii) masking the low-order bits of the accelerometer signal, (iv) passing the accelerometer signal through a filter, (v) actuating a vibrator of the mobile device, and/or (vi) otherwise degrading the accelerometer signal.

Abstract: Techniques for user authentication are disclosed. In some situations, the techniques include receiving, from a client device, an authentication request to access a network resource, the request including a user identifier, obtaining a security credential associated with the user identifier contained in the received request, generating an authorization code based on the obtained security credential, providing to the client device instructions to obtain first information corresponding to the generated authorization code, receiving, from the client device, the first information provided in response to the provided instructions, and, when the first information received from the client device corresponds to at least a portion of the generated authorization code, authorizing the client device to access the network resource.

Abstract: A first information handling system (“IHS”) receives identification information of a first user of a second IHS. The first IHS initiates a network session in response to authenticating the identification information of the first user. Within the network session, the first IHS receives identification information of a second user of the second IHS. The first IHS authenticates the identification information of the second user.

Abstract: A pre-installation environment used by an operating system includes a pre-installation kit, a running unit, and a write inhibiting unit. The running unit is used for running the pre-installation kit, and generating an inhibiting signal when running to call the executable files for configuring network environment. The write inhibiting unit is used for inhibiting information generated by running the executable files from being written into a log file in response to the inhibiting signal.

Abstract: Methods of operating memory systems and memory systems are disclosed, such as a memory system having a memory array storing a code generating program to instruct a processor to generate a code, and a register to store a code generated by the processor, where the register is configured to allow a write operation to the memory array in response to a match of a code stored in the register and where the match is controlled in response to a request from a utility program being executed by the processor.

Abstract: A system of the present invention uses an identity provider to provide the authentication services for multiple service providers. An identity provider communicates with one or more service providers. A user that wishes to gain access to a service provider is authenticated through the use of the identity provider. A user desiring to access a service provider is first authenticated by the identity provider. The identity provider determines if the user meets the desired class level and provides various information related to the authentication. When the user attempts to access a second service provider that is associated with the same identity provider, the second service provider accesses the identity provider and determines that the user was recently authenticated. The identity provider then transmits the relevant information regarding the authentication process to the second service provider, which can then allow or deny the user access to the second service provider.

Abstract: To support authentication of a mobile device, an application server obtains an application identifier and password and creates an encrypted value by encrypting a combination of the password and a time-based value. The application server transmits the application identifier and encrypted value over a communication network to the mobile device as a credential, and the mobile device sends the credential over the network to a secure server providing an application assistance service. The secure server independently computes an encrypted value by encrypting the combination of the password and the time-based value. If the encrypted value from the received credential matches the encrypted value computed by the secure server, that server grants access to the assistance service for the mobile device.

Abstract: A secure storage system is disclosed. The secure storage system comprises a crypto engine and a storage device. The crypto engine comprises a random number generator; a hash function; a general encryption engine; and a data encryption engine. The secure storage system further includes a storage device coupled to the crypto engine. The storage device includes a storage array. The storage array includes a public partition, a secure partition and a system partition. The public partition is accessible to the public. The secure partition is accessible through the password authentication. The system partition is accessible only by the secure storage system. The password authentication is two-level instead of one, to avoid hash collision or insider tampering. The secure partition is accessed with “access gating through access key” instead of “access control through comparison.” The password can be changed without reformatting the secure storage.

Abstract: A biometric authentication device performs authentication of a user based on biometric information. In the biometric authentication device, a registry information storage stores pre-registered biometric information as registry information. An acceptance value determiner determines a verification acceptance value used for authentication, based on quality of the registry information with regard to reliability of characterizing an individual. An authentication information acquirer obtains biometric information of a user as authentication information. A similarity calculator compares the authentication information of the user with the registry information and calculates similarity between the authentication information and the registry information. An authenticator identifies whether the user is a registrant corresponding to the registry information, based on the similarity and the verification acceptance value.

Abstract: A password-encrypted key (PEK) is generated from a user-supplied password or other identifying data and then used to encrypt the user's password. The encrypted password is stored in a user record on a server. At login a would-be user's password is again used to make a key, which is then used to decrypt and compare the stored encrypted password with the would-be user's password to complete the login. The successful PEK is stored in a temporary session record and can be used to decrypt other sensitive user information previously encrypted and stored in the user record as well as to encrypt new information for storage in the user record. A public/private key system can also be used to maintain limited access for the host to certain information in the user record.

Abstract: Upon receiving an account creation request from a client, the server determines a count of new account requests, each having a respective password, received during a predefined time period, that satisfy a requirement that the respective password is a function of the password in the received account creation request, and determines a popularity value associated with the password. The server associates a spam score, based at least in part on the count and the popularity value, with the account creation request, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may enable normal use of the account.

Abstract: Various embodiments of the invention provide enhanced authentication solutions, including without limitation methods, systems and software programs for authenticating an entity and/or for facilitating such authentication. In accordance with certain embodiments, an entity (such as a user, a computer, etc.) attempts to authenticate in order to use a resource (such as a server, an application, etc.). Merely by way of example, the entity may provide a username or some other identifier to a computer responsible for authenticating the entity. In response, the authenticating computer may transmit a challenge, such as an authentication code. In particular embodiments, the challenge may be used to derive an authentication reply, which in turn may be used to derive and/or create a password (in one set of embodiments, the authentication reply itself may be the password).

Abstract: Apparatus, methods, and computer program products for providing portable communication identity services are provided. A request is received to access a portable communication identity from a communications device. User information is received that is input by a user of the communications device, and the user information is authenticated. Capabilities of the communications device are accessed, and the portable communication identity is transmitted in accordance with the capabilities of the communications device.

Abstract: A method for preparing a chip card for electronic signature services. According to said method, data is exchanged between a chip card user and a signature portal, an asymmetric pair of keys and a signature PIN that is associated with the asymmetric pair of keys being generated on the chip card by means of a software application which can be executed on the chip card, and the chip card communicating the signature PIN to the user.

Abstract: Provided are a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same. The method includes receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server, authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal, and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server. The interface server provides an interface for a network to the application service providing server.

Abstract: A system for secure information storage and delivery includes a vault repository that includes a secure vault associated with a user, wherein the secure vault is configured to receive at least one data entry. A mobile vault server coupled to the vault repository creates a mobile vault on a mobile device based on the secure vault and is capable of authenticating the mobile device based on user authentication information. The mobile vault server includes a mobile device handler that communicates with the mobile device. A synchronization utility determines whether the at least one data entry on the secure vault is transferable to or storable on the mobile vault. and transfers the data entry from the secure vault to a corresponding data entry on the mobile vault if the at least one data entry on the secure vault is determined to be transferable to or storable on the mobile vault.

Abstract: The present invention provides a secure JTAG interface to an application-specific integrated circuit (ASIC). In the preferred embodiment the invention operates through the combined efforts of a Security Module (SM) comprising a state machine that controls the security modes for the ASIC, and a Test Control Module (TCM) which contains the JTAG interface. The TCM operates in either a restricted mode or an unrestricted mode, depending on the state of the SM state machine. In a restricted mode, only limited access to memory content is permitted. In an unrestricted mode, full access to memory content is permitted.

Abstract: A computer implemented method for detecting and preventing spam account generation is disclosed. Upon receiving an account creation request from a client, the server analyzes the request and associates a spam score with the account creation request, based at least in part on a number of new account requests associated with the cookie received during a predefined time period, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may put no limit on access to (i.e., enable normal use of) the account.