Using Record Or Token Patents (Class 713/185)
  • Patent number: 11595381
    Abstract: Techniques for secure authentication in virtual reality are provided. A virtual reality application executing on a virtual reality device can provide a virtual reality environment. The virtual reality application may communicate with a server that provides a plurality of objects for display in the VR environment. The environment can include an object that, once selected, may initiate an authentication process. Once initiated, an authentication application may be launched on the VR device, so that a private authentication environment may be provided to the user. The user may be prompted to provide a biometric sample using one or more input devices coupled to the VR device. The biometric sample can then be sent to the authentication server, so that an authentication result may be determined from a comparison of the sample to a biometric template established during registration.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: February 28, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Christopher Szafranski, Lance Weber
  • Patent number: 11593506
    Abstract: Systems and methods for obtaining a SQL query, translating the SQL into a modified SQL query incorporating a privacy mechanism, and outputting the modified SQL query incorporating the privacy mechanism. In some embodiments, the modified SQL query incorporating the privacy mechanism is forwarded to a SQL database.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: February 28, 2023
    Assignee: IMMUTA, INC.
    Inventors: Kyle Thomas Lilly, Joseph J. Regensburger, Alfred V. Rossi, III, Mason Sharp
  • Patent number: 11586760
    Abstract: A method for resolving ambiguity in computer data includes processing a record creation request transmitted from a computing device. The record creation request includes entity creation data and a login key. The login key includes a primary identifier and a password. The method also includes executing a matching algorithm with a selectable combination of the entity creation data at an entity database to identify a single entity record matching a selectable combination of the record creation request. The single entity record is linked to multiple different login keys. The method also includes updating one or more attributes of the single entity record with the entity creation data. Further, the method includes storing session data created during a session associated with the login key by using the login key to segregate the session data in the entity database, and linking the session data to the single entity record.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: February 21, 2023
    Assignee: MAIN SEQUENCE TECHNOLOGY, INC.
    Inventor: Michael H. Snyder
  • Patent number: 11568389
    Abstract: A mobile device includes a display device; a processor; and a memory device configured to store instructions that, when executed by the processor, cause the processor to: present, by the display device, a user interface for accessing a mobile online banking application; receive a credential for authenticating and accessing the mobile online banking application; provide, by the display device, an option to create a mobile wallet during use of the mobile online banking application; and responsive to receiving an indication to create the mobile wallet, install a mobile wallet application on the mobile device for future mobile wallet transactions.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: January 31, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ashish Bhoopen Kurani, Nikolai Stroke, Bipin Sahni, Stephen M. Ellis
  • Patent number: 11546344
    Abstract: An ID is managed, and access information including the ID is displayed on a first web browser. Thereafter, in response to reception of an access request by use of the access information from a second web browser, the predetermined web page is displayed on the second web browser, based on the ID included in the access request. Then, in response to completion of predetermined processing which is performed based on the predetermined web page, a first web page is displayed. In a case where display of a second web page, which is provided by a predetermined server, is requested by the user on the first web browser of the apparatus, the first web browser is controlled to perform a display for prompting an access to the predetermined server from another apparatus.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: January 3, 2023
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tomioka
  • Patent number: 11526717
    Abstract: The present disclosure relates to a new generation “smart card” designed to create a severable invisible “bond” between the cardholder and the smart card itself where this trusted bond relationship is used to enhance and simplify the authentication process and during the use of the multi-purpose smart card. This new smart card is initiated and connected to a specific user using biometric information added to the card and the user using biometric information connects via a trusted bond with the card by pairing the biometric information which can be severed in one of multiple ways. The trusted bond with the smart card can be broken in one of multiple ways including disconnection from a network, distancing from the user, impact accelerometers, outside parameters, etc. The multi-function smart card also uses this established trusted bond with the user to simplify the authentication of the user for use of the card in encrypted computer network, ground security, or other retail and payment function.
    Type: Grant
    Filed: May 19, 2021
    Date of Patent: December 13, 2022
    Assignee: SENTRYCARD TECHNOLOGIES, INC.
