Abstract: Mobile devices provide security based on geographic location. With such a technique, a mobile device may automatically check its current location against geographic information as to the location(s) in which it is permitted to operate. When the user attempts access to the device, the mobile device will prompt the user for his/her credential only if the geographic location matches an allowed location. The user gains access then by inputting information corresponding to the credential, e.g. username and password, of a valid user. In the examples, if the geographic location does not match an allowed location, the mobile device provides a warning to the user, and the user is not allowed to enter any credential information. Optionally, the mobile device may send an alert message about the device being taken outside a specified boundary, e.g. to report the situation to other personnel.

Abstract: A secure password generation method and system is provided. The method includes enabling by a processor of a computing system, password translation software. The computer processor generates and stores the random translation key. A first password is received and a second associated password is generated. The computer processor associates the second password with a secure application. The computer processor stores the random translation key within an external memory device and disables a connection between the computing system and the external memory device.

Abstract: Apparatus and method for computer-based or mobile-device-based electronic generation and verification of dynamic password, or one-time-password (OTP), that does not require initial synchronization, nor re-synchronization, between a client OTP generator and the corresponding OTP server, is provided. It employs the general OTP principles and methods to ensure the single-use of the password credential and the security strength of the OTP, and it utilizes instant dynamic parameter(s) communications for equivalent instant synchronization (EQ-sync). It can also be used to ensure integrity and authenticity of an online transaction request.

Abstract: In an embodiment, a secure module is provided that provides access keys to an unsecured system. In an embodiment, the secure module may generate passcodes and supply the passcodes to the unsecured system. In an embodiment, the access keys are sent to the unsecured system after the receiving the passcode from the unsecured system. In an embodiment, after authenticating the passcode, the secure module does not store the passcode in its memory. In an embodiment, the unsecured module requires the access key to execute a set of instructions or another entity. In an embodiment, the unsecured system does not store access keys. In an embodiment, the unsecured system erases the access key once the unsecured system no longer requires the access key. In an embodiment, the unsecured system receives a new passcode to replace the stored passcode after using the stored passcode. In an embodiments, a registration code is generated using non-determinism. In an embodiments, a key is generated using non-determinism.

Abstract: A storage device comprises a non-volatile storage media and a processor that is operative to receive, via an interface with one or more host devices, a first entered password needed for accessing data stored in the non-volatile storage media, generate a first number, combine the first entered password and the first number, generate a cryptographic key based on the combination of the first entered password and the first number, encrypt the received first entered password using the cryptographic key, and store the encrypted first entered password and the first number in the non-volatile media. The processor may be further operative to receive a request for authentication; provide a reply comprising the first number; receive a second number calculated based on a cryptographic combination of the first number and a second entered password, and authenticate the host device if the second number successfully decrypts the encrypted first entered password.

Abstract: A cloud service access and information gateway receives, from a user device, a request to access a cloud service. The cloud service access and information gateway determines an identity of a user making the request to access the cloud service and compares the identity of the user to a password vault control policy. The cloud service access and information gateway determines, based on the comparing, one or more sections of a split password vault to which the user has access. The split password vault comprises a first section storing a first set of log-in credentials and a second section storing a second set of log-in credentials.

Abstract: Technologies are generally described for authentication systems. In an example, an authentication system can be built among devices by sharing an image that is virtually torn into pieces. Each participant in the authentication system receives a piece of the image. The participants are authenticated when the pieces are later joined to form the original image.

Abstract: A method and system for providing security to a Network Job Entry (NJE) network. A first NJE node and a third NJE node are connected by a second NJE node. The second NJE node conducts a security check of NJE packets traveling between the first and third NJE nodes. The security check performed by the second NJE node includes checking the userid of the person or job that sent the NJE packet, as well as the NJE data type. The NJE data type may be classified by the type of operation being performed, such as a batch job, sysout, command, message, as well as what application is being used. In one preferred embodiment, the security check includes checking the security level of the source of the data being transferred, such as a sensitive application. The security check can be based on the size of the data packet, such that excessively large data packets from a particular user are not permitted to be transmitted outside a secure NJE network.

Abstract: A ciphering key management technique for use in a WLAN receiver is provided where a hash table is stored that has a first and a second table portion. The first table portion stores transmitter address data and the second table portion stores at least one cipher key. It is determined whether a transmitter address matches transmitter address data in the first table portion, and if so, a corresponding cipher key stored in the second table portion is determined for use in decrypting the received data. The hash table technique allows for a fast search for the correct cipher key. Embodiments are described that allow for dynamically adding and removing keys without blocking the search.

