Using Record Or Token Patents (Class 713/185)
  • Patent number: 9544294
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: January 10, 2017
    Assignee: Oracle International Corporation
    Inventors: Uppili Srinivasan, Ajay Sondhi, Ching-Wen Chu, Shivaram Bhat, Venkata S. Evani
  • Patent number: 9530086
    Abstract: A work equipment system includes a control module coupled to a display to present a virtual control on the display upon receipt of an activation code. The activation code is provided in an activation tag on an activation display. An activation tag reader is coupled wired or wirelessly to the control module and is configured for reading the activation tag and sending a signal representative of the activation code to the control module.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: December 27, 2016
    Assignee: CNH Industrial America LLC
    Inventors: John Stratton, Andrew Meyer, Frank Rabusic, Andrew C. Olliver
  • Patent number: 9531697
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: December 27, 2016
    Assignee: Oracle International Corporation
    Inventors: Ajay Sondhi, Shivaram Bhat, Ravi Hingarajiya
  • Patent number: 9529420
    Abstract: Systems, methods, and machine-readable media transitioning between two power states based on user-related signals are provided. A computing device in a first power state may monitor multiple sensors and receive first sensor signals from a first group of the sensors. One or more radio frequency (RF) signals may be received from one or more nearby communication devices. The first sensor signals may be used to determine that the computing device has been picked up and, in response, an application processor may be activated. The application processor may select a second power state based on the first power state and the first sensor signals. The second power state includes a power on state when the first power state is a suspended power state and the first sensor signals indicate that the computing device has been picked up while being touched on a screen. The computing device is transitioned to the second power state.
    Type: Grant
    Filed: December 11, 2014
    Date of Patent: December 27, 2016
    Assignee: Google Inc.
    Inventors: Robert Flack, Alexander Friedrich Kuscher
  • Patent number: 9531705
    Abstract: Described herein are methods and systems for updating digital certificates on a computer and testing to confirm that the update was performed correctly. The testing may involve confirming that a server's common name (CN) and/or a server's subject alternative name (SAN) matches the domain name server (DNS) name utilized to access the server, confirming that, for all the certificates sent in chain, each certificate's expiration date is less than or equal to the expiration date of that certificate's parent certificate, confirming that the certificates' authority key identifier (AKI), subject key identifier (SKI), and/or authority information access (AIA) are in compliance, and comparing available cipher suites to a list of pre-approved cipher suites.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: December 27, 2016
    Assignee: UNITED SERVICES AUTOMOBILE ASSOCIATION
    Inventors: Carl Mehner, Dale Lawrence
  • Patent number: 9519802
    Abstract: The present disclosure includes a method comprising encrypting sensitive data, generating a token comprising a data identifier, tokenizing the encrypted sensitive data, and/or storing the encrypted sensitive data in association with the token to a token vault. Tokenizing may comprise mapping the encrypted sensitive data to the token. The method may further comprise storing the token to a cloud application, wherein the cloud application comprises a software application that functions within a cloud computing environment.
    Type: Grant
    Filed: May 7, 2014
    Date of Patent: December 13, 2016
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
    Inventor: Siddhartha Dutta
  • Patent number: 9509686
    Abstract: Secure element authentication techniques are described. In implementations, a confirmation is received that an identity of a user has been physically verified using one or more physical documents. One or more credentials that are usable to authenticate the user are caused to be stored in a secure element of a mobile communication device of the user, the secure element implemented using tamper-resistant hardware.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: November 29, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anoop Anantha, Murali R. Krishnan, Alan L. Marshall, Kamran Rajabi Zargahi, Miller Thomas Abel
  • Patent number: 9501863
    Abstract: A method of automatically tracking the portions of a 3D medical imaging volume, such as the voxels, that have already been displayed according to user-defined display parameters, notating those portions, and providing the user with information indicating what portions of the imaging volume have been displayed at full resolution.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: November 22, 2016
    Assignee: D.R. SYSTEMS, INC.
