Abstract: A PIN is automatically generated based on at least one rule when the user enters a password through a user device. In one example, the PIN is a truncated version of the password where each character in the truncated version is mapped onto a number. The mapping can be a truncation at the beginning or end of the password, or the mapping can be with any pattern or sequence of characters in the password. This PIN generation may be transparent to the user, such that the user may not even know the PIN was generated when the password was entered. When the user attempts to access restricted content, the user may enter the PIN instead of the password, where the user may be notified of the rule used to generate the PIN so that the user will know the PIN by knowing the password.

Abstract: Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update route maps of the on-site routers to add those devices.

Abstract: During an ongoing wireless telephone call communication session between a pair of mobile devices, a local device responds to its user's activation of a virtual or actual button or key, or its user's verbal command, by automatically sending an over the air message (e.g., a SMS or text message or other network communication message) to the remote device. The message requests location information of the remote device. Upon obtaining location information from the remote device, a location of the remote device is automatically displayed on the local device. Other embodiments are also described and claimed.

Abstract: A rules evaluation engine that controls user's security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

Abstract: A rules evaluation engine that controls user's security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.

Abstract: A secure demand paging system (1020) includes a processor (1030) operable for executing instructions, an internal memory (1034) for a first page in a first virtual machine context, an external memory (1024) for a second page in a second virtual machine context, and a security circuit (1038) coupled to the processor (1030) and to the internal memory (1034) for maintaining the first page secure in the internal memory (1034).

Abstract: Aspects herein describe brokering hosted resources in a virtual desktop infrastructure (VDI) using connection leases to reduce demand on connection brokers and to allow hosted services to be maintained even in the event of a broker outage. When a client device desires to connect to a hosted resource (e.g., a hosted desktop or a hosted application), the client device may present a lease token to the session host. The lease token is a self-sustaining package of data from which a session host can determine whether the requesting client device is authorized to access one or more resources hosted by that session host. The lease token may be cryptographically signed to ensure its contents have not been altered, and further that the lease token originated from a trusted source. Lease tokens may be stored independently from a connection broker, thereby still being usable if the connection broker goes offline.

Abstract: Mobile push user authentication for native client based logon is described. In one method, an authentication server receives from a user interface at a native client a password for native-client based logon to a remote server. The method determines whether a portion of the password includes a one-time password (OTP). When the password includes an OTP, the method validates the remaining portion of the password as a first authentication factor, and validates the OTP as a second authentication factor. When the password does not include an OTP, the method sends a mobile push notification to a registered device, validates the password as the first authentication factor, receives a response to the mobile push notification, and validates the response to the mobile push notification as the second authentication factor. The native-client based logon is authorized when the first authentication factor and the second authentication factor are validated.

Abstract: Systems, methods, and computer program products are provided for authenticating and efficiently re-authenticating a user with a financial institution in order to gain access to account information using a web-enabled device. The web-enabled device stores user profiles associated with the user including authentication information provided by the user during primary authentication. The device retrieves the authentication information upon secondary authentication, that is, validation of the user's identity, which in some embodiments, includes local validation of a personal identification number (“PIN”) and/or a remote control passcode (“RCP”). As such, the web-enabled device re-authenticates the user without requiring authentication communication with a financial institution server, and thereafter, the user interacts with an application running on the web-enabled device to retrieve desired account information from the financial institution server.

Abstract: A method for operating the arrangement for a laboratory room confined by a floor, a ceiling and walls connecting the floor with the ceiling, including inducing an air flow from an air inlet through a platform to an air outlet in a substantially laminar fashion. The arrangement includes a main base suspended on the floor; a tool base arranged on the main base; a platform arranged around the tool base, wherein the platform is permeable for air, and the platform is suspended at the walls; the air inlet arranged below the platform; the air outlet arranged above the tool base; and air guides for directing an air flow upwards.

Abstract: A computer implemented method, apparatus, and computer usable program code for accessing protected resources. Biometric data for a user is received from a biometric input device and an indication of an application requiring a password. Responsive to receiving the biometric data from the user, the user is authenticated using the biometric data and a profile. Responsive to the user being authenticated, the password is established with the application to allow access to the application, wherein the password is established without user input.