    Inventors: Mark W. Bennett, John P. Calzaretta
  • Patent number: 11521213
    Abstract: Various embodiments are generally directed to continuous authentication of a user to a digital service based on activity of a contactless card positioned proximate to a computing device on which the digital service operates. For example, a series of periodic status messages may be provided between a client device and the contactless card to verify whether the contactless card remains active, wherein authorization to access the digital service continues while the contactless card is active, and terminates when the contactless card is inactive.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: December 6, 2022
    Assignee: Capital One Services, LLC
    Inventors: Jeffrey Rule, Rajko Ilincic
  • Patent number: 11522725
    Abstract: A method, system and computer program product for reducing the amount of helper data that needs to be stored using two innovative techniques. The first technique uses bit-error-rate (BER)-aware lossy compression. By treating a fraction of reliable bits as unreliable, it effectively reduces the size of the reliability mask. With the view of practical costs of production-time error characterization, the second technique enables economically feasible across-temperature per-bit BER evaluation for use in a number of fuzzy extractor optimizations based on bit-selection to reduce overall BER (with or without subsequent compression) using room-temperature only production-time characterization. The technique is based on stochastic concentration theory and allows efficiently forming confidence intervals for average across-temperature BER of a selected set of bits.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: December 6, 2022
    Assignee: Board of Regents, The University of Texas System
    Inventors: Michael Orshansky, Ye Wang
  • Patent number: 11522709
    Abstract: An access control system which relies at least in part on a non-networked path for permitting an entity access to a secured location; the entity identified by the system by means of a unique entity identifier accorded the entity; entry to said secured location secured by a barrier; said barrier identified by the system by means of a unique barrier identifier accorded the barrier; said system including a local access unit located local to the barrier; said system including a barrier controller for actuation of the barrier; said local access unit issuing an open signal to the barrier controller whereby the barrier permits the entity access to the secured location if and only if data contained in a token communicated from an un-trusted communications device to the local access unit is verified by the local access unit with respect to at least a first parameter by the local access unit.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: December 6, 2022
    Assignee: HANGAR HOLDINGS PTY LTD
    Inventors: Peter Carey, Alex Taylor, Albert Issa
  • Patent number: 11522701
    Abstract: Methods, systems, computer-readable media, and apparatuses may provide creation and management of composite tokens for use with services in a virtual environment without the user having to re-authenticate each time the user accesses a different service. A composite identity server may receive a request to upgrade a first authentication token for a user. The composite identity server may redirect a user agent to an identity provider for authentication and, in response, may receive a second authentication token for the user. The composite identity server may send the second authentication token to a federated microservice and, in response, may receive one or more claims of the second authentication token designated for inclusion in a composite token. The composite identity server may generate a composite token including the one or more claims of the first authentication token and one or more claims of the second authentication token.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: December 6, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Bradley Markus Rowe, Ricardo Feijoo, Tom Michael Kludy, Ayush Jain, Gerald Haagsma
  • Patent number: 11516649
    Abstract: Some embodiments relate to methods and systems for initiating and transferring cellular subscription service using associated cellular communication devices. Cellular service may be initiated for a first cellular communication device via a second cellular communication device. The first cellular communication device may be provisioned to operate in an independent mode. In other scenarios, cellular service may be transferred from the first cellular communication device operating in independent mode to a third cellular communication device, which may be provisioned to operate in independent mode.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: November 29, 2022
    Assignee: Apple Inc.