    Inventors: Evan K. Fram, Murray A. Reicher
  • Patent number: 9485098
    Abstract: The present disclosure pertains to data security, and more specifically, to a method and system of user authentication using an electronic digital signature of the user. An exemplary method includes obtaining biometric data of the user, calculating a biometric key based on the biometric data, identifying encrypted confidential information of the user in an electronic database and decrypting the identified confidential information of the user using the calculated biometric key. Furthermore, the method includes calculating a cryptographic key using a first portion of the decrypted confidential information of the user; generating an electronic digital signature of the user based on the cryptographic key; verifying the electronic digital signature using a second portion of the decrypted confidential information; and authenticating the user to access the data if the electronic digital signature is verified.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: November 1, 2016
    Assignee: AO Kaspersky Lab
    Inventor: Konstantin E. Lepeshenkov
  • Patent number: 9473308
    Abstract: A method and a system for implementing a digital signature in a mobile operating system.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: October 18, 2016
    Assignee: FEITIAN TECHNOLOGIES CO., LTD.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 9473533
    Abstract: Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system.
    Type: Grant
    Filed: May 1, 2014
    Date of Patent: October 18, 2016
    Assignee: SNCR, LLC
    Inventors: Daniel Faltyn, Andrew J. R. Smith
  • Patent number: 9460278
    Abstract: A PIN is automatically generated based on at least one rule when the user enters a password through a user device. In one example, the PIN is a truncated version of the password where each character in the truncated version is mapped onto a number. The mapping can be a truncation at the beginning or end of the password, or the mapping can be with any pattern or sequence of characters in the password. This PIN generation may be transparent to the user, such that the user may not even know the PIN was generated when the password was entered. When the user attempts to access restricted content, the user may enter the PIN instead of the password, where the user may be notified of the rule used to generate the PIN so that the user will know the PIN by knowing the password.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: October 4, 2016
    Assignee: PAYPAL, INC.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 9462000
    Abstract: Systems and methods are described for off-site user access control to communications services via a site-based communications network. Embodiments operate in context of sites, each having one or more site-based networks in communication with external networks via one or more on-site routers. User devices are provided with controlled access to those external networks via wired or wireless connections between those user devices and the site based networks. In some embodiments, on-site routers maintain route maps that indicate which user devices are authorized. Standard routing functions are used so that traffic from authorized devices is routed normally, while traffic from unauthorized devices is automatically forwarded to an off-site (e.g., cloud-based) authentication system. As devices become remotely authenticated, the off-site authentication system can remotely update route maps of the on-site routers to add those devices.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: October 4, 2016
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventors: David Andrew Hulse, Mark Howard Bryars
  • Patent number: 9456298
    Abstract: During an ongoing wireless telephone call communication session between a pair of mobile devices, a local device responds to its user's activation of a virtual or actual button or key, or its user's verbal command, by automatically sending an over the air message (e.g., a SMS or text message or other network communication message) to the remote device. The message requests location information of the remote device. Upon obtaining location information from the remote device, a location of the remote device is automatically displayed on the local device. Other embodiments are also described and claimed.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: September 27, 2016
    Assignee: Apple Inc.
    Inventors: Michael M. Lee, Justin Gregg, Chad G. Seguin
  • Patent number: 9438559
    Abstract: A rules evaluation engine that controls user's security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: September 6, 2016
    Assignee: Jericho Systems Corporation
    Inventor: Michael W. Roegner
  • Patent number: 9432196
    Abstract: A secure demand paging system (1020) includes a processor (1030) operable for executing instructions, an internal memory (1034) for a first page in a first virtual machine context, an external memory (1024) for a second page in a second virtual machine context, and a security circuit (1038) coupled to the processor (1030) and to the internal memory (1034) for maintaining the first page secure in the internal memory (1034).