Abstract: A server device that includes a receiving unit, a browse page creation unit, a mail creation unit, and a mail transmission unit. The receiving unit receives an image transmitted from an electronic camera via a wireless network. The browse page creation unit creates a browse page for browsing the transmitted image from the electronic camera, the image having been received by the receiving unit. The mail creation unit creates a notification mail for introducing the browse page that has been created by the browse page creation unit to a person other than a user of the electronic camera. Furthermore, the mail transmission unit transmits the notification mail that has been created by the mail creation unit to a specified mail address.

Abstract: Technologies are generally disclosed for methods and systems for securing data. An example method may include storing, by a processing device, the data in a memory. The data may be encrypted and accessible only with the use of a decryption key. The method may further include receiving, by the processing device, one or more permission requests to access the data and requesting, by the processing device, the decryption key. In response to receiving the decryption key, the method may include authenticating, by the processing device, the decryption key to verify one or more permissions, and allowing, by the processing device, access to the data in accordance with the one or more permissions.

Abstract: A security level for an attendant at a Self-Service Terminal (SST) is automatically resolved. An operation is automatically processed on behalf of the attendant based on the resolved security level and a condition associated with the SST.

Abstract: This invention relates to a method (100) for creating, on a device (200), an authorized domain (102) for sharing a (103) of a content item (104) between a first person (105) and a second person (106). The method (100) alleviates the hassle of having end-users managing authorized domains. If the first person is bound (107) to the right (103), and the device is bound (108) to the first person (105), the device (200) grants (110) the second person (106) the right (103) in response to the device (200) associating (109) to the second person (106).

Abstract: Methods and apparatuses are described for proximity-based and user-based access control using wearable devices. A short-range frequency reader coupled to a target device detects a plurality of wearable devices in proximity to the reader, each wearable device comprising a short-range frequency antenna. The reader identifies, for each wearable device, a user wearing the wearable device. The reader determines, for each wearable device, a distance from the reader and an orientation in relation to the target device. The reader determines a level of access available to the target device based upon the identity of each user, the distance of each wearable device from the reader, the orientation of each wearable device in relation to the target device, and the distance of the wearable devices from each other in a three-dimensional space.

Abstract: Systems and methods for user identification and authentication are disclosed. In one embodiment, a method of authenticating a first party to a second party may include the following: (1) receiving, from one of an electronic device of a first party and an electronic device of a second party, a request to generate authenticating indicia; (2) using at least one of a plurality of computer processors, generating the authenticating indicia; (3) transmitting, over a network, the authenticating indicia to the electronic device of a first party and to the electronic device of the second party; (4) receiving, from an electronic device of the second party, an indication that the second party has confirmed that the first party is authentic; and (5) storing an identity of the first party, the second party, and the authenticating indicia in a database.

Abstract: An apparatus, computer-readable medium, and computer-implemented method for data tokenization are disclosed. The method includes receiving, at a database network router, a database access request directed to a tokenized database, the tokenized database containing one or more tokenized data values, applying one or more rules to the request, rewriting the request based on at least one of the one or more rules, such that data values being added to the database will be tokenized data values, and data values received from the database will be non-tokenized data values, and transmitting the rewritten request to the database.

Abstract: Techniques are provided for improving security in a single-sign-on context by providing, to a user's client system, two linked authentication credentials in separate logical communication sessions and requiring that both credentials be presented to a host system. Only after presentation of both credentials is the user authenticated and permitted to access applications on the host system.

Abstract: An automation control system is provided with an interface device configured to enable a user to monitor, control, or monitor and control processes of the automation control system. Upon power on or initialization of the interface device or when a previously logged in user is logged off, the interface device logs in a guest account associated with a user role having a defined set of access rights and provides access to monitor, control, or monitor and control the processes based upon the set of access rights.

Abstract: The presented invention discloses an electronic web-based election system and method for fully encrypted secure remote voting, wherein the voting data is fully encrypted, including within-the-database encryption, until the end of voting time period. Further disclosed a computer encryption system, wherein the voting result encryption application is additionally installed, such a system being configured to obtain encrypted voting results data and send such a data as a ciphertext to the election central server for encrypted ciphertext storage in the database to prevent everybody, including database administrators, from viewing the data. Method for secure data encryption and public keys computation based on voter's secret PIN code is further presented.