    Inventors: Samy Touati, Chenzhi Yu, Li Li, Rafael L. Rivera-Barreto, Rohan C. Malthankar
  • Patent number: 11509134
    Abstract: An interface protection circuit and a device interface are disclosed. The interface protection circuit includes a capacitor and a transient voltage suppressor (TVS) transistor. A first end of the capacitor is connected to a connection port, a second end of the capacitor is connected to a first end of the TVS transistor and an interface chip, and a second end of the TVS transistor is grounded.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: November 22, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chao Zan, Qiming Tang, Guangrong Zhou, Jun Yan
  • Patent number: 11507355
    Abstract: In an approach, a process intercepts a deployment resource associated with software prior to deploying the software to a node, where the deployment resource configures how the software is deployed and operates. A processor verifies authenticity of a digital signature present within the deployment resource. A processor, responsive to verifying the authenticity of the digital signature, deploys the software to the node in accordance with the deployment resource.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: November 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Michael S. McKay, Jacob Andrew Kitchener, Richard Adam King, Alexander Lewitt
  • Patent number: 11503093
    Abstract: A method, computer program product, and computing device for monitoring network activity associated with streaming a data load through a stream application including a plurality of stream operators deployed on a plurality of computing devices. One or more stream operators with one or more external connections may be identified from the plurality of stream operators. The identified one or more stream operators may be deployed based upon, at least in part, the one or more external connections.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: November 15, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Alexander Cook, Peter A. Nicholls, Jason A. Nikolai, John M. Santosuosso
  • Patent number: 11494780
    Abstract: A computer-implemented method for verifying cardholder authenticity when provisioning a token is provided. The method uses an authentication server system having a processor and a memory. The method includes receiving, by the processor, a payment card account identifier provided by a payment requestor. The payment card account identifier for identifying a payment account associated with a cardholder. The method also includes determining a plurality of authentication data associated with the payment requestor, and performing an authentication process using the plurality of authentication data. The authentication process is configured to determine if the payment requestor is the cardholder. The method further includes determining an assurance level associated with the authentication process. The assurance level represents a level of confidence in the authentication process.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: November 8, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Gregory Williamson, Robert Reany, Sherri Haymond, Salman Syed
  • Patent number: 11488151
    Abstract: Methods and devices for conducting a payment transaction between a mobile terminal and a payment terminal in communication with a payment backend system involve: (a) sending a unique mobile terminal identifier from the mobile terminal to the payment backend system; (b) returning a cryptogram from the payment backend system to the mobile terminal, wherein the cryptogram comprises a unique transaction identifier in encrypted form; (c) transforming the cryptogram into a proximity payment token such that the proximity payment token contains the unique transaction identifier in encrypted form and transmitting the proximity payment token to the payment terminal via a proximity communication channel; (d) forwarding a transaction record including the unique transaction identifier in encrypted form and the amount of the payment transaction from the payment terminal to the payment backend system; and (e) decrypting the unique transaction data identifier in encrypted form and processing the payment transaction.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: November 1, 2022
    Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
    Inventors: Matthias Besch, Xiaomin Li, Xiaodong Zhang
  • Patent number: 11487862
    Abstract: Techniques are provided for basic input/output system (BIOS) protection using multi-factor authentication (MFA) based on digital identity values. One method comprises obtaining, by a BIOS of a hardware device, from a user device, (i) a request to access the BIOS, and (ii) a token based on a digital identity value for the user device; providing the token to an MFA chip on the hardware device, wherein the MFA chip evaluates the token and provides a verification result to the BIOS; and allowing the user device to access the BIOS based on the verification result. The digital identity value for the user device may be stored by the MFA chip during a fabrication of the MFA chip and/or a registration of the user device. The MFA chip may compare the digital identity value from the token received from the BIOS with the digital identity value for the user device stored by the MFA chip.
    Type: Grant
    Filed: January 18, 2021
    Date of Patent: November 1, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Tomer Shachar, Yevgeni Gehtman, Maxim Balin, Or Herman Saffar
  • Patent number: 11475452
    Abstract: A transaction processing system (130) is arranged to receive a transaction request from a user device (110), the transaction processing system (130) comprises a cookie retriever (141) arranged to obtain a cookie (112) stored in a browser application (111) of the user device (110) containing outcome data indicative of an outcome of at least one prior transaction, a processing setter (142) arranged to determine based on the outcome data which of a plurality of transaction processes (152) is to be applied by the transaction processing system (130) to the transaction request, and a transaction processor (143) arranged to process the transaction in accordance with the determined transaction process.
    Type: Grant
    Filed: May 9, 2014
    Date of Patent: October 18, 2022
    Assignee: Afterpay Corporate Services Pty Ltd
    Inventor: Jason Andrew Van
  • Patent number: 11477206
    Abstract: An example terminal includes a communication circuitry configured to communicate with a server; and a data processor configured to request the server to include a second user in a relationship group of a first user and to extend, to the relationship group, a range of authorization for an Internet of Things (IoT) apparatus registered as an apparatus of the first user.