Abstract: A Wi-Fi router with an integrated configuration touch-screen, and method to use this integrated touch screen to provide enhanced security features. The Wi-Fi router, which has a wired or optical network interface, may be factory pre-configured with hard to anticipate passwords and encryption codes, thus making even its default Wi-Fi settings difficult to attack. Besides displaying interactive menus on the touch-screen, the router may also generate touch sensitive dynamic alphanumeric virtual keypads to enable administrators to interact with the device without the need of extra computers or software. Inexperienced administrators secure in the knowledge that they may access and change even difficult to remember security settings at any time through the built-in touch-screen controller and simplified user interface, are encouraged to set up secure Wi-Fi systems. The device may optionally include security software that, upon touch of a button, can provide new randomized or otherwise obfuscated router settings.

Abstract: A method and system for protection of and secure access to a computer system or computer network. The method includes the steps of receiving a first login account identifier, such as a user name from a user in communication with the computer system or network. A determination is made if the user is recognized and enrolled from the first login account from the first login account identifier. If the user is recognized, a grid of randomly generated visual images is displayed including one visual image from an image category which has been preselected by the user upon enrollment. An image category identifier is randomly assigned to each visual image in the grid. An image category identifier, second login account identifier, such as a password, is entered and received. If the login account identifier and the image category is validated, access is permitted to the computer system or network.

Abstract: Techniques are provided for the controlled scheduling of the authentication of devices in a lossy network, such as a mesh network. An authenticator device that is configured to authenticate devices in a lossy network receives an authentication start message from a particular device to be authenticated. The authenticator device determines a schedule for engaging in an authentication procedure for the particular device based on an indication of current network utilization.

Abstract: In a case where a plurality of users are made correspondent to one IC card, user changeover is performed without a logout process. When the IC card is passed over a card reader while a user is logging in, it is judged whether or not the passed card is the IC card used in a login process of the user who is logging in. If NO, a logout process of the user who is logging in is performed, and a user login process using the newly passed IC card is performed. On the other hand, if YES, it is further judged whether or not the plurality of users are made correspondent to the passed IC card. If YES, selection of the user who intends to newly log in is accepted.

Abstract: A method and system for performing a security authentication. A name of a user, N sequences of digits, and encrypted values respectively corresponding to the digits in the N sequences are transmitted to a destination device. Each sequence includes a same M unique digits and begins with a different digit, wherein N?2 and M?3. N encrypted values of the transmitted encrypted values are received, wherein an Ith received encrypted value of the N received encrypted values corresponds to one of the digits selected by the user, at an electronic device, from a respective Ith sequence of the N sequences (I=1, 2, . . . , N). N digits respectively corresponding to the received N encrypted values are determined. The determined N digits form a number matching a PIN associated with the name of the user, which authenticates the user to access a resource.

Abstract: The present disclosure proposes a secure way to generate the OTP code by way of a web browser. A user does not need any electronic device on hand to obtain OTP for 2FA login. A new Rubbing Encryption Algorithm (REAL) is proposed as the base technology. Implementation method of such web-based OTP token is presented and analyzed. It operates through a web-browser with a multiple REAL keys. It can be integrated into many secure Internet commerce applications as well. A system is provided for secure access to a software program or website. The system has a first entity with a computing device with a processor and a memory. The first entity provides a plurality of data items. The system also has a second entity with at least one display for displaying the plurality of data items. The data items are arranged in a predetermined format. The display also displays a prompt for a user identification and a prompt for a code. The second entity has a member with a transparent portion.

Abstract: A mobile communication terminal having a password notification function and a method for notifying a user of a password in the mobile communication terminal that allow the transmission of a stored password or a newly generated random password to a previously selected medium by entering a secondary password when an input password is not identical to the stored password. The method includes checking whether a password notification function is set; requesting input of a stored password, receiving an input password, and checking whether the input password is identical to the stored password. If the input password is not identical to the stored password, the method further includes requesting input of a stored secondary password, checking whether an input secondary password is identical to the stored secondary password, and sending a password if the input secondary password is identical to the stored secondary password.