Abstract: Implementations are provided herein relating to audiovisual matching. Audio and video channel data is merged to create a single multi-channel fingerprint used to match media content. Audio channel data is used to generate audio fingerprints. Video channel data is used to generate a video fingerprints. Multi-channel fingerprints can then be generated based on the audio channel fingerprints and video channel fingerprints. In this sense, entropy can be increased while the multi-channel fingerprint can be less resistant to noise.

Abstract: Methods are detailed for online fraud prevention. In one approach state information of a first and a second device is monitored, both of which are associated with one user. During a multi-factor authentication procedure which utilizes at least one of the first and the second devices for authorizing a transaction by an Internet domain, a security server participates in a supplemental security procedure which is conditional on the monitored state information. In another approach the second device receives a message that is ostensibly related to multi-factor authorization by an Internet domain, and in response sends a query about state information of the first device. Based on the response to the query that indicates the state information, the second device performs a supplemental security procedure.

Abstract: A structured query language (SQL) relational database management system (SQL RDBMS) may integrate a biometric subsystem to process and manage biometric data separately from the demographic data stored in normalized SQL tables of the SQL RDBMS. The SQL RDBMS may be operatively connected to the biometric subsystem by means of SQL extensions. The SQL RDBMS may execute queries with demographic and/or biometric constraints, wherein the demographic data is retrieved directly from normalized SQL tables on the RDBMS, while the biometric data is retrieved in the form of scores or probabilities from the biometric subsystem. The SQL RDBMS may return a query result set containing demographic data associated with corresponding biometric data, allowing the authentication of biometric clients.

Abstract: Access restriction is performed on access to a page on which information is posted from a terminal of a subject. It is determined whether positions of terminals used by the subject and a manager, who is associated with the subject in advance, accord with each other. A relaxation operation is received from the terminal of the manager, when it is determined that the positions accord with each other. The access restriction by a restriction unit is relaxed, when the relaxation operation is received. A characteristic word of the page accessed by the terminal of the subject for which the access restriction is relaxed is acquired. The acquired characteristic word is transmitted to the terminal of the manager to display the characteristic word. A recovery operation is received from the terminal of the manager. The access restriction performed by the restriction unit is recovered, when the recovery operation is received.

Abstract: A secure external access method provides an external system with access to a device automation system implementing automatic control of one or more devices in an automation environment. The external access method enables external system access to devices only when the devices have been authorized for external access and the external system has the proper authentication credential. External access endpoints are dynamically defined by the web service automation applications and are unique to each installed instance of the web service automation application.

Abstract: A method, non-transitory computer readable medium, and network traffic management apparatus that receives an authentication request from a user of a client computing device, the request comprising credentials for the user. A connection is established with a selected one of a plurality of active directory servers using a stored Internet Protocol (IP) address for the selected active directory server. At least a portion of a fully qualified domain name of the selected active directory server is received in response to an anonymous lightweight directory access protocol (LDAP) query sent to the selected active directory server using the established connection. The user of the client computing device is authenticated using the at least a portion of the fully qualified domain name and the credentials.

Abstract: Techniques for improving security of an electronics device are disclosed. In one aspect of the present disclosure, security of a device may be improved by generating a working key based on a hardware secret key and at least one security parameter of the device, e.g., with a key derivation function. The security parameter(s) may be related to software to be authenticated on the device and/or other aspects of security for the wireless device. The security parameter(s) may indicate whether the software is authorized and/or at least one operating function authorized for the software. At least one security function may be performed for the device based on the working key. For example, the working key may be used to encrypt, sign, decrypt, or verify data for the device. The working key may be used directly or indirectly by the software for the at least one security function.

Abstract: A flow control apparatus for controlling fluid flow in a petroleum reservoir. The flow control apparatus has a flow control mechanism, a controller operable to control the flow control mechanism to adjust fluid flow through the flow control mechanism, the controller comprising a processor operable to execute according to a control algorithm, and a non-volatile memory connected to the controller. The non-volatile memory includes instructions to cause the controller to execute an authentication mechanism operable to authenticate a control computer and to prevent operation of the controller until the authentication mechanism authenticates the control computer.