    Type: Grant
    Filed: March 16, 2020
    Date of Patent: October 18, 2022
    Assignees: SAMSUNG ELECTRONICS CO., LTD., KOREA ELECTRONICS TECHNOLOGY INSTITUTE
    Inventors: Ji-min Chung, Seung-woo Kum, Young-sun Ryu, Tae-beom Lim
  • Patent number: 11475111
    Abstract: A system and method for resuming a remote desktop for a networked client device. An access control system accepts login data from a user input to a networked client device, and/or user activity data collected by an agent running on the desktop. The networked client device may include a client application. A data center allows access to an activated desktop to the networked client device. The access control system suspends the desktop when the user is inactive in operating the client device. The access control system resumes the desktop on the networked client device in relation to a predicted start time. The predicted start time is based on login data from past logins by the user on networked client devices.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: October 18, 2022
    Assignee: Workspot, Inc.
    Inventors: Shiva Madishetti, Lisa Wing San Chui, Anushree Kunal Pole, Edward A. Seidman, Virabrahma Prasad Krothapalli, Amitabh Bhuvangyan Sinha, Jimmy Chang, David T. Sulcer
  • Patent number: 11470085
    Abstract: Authorization for access to an application server and associated communication service can be desirably managed. When a device attempts to access an application server and service, an authorization server generates an encrypted token, comprising device identifier information, and communicates the token to the device. The device communicates the token to the application server. The application server communicates the token to the authorization server. The authorization server determines whether the device is validated to access the application server and service based on the encrypted token, private decryption key, and initialization vector, and based on subscriber-related information. The authorization server does not share the private decryption key or initialization vector with the application server. If validated, the authorization server communicates validation-related information, including a permitted portion of subscriber-related information, to the application server.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: October 11, 2022
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Bhuvan C. Modi, Mohammad Khalid Hafeez, Robert B. Zegheru, Jerry Shih
  • Patent number: 11468719
    Abstract: It is provided a method for enabling access control for access to a physical space secured by a lock device. The method is performed in a security device and comprises the steps of: obtaining at least one image captured using a first camera of a portable key device, the at least one image being captured in a vicinity of the lock device; receiving a template decryption key from a lock device over a short-range communication link; obtaining a credential associated with the lock device; matching the at least one image with a plurality of templates, each template being associated with a lock device, which comprises obtaining the plurality of templates by decrypting encrypted templates using the template decryption key; and wherein a positive match is a necessary condition for opening the lock device.
    Type: Grant
    Filed: September 17, 2019
    Date of Patent: October 11, 2022
    Assignee: ASSA ABLOY AB
    Inventors: Fredrik Einberg, Fredrik Lindersson
  • Patent number: 11463419
    Abstract: Disclosed is a file security method for reinforcing file security. The method may include: by a first communication device, detecting an access to a file stored in a virtual drive; by the first communication device, requesting a decryption key of the file to a second communication device and receiving the decryption key; and by the first communication device, decrypting the access-detected file by using the decryption key.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: October 4, 2022
    Assignee: Facecon Co., Ltd.
    Inventors: Giho Yang, Jae-Yeob Hwang
  • Patent number: 11463433
    Abstract: An authentication system for detecting a phishing attack by a Man in Middle (MIM) on an end-user. The system includes a communicating device of the end-user and an authentication server for determining if a MIM (spoofing) or the end-user is communicating with the authentication server. The communicating device includes a bearer sensitive one-time password (BOTP) generator for generating a specific BOTP specifically associated with the communicating device where the BOTP is derived using a unique differentiating observable attribute (UDOA) of the communicating device. The communicating device sends the BOTP to the authentication server which uses the perceived UDOA of the received BOTP and calculates an authenticator server BOTP. The authentication server also determines if the received BOTP matches the BOTP calculated by the authenticating server and terminates/rejects the session if the BOTPs do not match. A similar system and method may be utilized to authenticate a digital object.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: October 4, 2022
    Inventors: Arpitha Chiruvolu, Girish Chiruvolu
  • Patent number: 11456081
    Abstract: A drug distribution system and method utilizes a central pharmacy and database to track all prescriptions for a sensitive drug. Information is kept in the database regarding all physicians allowed to prescribe the sensitive drug, and all patients receiving the drug. Abuses are identified by monitoring data in the database for prescription patterns by physicians and prescriptions obtained by patients and/or caregivers. Further verification is made that the physician is eligible to prescribe the drug by consulting a separate database, and optionally whether any actions are taken against the physician. Multiple controls beyond those for normal drugs are imposed on the distribution depending on the sensitivity of the drug.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: September 27, 2022
    Assignee: Jazz Pharmaceuticals, Inc.