Abstract: According to one embodiment, an electronic apparatus comprises a communication module and a connection control module. The communication module is configured to execute close proximity wireless transfer. The connection control module is configured to start an operation of establishing a connection between the communication module and an external device which is in close proximity to the communication module if an identifier of the external device wirelessly transmitted from the external device is included in a connection permission list. The connection control module is configured to display a password entry screen if the identifier is not included in the connection permission list, and to add, if a password entered on the password entry screen matches with a registered password, the identifier to the connection permission list and start the operation of establishing the connection between the communication module and the external device.

Abstract: Structures and methods are disclosed for selectively capturing (“peeling”) and replicating (“cloning”) OTP tokens from one device to another while maintaining OTP state. Embodiments described herein provide for sending, from a first device to a second device, state information including for example, a key, a current OTP sequence value and a time to expiry value corresponding to selected tokens to be cloned. The second device thereafter uses the state information to generate OTP sequences corresponding to the selected tokens in time-synchronization with corresponding authentication entities. Additionally, embodiments described herein provide for restoring the OTP sequence corresponding to the selected tokens on the first device following a loss of synchronization of the selected tokens on the first device.

Abstract: A facility for performing a local human verification ceremony to obtain user verification is provided. Upon determining that user verification is needed to perform an action on a computer system, the facility presents a CAPTCHA challenge requesting verification that the user wants the action performed on the computer system. Upon receiving a response, the facility compares the received response to an expected correct response. If the received response is the correct response, the facility authorizes the action to be performed.

Abstract: A time clock 10, capable of outputting a datum to an USB memory 100 connected thereto, includes a controller authenticating whether or not the USB memory 100 is valid an external apparatus as an output destination to which the datum is output, and determining whether or not the datum is output on the basis of the authentication result. Further, the controller 25 authenticates an external apparatus on the basis of an authentication datum stored in the USB memory 100. The controller 25 performs the authentication on the basis of an identification datum of the time clock and an identification datum included in the authentication datum stored in the external apparatus.

Abstract: An entertainment device comprises communication means operable to receive media data from a media data source, storage means operable to store the received media data, in which the storage means limits the duration of access to the media data which was received from the media data source.

Abstract: A simple, customizable and intuitive virtual combination unlock method and system. More specifically, an unlock system and method is disclosed which includes a virtual combination lock, where the virtual combination lock includes several rows of user-selectable images such as pictures or icons as the virtual combination wheels. In certain embodiments, the images are accessed via the user's database. To unlock the device, the user touches and drags pre-selected images into alignment with each other. Security can be adjusted by changing the number of images that need to be aligned to unlock the device.

Abstract: A secure password generation method and system is provided. The method includes enabling by a processor of a computing system, password translation software. The computer processor generates and stores the random translation key. A first password is received and a second associated password is generated. The computer processor associates the second password with a secure application. The computer processor stores the random translation key within an external memory device and disables a connection between the computing system and the external memory device.

Abstract: A system for password generation and control is provided. The system includes a client and a server system. A password component is operable on the client system for automatically on a re-occurring basis generating a password for an application operable by the client system based upon at least two inputs accessible from the client system. A password manager component is operable on the server system to generate the password using the at least two inputs to enable access to the application the client system.

Abstract: A system, method and computer program product for a user to verify that a network resource address is trusted. At least one entity registration is stored at a server. Each entity registration comprises an identity of an entity and entity addressing information associated with the identity of the entity. The existence of at least one entity whose identity is included in the at least one entity registration is confirmed. A query comprising a target addressing information is received from a client. If the target addressing information matches the entity addressing information, the identity of the entity associated with the entity addressing information is determined and a result comprising the identity of the entity associated with the entity addressing information matching the target addressing information is transmitted to the client. If no entity addressing information matches the target addressing information, an indication of such is transmitted to the client.

Abstract: A user accessing a protected resource is authenticated using multiple channels, including a mobile device of the user. A user attempting to access a protected resource is authenticated by receiving a request from a mobile device of the user to access the protected resource; receiving a public key from the mobile device of the user; providing a provision token to the mobile device, wherein the provision token is used by the user to access the protected resource using a second device; and confirming the provision token to a provider of the protected resource to authorize the user to access the protected resource. The user then communicates with the provider using a second device to authorize the provisioning token. A transaction signing protocol is also provided.