Abstract: A method includes receiving data related to an individual, the data comprising a plurality of elements of personally-identifying information (PII). The method further includes building, via the plurality of elements of the PII, a compositional key for the individual. In addition, the method includes storing the compositional key and a biometric print for the individual as a biometric record in a biometric repository. The method also includes, via the compositional key, providing a plurality of federated entity (FE) computer systems with access to the biometric repository.

Abstract: Protecting the security of an entity by using passcodes is disclosed. A user's passcode device generates a passcode. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system, which authenticates the passcode by at least generating a passcode from a passcode generator, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device and by the administrator. This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on the rounded time.

Abstract: A secure (e.g., protected) storage drive for use with an associated computer device is disclosed. The secure storage drive allows access only when properly authenticated to the computer device attempting to access the secure storage drive. Additionally, other levels of authentication may be required prior to allowing access. For example, access may only be allowed if both the computer device and a user authenticated to the computer device are recognized by the secure storage drive. If access to the secure storage drive is not permitted, then the secure storage drive may remain hidden and not accessible to the operating system of the computer device. Accordingly, if hidden, no command of the operating system of the computer device can access, alter, or erase data on the secure storage drive.

Abstract: In a method for limiting access to a digital item, a count for the digital item is stored, wherein the count is a number of accesses permitted for the digital item. A password for accessing the digital item is received. A plurality of password hashes is generated by utilizing one-way hash functions based on the number of accesses of the count and the password to generate the plurality of password hashes based on the count. The plurality of password hashes is stored in a password hash file.

Abstract: Systems and methods may provide for detecting a browser request for web content. Additionally, interaction information associated with a plurality of sources may be determined in response to the browser request, and a risk profile may be generated based on the interaction. The risk profile may include at least a portion of the interaction information as well as recommended control actions to mitigate the identified risk. In one example, the risk profile is presented to a user associated with the browser request as well as to a security control module associated with the platform.

Abstract: A login interface provided by a firmware setup utility is configured to display a two-dimensional barcode, such as a quick response (“QR”) code. The barcode is scanned by a mobile device configured to retrieve a timestamp encrypted within the barcode. The mobile device creates a passcode by re-encrypting the timestamp using a firmware setup password and a master key. The passcode is provided to the firmware setup utility, which retrieves the timestamp and compares it to a stored timestamp. If the timestamp values match, access to the firmware setup utility is permitted.

Abstract: In a networked environment, a client side application executed on a client device may transmit a request to an authorization service for access to a resource. The authorization service may authenticate the user of client device and/or the client device based on user credentials and/or a device identifier. In response to authenticating the user and/or the client device, the authorization service may send to the client side application a request for confirmation that the client device complies with a distribution rule associated with the resource, where the distribution rule requires a specific application or specific type of application to be installed, enabled and/or executing on the client device as a prerequisite to accessing the resource. If the client device complies with the distribution rule, the client side application accesses the resource. Accessing the resource may include receiving an authorization credential required for access to the resource.

Abstract: A system and method of identity verification at a point-of-identification verification (POV) using biometric-based identity recognition and an identity verifying score based upon a presenter's initial identification presentment and their subsequent action in the system. The system also provides tracking and evaluates verifier activity within the system through biometric-based identity recognition and a performance score based upon their actions and the results of their actions within the system. System users register at least one biometric identifier and personal and/or business identity-verifying data. Users present a biometric sample obtained from their person and their system ID number to conduct identification transactions. This data is used to authenticate the user's identity to a percentage of reliability and allows a user with consistently positive ID verifications to establish a higher ID score, strengthening their credibility within the system.

Abstract: Methods and apparatus for authenticating computing device users are disclosed. An example method includes, providing, on a display device of a computing device, a graphical user interface (GUI) including a user authentication display portion and receiving, from a remote authentication server, visual content and functional content corresponding with the user authentication display portion. The method further includes receiving, via the user authentication display portion, a set of user credentials and communicating the received user credentials to the remote user authentication server. The method still further includes receiving, from the remote user authentication server; an authorization message indicating whether or not authentication of the user credentials was successful. In the event authentication of the set of user credentials was successful, the user is granted access to the computing device.