    Inventors: Prasheel Vashdev Lillaney, Sherice Reneé Mills, Gary Joseph Appio
  • Patent number: 11451518
    Abstract: A communication device includes a signature encryption unit that encrypts input information with a secret key and transmits the information to a server device if the communication device belongs to a group, and a signature decryption unit that downloads, from the server device, encrypted n−1 pieces of the input information transmitted from other communication devices and decrypts the encrypted n−1 pieces of input information with the secret key if the communication device belongs to a group. The communication device transmits session key generation information to the server device via the signature encryption unit, generates a session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device, transmits a cipher text encrypted with the session key via the signature encryption unit to the server device, and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: September 20, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tetsutaro Kobayashi, Yuto Kawahara, Hitoshi Fuji, Reo Yoshida, Kazuki Yoneyama
  • Patent number: 11443075
    Abstract: A secure storage system having authentication and cryptographic data protection is made by providing a mass-data memory and a security element communicatively coupled with the mass-data memory. This mass-data memory and the securing element are controlled by respective different control commands such that different drivers can be installed to operate the mass-data memory and the security element. A secured hardware data interface is provided between the mass-data memory and the security element, and the security element provides security-critical information concerning the data of the mass-data memory.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: September 13, 2022
    Assignee: SECUNET SECURITY NETWORKS AG
    Inventors: Jens Kulikowski, Soenke Schroeder
  • Patent number: 11434660
    Abstract: An electronic lockbox uses a rotary actuator with multiple positions to achieve multiple locking states. Multiple positions of the actuator are detected, using optical sensors. The locking mechanism includes an outer sleeve and an inner cylindrical barrel that are coupled with torsion springs. The lockbox has a shackle and a key bin that are retained by the inner barrel when in the locked state, and the barrel can be rotated to either release the shackle or to release the key bin that typically holds a building's key.
    Type: Grant
    Filed: November 29, 2019
    Date of Patent: September 6, 2022
    Assignee: Sentri Lock, LLC
    Inventors: Scott R. Fisher, Alan F. Deardoff, Nancy C. Griffiths, Daniel C. Cambron, Matthew K. Caskey
  • Patent number: 11431511
    Abstract: At least one processor of a central authority separate from a computing process may establish a first trust relationship between the computing process and a central authority separate from the computing process. The establishing may include authenticating the computing process, which may include providing a signed token to the computing process, receiving a request for the certificate from the computing process including the signed token and policy ID data, determining that the computing process is eligible for the certificate according to a policy that associates the certificate with the policy ID data, and validating the signed token. In response to the establishing, the at least one processor may obtain the certificate. The certificate may be signed by a third-party certificate authority with which the central authority has a second trust relationship separate from the first trust relationship. The at least one processor may provide the certificate to the computing process.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: August 30, 2022
    Assignee: INTUIT INC.
    Inventors: Gleb Keselman, Yaron Sheffer, Mike Rooz
  • Patent number: 11417159
    Abstract: The present disclosure discloses methods and systems for controlling a smart lock. The method may include establishing a secure connection with a network, obtaining security control information through the secure connection, obtaining an operation input; performing a security verification based on the security control information and the operation input, and performing a corresponding operation based on the operation input when the security verification is passed.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: August 16, 2022
    Assignee: YUNDING NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Tao Li, Binghui Peng, Qi Yi, Yuchuan Liu, Xiancang Li
  • Patent number: 11412379
    Abstract: A method of controlling a moving object using an identification device may include recognizing the identification device by the moving object; identifying and authenticating a user with the recognized identification device; and providing a service to the authenticated user.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: August 9, 2022
    Assignees: Hyundai Motor Company, Kia Motors Corporation
    Inventors: Jae Jun Ha, Young Jun Moon
  • Patent number: 11410779
    Abstract: A drug distribution system and method utilizes a central pharmacy and database to track all prescriptions for a sensitive drug. Information is kept in the database regarding all physicians allowed to prescribe the sensitive drug, and all patients receiving the drug. Abuses are identified by monitoring data in the database for prescription patterns by physicians and prescriptions obtained by patients and/or caregivers. Further verification is made that the physician is eligible to prescribe the drug by consulting a separate database, and optionally whether any actions are taken against the physician. Multiple controls beyond those for normal drugs are imposed on the distribution depending on the sensitivity of the drug.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: August 9, 2022
    Assignee: Jazz Pharmaceuticals, Inc.