Abstract: According to one embodiment, a device includes a cell array including an ordinary area, a hidden area, and an identification information record area in which identification information which defines a condition for accessing the hidden area is recorded. An authentication circuit performs authentication. A sensing circuit recognizes information recorded in the identification information storage area, determines the information recorded in the identification information record area when an access request selects the hidden area, validates an access to the hidden area when determined that the identification information is recorded, and invalidates an access to the hidden area when determined that the identification information is not recorded.

Abstract: A payment processing system for accepting manually-entered payment-card numbers. Rather than entering a payment-card account number into an application module, the card number is instead captured and stored within a tokenizer prior to being sent to the application module. The tokenizer then returns a random token to the calling application as a pointer to the original payment-card number. The token has no algorithmic relationship with the original payment-card number, so that the payment-card number cannot be derived based on the token itself. Since the token is not considered cardholder data, the token may be used in an application module without the module or its connected hardware from being subject to regulatory standards compliance. Some embodiments involve browser-based schemes, and some embodiments involve PIN-entry device-based schemes.

Abstract: Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different host with different characteristics from the same base logical rule set.

Abstract: Authentication codes associated with an entity are generated. A stored secret associated with an entity is retrieved. At a first point in time, a first dynamic value associated with a first time interval is determined. A first authentication code based on the first dynamic value is determined. At a second point in time, a second dynamic value associated with a second time interval is determined. A second authentication code based on the second dynamic value is determined. The first and second authentication codes are derived from the stored secret and the amount of time between the first and second points in time is different from the length of the first time interval.

Abstract: In accordance with embodiments of the present disclosure, a method may include generating a random number to be associated with an information handling resource. The method may also include generating a challenge string based at least on the random number. The method may additionally include encrypting the challenge string using a first shared secret. The method may further include receiving a one-time password generated by a vendor associated with the information handling resource, the one-time password generated by decrypting the challenge string using the first shared secret, parsing the random number from the decrypted challenge string, and digitally signing the decrypted challenge string with a digital signature using a second shared secret. The method may also include granting user access to the information handling resource in response to verifying, using the second shared secret, that the digital signature matches the random number.

Abstract: A system for entering a secure Personal Identification Number (PIN) into a mobile computing device includes a mobile computing device and a peripheral device that are connected via a data communication link The mobile computing device includes a mobile application and a display and the mobile application runs on the mobile computing device and displays a grid on the mobile computing device display. The peripheral device includes a display and an encryption engine, and the peripheral device display displays a grid corresponding to the grid displayed on the mobile computing device display. Positional inputs on the mobile computing device grid are sent to the peripheral device and the peripheral device decodes the positional inputs into PIN digits and generates an encrypted PIN and then sends the encrypted PIN back to the mobile computing device.

Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.

Abstract: A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gate recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.

Abstract: A payment device—payment device reader combination obtains issuer token data that was generated by an issuer entity from: input data, and an issuer application cryptogram based on the input data and a session key. The issuer token data is disassembled by the payment device—payment device reader combination to obtain the input data and the issuer application cryptogram, and the payment device—payment device reader combination computes a payment device application cryptogram based on the input data and the session key. This is compared, by the payment device—payment device reader combination, to the issuer application cryptogram. If the payment device application cryptogram matches the issuer application cryptogram, at least one action is allowed to take place on the payment device.

Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.

Abstract: A user inserts a received random sequence into the user's password or PIN. The user enters and transmits this randomized password to a service provider. The service provider extracts the password to determine whether to authenticate the user.

Abstract: A method and apparatus for preventing accidental disclosure of confidential information via visual representation objects is described. In one embodiment, the method includes establishing pattern information with respect to confidential information, wherein the confidential information is used to authenticate users, monitoring a visual representation object having an input focus associated with a user interface, wherein the visual representation object receives input data, comparing the input data with the pattern information to identify at least one unobscured portion of the confidential information and producing indicia of detection of the at least one unobscured portion of the confidential information on the visual representation object.

Abstract: A method for imputing different usernames and passwords using an input device with a display to use different protected assets that requires the inputting of a preselected username into a username enter box and the inputting of a preselected password into a password entry box immediately prior to use. The method includes the steps of designating two or more username keys on said input device, each said username key being assigned with a unique letter or number located on said input device and to a unique username made of a plurality of alpha-number characters, designating two or more password keys on the input device each being assigned with a letter or number located on said input device and to a unique password made of a plurality of alpha-number characters. Next the protected asset is then accessed and the username key and keyword key assigned to the asset is imputed.