Abstract: Implementations are provided herein relating to audiovisual matching. Audio and video channel data is merged to create a single multi-channel fingerprint used to match media content. Audio channel data is used to generate audio fingerprints. Video channel data is used to generate a video fingerprints. Multi-channel fingerprints can then be generated based on the audio channel fingerprints and video channel fingerprints. In this sense, entropy can be increased while the multi-channel fingerprint can be less resistant to noise.

Abstract: An authentication method between a server and a client is provided. The authentication method includes transmitting, to the client, an inquiry message including a first modified secret key generated based on a first secret key and a first blinding value, receiving, from the client, a response message including a response value generated based on the first blinding value, a second secret key, and an error value, calculating the error value from the response value, and determining whether authentication of the client has succeeded based on the error value.

Abstract: A possibly pre-infected system is inspected for the existence of tracked application-specific accounts. In a tracked application-specific account is found, the system is further audited to verify that only authorized processes are using the account and that the authorized account creation application is installed on the host computer system.

Abstract: Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update route maps of the on-site routers to add those devices.

Abstract: Methods and systems are disclosed for implementing a secure application execution environment using Derived User Accounts (SAE DUA) for Internet content. Content is received and a determination is made if the received content is trusted or untrusted content. The content is accessed in a protected derived user account (DUA) such as a SAE DUA if the content is untrusted otherwise the content is accessed in a regular DUA if the content is trusted.

Abstract: A role-based access control (RBAC) modeling and auditing system is described that enables a user to access and/or create security roles that can be applied to users of a first software application. When a security role having a particular set of permissions has been accessed or created, the system can present a simulated user interface (UI) that indicates information that can be viewed and/or actions that can be performed by a user to whom the security role has been assigned when interacting with the first software application. The system may further provide “run as” functionality that enables a simulated UI to be generated for a particular user and that can display the security role(s) associated with the particular user. The system may be embodied in a second software application, such as a tool that is associated with the first software application.

Abstract: A full spectrum cyber identification determination process for accurately and reliably determining and reporting any identification determination from a full spectrum of possible cyber identification determinations.

Abstract: There is provided a method of securing multimedia data for streaming over a network comprising receiving the multimedia data from a server, transforming the multimedia data into secure multimedia data using a security key associated with the multimedia data, storing the security key associated with the multimedia data, streaming the secure multimedia data to the destination server. The method further comprises receiving decoding solution requests associated with the multimedia data from one or more multimedia players for playing the multimedia data and transmitting the security key associated with the multimedia data to each of the multimedia players.

Abstract: One embodiment of the present invention provides a system that improves security during web-browsing. During operation, the system can receive a URL from a user. Next, the system can determine an IP address for the URL by querying a DNS server. The system can then determine a public-key associated with the URL. Next, the system can encrypt a string using the public-key to obtain an encrypted-string. The system can then send the encrypted-string to a remote-system which is associated with the IP address. Next, the system can receive a response from the remote-system. The system can then determine whether the DNS server has been compromised using the string and the response. If the system determines that the DNS server has been compromised, the system can alert the user, and in doing so, improve security during web-browsing.

Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.

Abstract: A method, a system, and computer readable medium comprising instructions for image capture to enforce remote agent adherence. The method comprises a first computer receiving an authentication request. The method also comprises a client component executing on the first computer detecting the authentication request and the client component, based on detecting the authentication request, causing a digital image to be captured. The method also comprises the first computer transmitting the digital image to a second computer, the second computer analyzing the digital image, and the second computer authenticating the digital image based on the analysis.

Abstract: An electronic key registration system includes a controller of a communication subject, an initial electronic key that communicates with the communication subject and has an initial encryption key generation code, an additional electronic key that communicates with the communication subject, and an information center including an additional encryption key. The initial electronic key holds an initial encryption key generated from the initial encryption key generation code and a logic. The controller holds the logic and identification information of the communication subject. The controller acquires the initial encryption key generation code from the initial electronic key, generates an initial encryption key from the initial encryption key generation code and the logic held by the controller, and stores the initial encryption key. The information center sends the additional encryption key to the additional electronic key or the controller through a network.