    Inventors: Prasheel Vashdev Lillaney, Sherice Reneé Mills, Gary Joseph Appio
  • Patent number: 11394785
    Abstract: A method and system for transmitting and receiving data packets between two network nodes via one or more end-to-end connections. An interface is provided for selecting one or more possible end-to-end connection(s) or established end-to-end connection(s). The method and system may further comprise receiving a policy, wherein one or more selected end-to-end connections are established based, at least in part, on the policy. The policy may also restrict or promote selection of certain established end-to-end connection(s) via the interface provided. The selected and established end-to-end connection(s) are used for transmitting and receiving data packets.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: July 19, 2022
    Assignee: Pismo Labs Technology Limited
    Inventors: Patrick Ho Wai Sung, Ho Ming Chan, Kit Wai Chau, Min-Fu Tsai
  • Patent number: 11394706
    Abstract: The technology disclosed herein provides a system for allowing users to login into one or more devices without a password. Implementations of the system include one or more biometric data collection devices (shoe, glasses, watch) and a device configured to store one or more user identification data, receive a request for user verification, request user's biometric data from one or more of the biometric data collection devices, generate a personal unclonable function (PUF) value based on combination of at least one of the user identification data and the user's biometric data, and verify the user's identity by comparing the PUF value to the user's PUF benchmark.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: July 19, 2022
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Jiangnan Lin, Xiong Liu, Wendy Pui Lai Wong, Padmaja Kannan, Manuel Offenberg
  • Patent number: 11388013
    Abstract: The present disclosure is related to implementations of computing systems. In particular, it is related to the use of an array of PUFs to enhance security of distributed elements that use security systems.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: July 12, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventors: Abolfazl Razi, Bertrand Francis Cambou
  • Patent number: 11388004
    Abstract: A system for preventing an excess user authentication token utilization condition in an enterprise computer environment, the system including an excess user authentication token utilization condition predictor operable for calculating a number of additional group memberships of each of the enterprise users that can be expected to result in an excess user authentication token utilization condition, a group membership estimator operable, for each the enterprise user, for estimating a number of additional group memberships of the enterprise user that will be created by an anticipated activity, and an anticipated excess user authentication token utilization condition alerter operable, before initiation of the anticipated activity, for providing an alert if the anticipated activity can be expected to result in an excess user authentication token utilization condition.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: July 12, 2022
    Assignee: VARONIS SYSTEMS, INC.
    Inventors: Yakov Faitelson, Ophir Kretzer-Katzir
  • Patent number: 11386018
    Abstract: Embodiments of the present disclosure relate to a memory system and an operating method thereof. According to the embodiments of the present disclosure, the memory system may generate a nonce based on a physical address of a target area of a memory device using a cryptographic algorithm, and request the memory device to authenticate the nonce. When the authentication for the nonce succeeds, the memory controller may set an authority to perform a read, write or erase operation on the target area. Through this operation, the memory system can prevent data leakage or damage by a user who has no access authority.
    Type: Grant
    Filed: January 19, 2021
    Date of Patent: July 12, 2022
    Assignee: SK hynix Inc.
    Inventors: Han Choi, Jae Wan Kim
  • Patent number: 11386189
    Abstract: The present disclosure relates generally to implementing biometric authentication, including providing user interfaces for: a biometric enrollment process tutorial, aligning a biometric feature for enrollment, enrolling a biometric feature, providing hints during a biometric enrollment process, application-based biometric authentication, autofilling biometrically secured fields, unlocking a device using biometric authentication, retrying biometric authentication, managing transfers using biometric authentication, interstitial user interfaces during biometric authentication, preventing retrying biometric authentication, cached biometric authentication, autofilling fillable fields based on visibility criteria, automatic log-in using biometric authentication, retrying biometric authentication at a credential entry user interface, providing indications of error conditions during biometric authentication, providing indications about the biometric sensor during biometric authentication, and orienting the device to
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: July 12, 2022
    Assignee: Apple Inc.