Abstract: Generally speaking, systems, methods and media for authenticating a user to a server based on previous authentications to other servers are disclosed. Embodiments of a method for authenticating a user to a server may include receiving a request to authenticate the user to the server and determining whether authenticating the user requires matching an authentication plan. If a plan is required, the method may also include accessing a stored authentication plan with authentication records each having expected information relating to user access to a different server. The method may also include receiving an indication of the user's current authentication plan from an authentication store where the plan has authorization records each having current information relating to user access. Embodiments of the method may also include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response to a match, authenticating the user.

Abstract: Systems and methods for limiting access to data in a portable data storage device. An exemplary method may use an electronic computing device to prevent access to the data and includes the step of providing the portable storage device with a first software program that has a current expiration time value. The first software program is able to compare the current expiration time value against a time based parameter and activate a security mechanism protecting the data stored in the portable data storage device based on the comparison. The method also includes the step of providing an electronic computing device with a second software program. The second software program is able to identify the portable data storage device and reset the current expiration time value of the first software program to a later time value when the electronic computing device is electronically communicating with the portable data storage device.

Abstract: In accordance with the teachings of the present invention, a system and method for transporting an ancillary data packet in the active area of a video stream are provided. In particular embodiments of the present invention, the method includes coupling a playback server and a digital video projector with a DVI link; placing an ancillary data packet of link encryption metadata in a false line of video in an active area of a frame of video at the playback server, a remainder of the active area comprising true lines of video; transmitting the ancillary data packet from the playback server to a digital video projector through the DVI link; extracting the ancillary data packet from the frame of video at the digital video projector; and displaying the remainder of the active area of the frame of video at the digital video projector.

Abstract: A method, apparatus and computer program product for controlling access to host access credentials required to access a host computer system by a client application is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials and a determination as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.

Abstract: To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.

Abstract: The present invention discloses an authentication method and a key device and relates to the information security field. The authentication method comprises initiating user authentication, generating a dynamic code and then a first verification code on the basis of the dynamic code, and outputting the dynamic code, by a key device; and receiving a second verification code entered by a user via a host, and collating the second verification code with the first verification code, by the key device, and if a match is found, the user access is authorized to the key device; otherwise, the user access is prohibited. The key device comprises a trigger module, a generator module, an output module, a communication module, a collator module, a controller module and a security module. According to the present invention, better security is achieved by reducing the possibility of sensitive information disclosure and misuse in case of password theft for the key device.

Abstract: A system and method for providing, as a service over a computer network (especially a packet-switched computer network) to a body of merchants connected to the computer network, verification of consumer identification based on data provided over the computer network by scanning devices attached to the computers operated by consumers.

Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.

Abstract: One of the objects of the present invention is to provide a communication system in which biometrics can be utilized without leaking to a third person so that a strict personal authentication can be conducted. The communication system includes, storing a correspondence table in a card, storing a reference password which is formed by converting a part of biometrics of an authorized user in the card by using the correspondence table, reading a part of biometrics of a user by the card, converting a part of the biometrics of the user into a password by the card using the correspondence table, and checking the password against the reference password by the card, wherein the card and the user are authenticated if a the password and the reference password match in the step of checking.

Abstract: A system and method for changing safety-relevant data for a control device is provided wherein an authorized user inputs new or altered safety-relevant data, which is received on a data processing installation. A first checksum for the safety-relevant data is established and stored along with the safety-relevant data in at least one data record on the data processing installation. An enable code may also be stored in the at least one data record. This enable code may be produced by a code generator and encrypted by a key module. The data processing installation then reads back the safety-relevant data from a memory in the data processing installation, thereby allowing a comparison of the received safety-relevant data and the read back safety-relevant data. A second checksum is generated in a case where the comparison resulted in no differences. The second checksum may also be stored in the at least one data record.

Abstract: Aspects of this disclosure are directed to outputting, for display at a presence-sensitive display, a first set of two or more selectable objects in a first arrangement of locations, the computing device operating in a first instance of a limited access state. At least one of the selectable objects includes an element of a predetermined passcode. The computing device may receive an indication of a first gesture to select one of the selectable objects and an indication of a second gesture to designate the selected object as an element of a candidate passcode. The computing device may transition to an access state based at least in part on a comparison between the candidate passcode and the predetermined passcode. The computing device may transition to a second instance of the limited access state, and may output a second set of two or more selectable objects in a second, different arrangement.