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: August 30, 2016
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Steven Goss, Gregory Remy Philippe Conti, Narendar M. Shankar, Mehdi-Laurent Akkar, Aymeric Vial
  • Patent number: 9432404
    Abstract: A rules evaluation engine that controls user's security access to enterprise resources that have policies created for them. This engine allows real time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: August 30, 2016
    Assignee: Jericho Systems Corporation
    Inventor: Michael W. Roegner
  • Patent number: 9426227
    Abstract: Aspects herein describe brokering hosted resources in a virtual desktop infrastructure (VDI) using connection leases to reduce demand on connection brokers and to allow hosted services to be maintained even in the event of a broker outage. When a client device desires to connect to a hosted resource (e.g., a hosted desktop or a hosted application), the client device may present a lease token to the session host. The lease token is a self-sustaining package of data from which a session host can determine whether the requesting client device is authorized to access one or more resources hosted by that session host. The lease token may be cryptographically signed to ensure its contents have not been altered, and further that the lease token originated from a trusted source. Lease tokens may be stored independently from a connection broker, thereby still being usable if the connection broker goes offline.
    Type: Grant
    Filed: October 7, 2014
    Date of Patent: August 23, 2016
    Assignee: Citrix Systems, Inc.
    Inventor: Kenneth Malcolm Bell
  • Patent number: 9419956
    Abstract: Systems, methods, and computer program products are provided for authenticating and efficiently re-authenticating a user with a financial institution in order to gain access to account information using a web-enabled device. The web-enabled device stores user profiles associated with the user including authentication information provided by the user during primary authentication. The device retrieves the authentication information upon secondary authentication, that is, validation of the user's identity, which in some embodiments, includes local validation of a personal identification number (“PIN”) and/or a remote control passcode (“RCP”). As such, the web-enabled device re-authenticates the user without requiring authentication communication with a financial institution server, and thereafter, the user interacts with an application running on the web-enabled device to retrieve desired account information from the financial institution server.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: August 16, 2016
    Assignee: Bank of America Corporation
    Inventors: Shaun J. Abraham, Douglas Gerard Brown
  • Patent number: 9419968
    Abstract: Mobile push user authentication for native client based logon is described. In one method, an authentication server receives from a user interface at a native client a password for native-client based logon to a remote server. The method determines whether a portion of the password includes a one-time password (OTP). When the password includes an OTP, the method validates the remaining portion of the password as a first authentication factor, and validates the OTP as a second authentication factor. When the password does not include an OTP, the method sends a mobile push notification to a registered device, validates the password as the first authentication factor, receives a response to the mobile push notification, and validates the response to the mobile push notification as the second authentication factor. The native-client based logon is authorized when the first authentication factor and the second authentication factor are validated.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: August 16, 2016
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Prashant Thakre
  • Patent number: 9393559
    Abstract: A method for operating the arrangement for a laboratory room confined by a floor, a ceiling and walls connecting the floor with the ceiling, including inducing an air flow from an air inlet through a platform to an air outlet in a substantially laminar fashion. The arrangement includes a main base suspended on the floor; a tool base arranged on the main base; a platform arranged around the tool base, wherein the platform is permeable for air, and the platform is suspended at the walls; the air inlet arranged below the platform; the air outlet arranged above the tool base; and air guides for directing an air flow upwards.
    Type: Grant
    Filed: June 7, 2012
    Date of Patent: July 19, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Urs T. Duerig, Bernd W. Gotsmann, Emanuel Loertscher, Daniel Widmer
  • Patent number: 9391779
    Abstract: A computer implemented method, apparatus, and computer usable program code for accessing protected resources. Biometric data for a user is received from a biometric input device and an indication of an application requiring a password. Responsive to receiving the biometric data from the user, the user is authenticated using the biometric data and a profile. Responsive to the user being authenticated, the password is established with the application to allow access to the application, wherein the password is established without user input.