    Inventors: Marcel Van Os, Peter D. Anton, Lynne Devine, Alan C. Dye, Grant Paul
  • Patent number: 11379263
    Abstract: A method of selecting a distributed framework includes identifying, by a selection device coupled to a memory, at least a first remote device of a plurality of remote devices, wherein identifying the at least a first remote device further comprises evaluating a secure proof generated by the at least a first remote device, and identifying the at least a first remote device as a function of the secure proof, assigning, by the selection device, a confidence level of the at least a first remote device, and selecting, by a selection device, a distributed framework from the plurality of remote devices as a function of the confidence level, and assigning a task to the distributed framework.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: July 5, 2022
    Assignee: Ares Technologies, Inc.
    Inventor: Christian T. Wentz
  • Patent number: 11379125
    Abstract: An approach to creating a tamper-resistant field programmable gate array (FPGA) and remotely reprogramming the tamper-resistant FPGA. In one aspect, determining if an encryption key is stored in a physical unclonable function (PUF) of the FPGA. Further, responsive to the encryption key not being stored in a PUF, writing an encryption key in tamper resistant memory associated with a back end of the line (BEOL) of the FPGA. In another aspect, writing a program key and a look-up table (LUT) in the tamper resistant memory.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: July 5, 2022
    Assignee: International Business Machines Corporation
    Inventors: Jean-Olivier Plouchart, Arvind Kumar, Dirk Pfeiffer, Takashi Ando
  • Patent number: 11372953
    Abstract: A communication device is installed in between a client terminal and a web server which performs communication with the client terminal. The communication device includes a memory, and processing circuitry coupled to the memory and configured to perform obfuscation, among the information included in communication between the web server and the client terminal, with respect to information related to a web application, and to send the communication, which includes the information obfuscated at the performing, to its destination.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: June 28, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Nariyoshi Chida, Yo Kanemoto, Kazufumi Aoki
  • Patent number: 11368544
    Abstract: Disclosed are techniques and apparatuses that are configured to receive an indication that a web browsing session executing on an enterprise server needs additional information based on a request for additional information being sent to a client device. The request may include an identifier of the web browsing session and an identifier of an enterprise server that initiated the web browsing session. A globally unique identifier related to the web browsing session and an identifier of the enterprise server is stored in a common data store. The web browsing session may be paused when the web browsing session requests additional information from a client device. The client device may respond with the additional information. The system may provide the identifier of the enterprise server to a load balancing component so the identified web browsing session executing on the enterprise server may continue to be used.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: June 21, 2022
    Assignee: Capital One Services, LLC
    Inventors: Joshua Edwards, Shabnam Kousha, Daniel E. Miller
  • Patent number: 11366789
    Abstract: A computing device is described which has at least one application access record storing references to content items stored at the computing device. At least one local store stores other content items. A processor of the computing device executes at least one application, the application having ability to access the content items referenced in the application access record and restricted from accessing the other content items. An operating system of the computing device is configured to search the local store to identify at least one of the other content items on the basis of criteria, and to suggest the identified other content item(s) to a user of the computing device for access by the application.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: June 21, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Johannes Fredrik Strömberg, Henrik Jersling, Tor Andrae
  • Patent number: 11368462
    Abstract: HTTP requests and responses may be transmitted between cloud-based application instances. Each outgoing HTTP request may include authentication credentials and an “X-Snc-Integration-Source” header that identifies the source of the request. A table of approved users may be maintained, including each user's authentication credentials and one or more source instances from which they are expected to generate HTTP requests. When the HTTP request is received, the HTTP request will be parsed to identify the authentication credentials and the source of the request. The table of authorized users is then referenced to determine if the authentication credentials and the source of the request match those of an authorized user. If the authentication credentials and the source of the request match those of an authorized user, access will be granted. If the authentication credentials and the source of the request do not match those of an authorized user, access will be denied.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: June 21, 2022
    Assignee: ServiceNow, Inc.
    Inventors: Alexander North, Minaxi Pauranik
  • Patent number: 11363055
    Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for rapid assessment of cloud frameworks to evaluate those considered for use in an enterprise context. The invention may quickly and consistently identify gaps or weaknesses of cloud frameworks or resources, assess the potential negative impact of such gaps or weaknesses, and facilitate the communication of quantifiable data to responsible parties in order to facilitate the implementation of necessary controls or actions. Embodiments of the invention are highly adaptable and dynamic in fashion such that they can be quickly and easily updated based on the changing needs of the enterprise.
    Type: Grant
    Filed: November 2, 2020
    Date of Patent: June 14, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Rachel Yun Kim Bierner, Caryn Ann Adams, Carol McGee Anthony, Sandra Mereos Crosswell, Georgeann Paschal Gregory, Gerald Michael Kingsley, Alexis Aron Lavi, David Mortman, Rebbecca Danielle Nelson
  • Patent number: 11329980
    Abstract: Secure communications are provided between a user computing device and a server computing device. An enrollment request is received from a user computing device that is configured via a distributed client software application and is processed. The enrollment request is usable to enroll the user computing device in a network and includes an encrypted partial initial biometric vector associated with a user. An authentication request is processed that is subsequently received that includes an encrypted partial second biometric vector and that is associated with a user of the user computing device. A comparison of the encrypted partial initial biometric vector and the encrypted partial second biometric vector is performed, and a value representing the comparison is generated and transmitted to the user computing device. The user computing device is authenticated where the value is above a minimum threshold.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: May 10, 2022
    Assignee: VERIDIUM IP LIMITED
    Inventors: John Raymond Callahan, Asem Othman
  • Patent number: 11310237
    Abstract: A system includes at least one processor to receive training data and generate at least one machine learning rule based on the training data to apply when a condition occurs, continually monitor at least one resource associated with a computing network for the condition in the computing network that may trigger an authorization control modification, the condition comprising one of an active project that uses the at least one resource, a security alert level change, a resource locality change, metadata associated with the condition, a skill assessment, and a business state analysis, determine that the condition has occurred in the computing network, and dynamically and automatically modify a user authorization control for at least one particular user responsive to the machine learning rule.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: April 19, 2022
    Assignee: Cobalt Iron, Inc.
    Inventors: Richard Raymond Spurlock, Robert Merrill Marett, Gregory John Tevis
  • Patent number: 11301714
    Abstract: Techniques for detecting usage of copyrighted video content using object recognition are provided. In one example, a computer-implemented method comprises determining, by a system operatively coupled to a processor, digest information for a video, wherein the digest information comprises objects appearing in the video and respective times at which the objects appear in the video. The method further comprises comparing, by the system, the digest information with reference digest information for reference videos, wherein the reference digest information identifies reference objects appearing in the reference videos and respective reference times at which the reference objects appear in the reference videos. The method further comprises determining, by the system, whether the video comprises content included in one or more of the reference videos based on a degree of similarity between the digest information and reference digest information associated with one or more of the reference videos.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: April 12, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christopher J. Hardee, Steven Robert Joroff, Pamela Ann Nesbitt, Scott Edward Schneider
  • Patent number: 11290289
    Abstract: An apparatus is provided which comprises: a phase detector to receive a reference clock and a feedback clock; and one or more switchable heat elements controllable by an output of the phase detector, wherein the one or more switchable heat elements are coupled to a physically unclonable function circuit.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: March 29, 2022
    Assignee: Intel Corporation
    Inventors: Kuan-Yueh Shen, Rachael Parker
  • Patent number: 11277267
    Abstract: A computer-implemented method for a token-based authorization in a data processing environment may be provided. The data processing environment comprises at least a user system, an application, an authentication server and an access control server. The method comprises accessing the application via a user system request, redirecting the user access request to an authentication server, authenticating the user, wherein authentication credentials comprise a request for a restricted entitlement, wherein the restricted entitlement represents a subset of existing entitlements managed by the access control server for a resource. The method also comprises sending an access token from the authentication server to the application, requesting execution of an operation comprising invoking the operation by the application providing the access token comprising restricted entitlements, invoking the access control server, and providing the scope of the token comprising the subset of the existing entitlements.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: March 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Martin Smolny, Thomas Dürr, Michael Beck, Juergen Schaeck