    Type: Grant
    Filed: July 28, 2008
    Date of Patent: July 12, 2016
    Assignee: International Business Machines Corporation
    Inventor: Courtney Seth Bair
  • Patent number: 9380014
    Abstract: A server device that includes a receiving unit, a browse page creation unit, a mail creation unit, and a mail transmission unit. The receiving unit receives an image transmitted from an electronic camera via a wireless network. The browse page creation unit creates a browse page for browsing the transmitted image from the electronic camera, the image having been received by the receiving unit. The mail creation unit creates a notification mail for introducing the browse page that has been created by the browse page creation unit to a person other than a user of the electronic camera. Furthermore, the mail transmission unit transmits the notification mail that has been created by the mail creation unit to a specified mail address.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: June 28, 2016
    Assignee: NIKON CORPORATION
    Inventors: Hirotaka Maeda, Mio Nagisa, Motoyuki Kuboi, Gaku Ito, Takeshi Shinohara
  • Patent number: 9369440
    Abstract: Technologies are generally disclosed for methods and systems for securing data. An example method may include storing, by a processing device, the data in a memory. The data may be encrypted and accessible only with the use of a decryption key. The method may further include receiving, by the processing device, one or more permission requests to access the data and requesting, by the processing device, the decryption key. In response to receiving the decryption key, the method may include authenticating, by the processing device, the decryption key to verify one or more permissions, and allowing, by the processing device, access to the data in accordance with the one or more permissions.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: June 14, 2016
    Assignee: EMPIRE TECHNOLOGY DEVELOPMENT LLC
    Inventor: Mordehai Margalit
  • Patent number: 9361475
    Abstract: A security level for an attendant at a Self-Service Terminal (SST) is automatically resolved. An operation is automatically processed on behalf of the attendant based on the resolved security level and a condition associated with the SST.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: June 7, 2016
    Assignee: NCR Corporation
    Inventor: John Lyall
  • Patent number: 9356938
    Abstract: This invention relates to a method (100) for creating, on a device (200), an authorized domain (102) for sharing a right (103) of a content item (104) between a first person (105) and a second person (106). The method (100) alleviates the hassle of having end-users managing authorized domains. If the first person is bound (107) to the right (103), and the device is bound (108) to the first person (105), the device (200) grants (110) the second person (106) the right (103) in response to the device (200) associating (109) to the second person (106).
    Type: Grant
    Filed: January 27, 2006
    Date of Patent: May 31, 2016
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Johan Gerhard Herman Reuzel, Robert Paul Koster
  • Patent number: 9344436
    Abstract: Methods and apparatuses are described for proximity-based and user-based access control using wearable devices. A short-range frequency reader coupled to a target device detects a plurality of wearable devices in proximity to the reader, each wearable device comprising a short-range frequency antenna. The reader identifies, for each wearable device, a user wearing the wearable device. The reader determines, for each wearable device, a distance from the reader and an orientation in relation to the target device. The reader determines a level of access available to the target device based upon the identity of each user, the distance of each wearable device from the reader, the orientation of each wearable device in relation to the target device, and the distance of the wearable devices from each other in a three-dimensional space.
    Type: Grant
    Filed: November 3, 2015
    Date of Patent: May 17, 2016
    Assignee: FMR LLC
    Inventors: Xinxin Sheng, Hong Sun
  • Patent number: 9344423
    Abstract: Systems and methods for user identification and authentication are disclosed. In one embodiment, a method of authenticating a first party to a second party may include the following: (1) receiving, from one of an electronic device of a first party and an electronic device of a second party, a request to generate authenticating indicia; (2) using at least one of a plurality of computer processors, generating the authenticating indicia; (3) transmitting, over a network, the authenticating indicia to the electronic device of a first party and to the electronic device of the second party; (4) receiving, from an electronic device of the second party, an indication that the second party has confirmed that the first party is authentic; and (5) storing an identity of the first party, the second party, and the authenticating indicia in a database.
    Type: Grant
    Filed: January 5, 2015
    Date of Patent: May 17, 2016
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Kelly W. Scott, Tina Sanders Pragoff, Ravi Acharya, Michael W. Andrews, Michael L. Traxler
  • Patent number: 9336256
    Abstract: An apparatus, computer-readable medium, and computer-implemented method for data tokenization are disclosed. The method includes receiving, at a database network router, a database access request directed to a tokenized database, the tokenized database containing one or more tokenized data values, applying one or more rules to the request, rewriting the request based on at least one of the one or more rules, such that data values being added to the database will be tokenized data values, and data values received from the database will be non-tokenized data values, and transmitting the rewritten request to the database.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 10, 2016
    Assignee: Informatica LLC
    Inventor: Eric Boukobza
  • Patent number: 9331991
    Abstract: Techniques are provided for improving security in a single-sign-on context by providing, to a user's client system, two linked authentication credentials in separate logical communication sessions and requiring that both credentials be presented to a host system. Only after presentation of both credentials is the user authenticated and permitted to access applications on the host system.
    Type: Grant
    Filed: October 7, 2009
    Date of Patent: May 3, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Yan Cheng, Zhihong Zhang
  • Patent number: 9323245
    Abstract: An automation control system is provided with an interface device configured to enable a user to monitor, control, or monitor and control processes of the automation control system. Upon power on or initialization of the interface device or when a previously logged in user is logged off, the interface device logs in a guest account associated with a user role having a defined set of access rights and provides access to monitor, control, or monitor and control the processes based upon the set of access rights.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: April 26, 2016
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Michael A. Bush, Robert A. Brandt, Ronald E. Bliss, Michael B. Miller
  • Patent number: 9292987
    Abstract: The presented invention discloses an electronic web-based election system and method for fully encrypted secure remote voting, wherein the voting data is fully encrypted, including within-the-database encryption, until the end of the voting time period. Further disclosed is a computer encryption system, wherein the voting result encryption application is additionally installed, such a system being configured to obtain encrypted voting results data and send such data as a ciphertext to the election central server for encrypted ciphertext storage in the database to prevent everybody, including database administrators, from viewing the data. A method for secure data encryption and public keys computation based on a voter's secret PIN code is further presented.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: March 22, 2016
    Assignee: Makor Issues and Rights, Ltd.
    Inventor: David Myr
  • Patent number: 9275427
    Abstract: Implementations are provided herein relating to audiovisual matching. Audio and video channel data is merged to create a single multi-channel fingerprint used to match media content. Audio channel data is used to generate audio fingerprints. Video channel data is used to generate video fingerprints. Multi-channel fingerprints can then be generated based on the audio channel fingerprints and video channel fingerprints. In this sense, entropy can be increased while the multi-channel fingerprint can be less resistant to noise.
    Type: Grant
    Filed: September 5, 2013
    Date of Patent: March 1, 2016
    Assignee: Google Inc.
    Inventor: Matthew Sharifi
  • Patent number: 9275228
    Abstract: Methods are detailed for online fraud prevention. In one approach state information of a first and a second device is monitored, both of which are associated with one user. During a multi-factor authentication procedure which utilizes at least one of the first and the second devices for authorizing a transaction by an Internet domain, a security server participates in a supplemental security procedure which is conditional on the monitored state information. In another approach the second device receives a message that is ostensibly related to multi-factor authorization by an Internet domain, and in response sends a query about state information of the first device. Based on the response to the query that indicates the state information, the second device performs a supplemental security procedure.
    Type: Grant
    Filed: February 20, 2014
    Date of Patent: March 1, 2016
    Assignee: F-Secure Corporation
    Inventors: Jarno Niemela, Veli-Jussi Kesti
  • Patent number: 9270675
    Abstract: Access restriction is performed on access to a page on which information is posted from a terminal of a subject. It is determined whether positions of terminals used by the subject and a manager, who is associated with the subject in advance, accord with each other. A relaxation operation is received from the terminal of the manager, when it is determined that the positions accord with each other. The access restriction by a restriction unit is relaxed, when the relaxation operation is received. A characteristic word of the page accessed by the terminal of the subject for which the access restriction is relaxed is acquired. The acquired characteristic word is transmitted to the terminal of the manager to display the characteristic word. A recovery operation is received from the terminal of the manager. The access restriction performed by the restriction unit is recovered, when the recovery operation is received.
    Type: Grant
    Filed: August 9, 2013
    Date of Patent: February 23, 2016
    Assignee: YAHOO JAPAN CORPORATION
    Inventor: Shinya Aoki
  • Patent number: 9268904
    Abstract: A structured query language (SQL) relational database management system (SQL RDBMS) may integrate a biometric subsystem to process and manage biometric data separately from the demographic data stored in normalized SQL tables of the SQL RDBMS. The SQL RDBMS may be operatively connected to the biometric subsystem by means of SQL extensions. The SQL RDBMS may execute queries with demographic and/or biometric constraints, wherein the demographic data is retrieved directly from normalized SQL tables on the RDBMS, while the biometric data is retrieved in the form of scores or probabilities from the biometric subsystem. The SQL RDBMS may return a query result set containing demographic data associated with corresponding biometric data, allowing the authentication of biometric clients.
    Type: Grant
    Filed: October 2, 2013
    Date of Patent: February 23, 2016
    Assignee: ImageWare Systems, Inc.
    Inventor: David Harding
  • Patent number: 9246906
    Abstract: A method, non-transitory computer readable medium, and network traffic management apparatus that receives an authentication request from a user of a client computing device, the request comprising credentials for the user. A connection is established with a selected one of a plurality of active directory servers using a stored Internet Protocol (IP) address for the selected active directory server. At least a portion of a fully qualified domain name of the selected active directory server is received in response to an anonymous lightweight directory access protocol (LDAP) query sent to the selected active directory server using the established connection. The user of the client computing device is authenticated using the at least a portion of the fully qualified domain name and the credentials.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: January 26, 2016
    Assignee: F5 Networks, Inc.
    Inventors: Dennis Zhou, Satoshi Asami, Roman Semenov
  • Patent number: 9246921
    Abstract: A secure external access method provides an external system with access to a device automation system implementing automatic control of one or more devices in an automation environment. The external access method enables external system access to devices only when the devices have been authorized for external access and the external system has the proper authentication credential. External access endpoints are dynamically defined by the web service automation applications and are unique to each installed instance of the web service automation application.
    Type: Grant
    Filed: January 20, 2014
    Date of Patent: January 26, 2016
    Assignee: SmartThings, Inc.
    Inventors: Scott David Vlaminck, Jesse Curtis O'Neill-Oine, Robert Max Florian, Jr., Jeffrey Hagins
  • Patent number: 9239920
    Abstract: Techniques for improving security of an electronics device are disclosed. In one aspect of the present disclosure, security of a device may be improved by generating a working key based on a hardware secret key and at least one security parameter of the device, e.g., with a key derivation function. The security parameter(s) may be related to software to be authenticated on the device and/or other aspects of security for the wireless device. The security parameter(s) may indicate whether the software is authorized and/or at least one operating function authorized for the software. At least one security function may be performed for the device based on the working key. For example, the working key may be used to encrypt, sign, decrypt, or verify data for the device. The working key may be used directly or indirectly by the software for the at least one security function.
    Type: Grant
    Filed: April 23, 2013
    Date of Patent: January 19, 2016
    Assignee: QUALCOMM Incorporated
    Inventor: Asaf Ashkenazi
  • Patent number: 9235697
    Abstract: Protecting the security of an entity by using passcodes is disclosed. A user's passcode device generates a passcode. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system, which authenticates the passcode by at least generating a passcode from a passcode generator, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device and by the administrator. This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on the rounded time.
    Type: Grant
    Filed: March 5, 2013
    Date of Patent: January 12, 2016
    Assignee: Biogy, Inc.
    Inventor: Michael Stephen Fiske
  • Patent number: 9235838
    Abstract: A flow control apparatus for controlling fluid flow in a petroleum reservoir. The flow control apparatus has a flow control mechanism, a controller operable to control the flow control mechanism to adjust fluid flow through the flow control mechanism, the controller comprising a processor operable to execute according to a control algorithm, and a non-volatile memory connected to the controller. The non-volatile memory includes instructions to cause the controller to execute an authentication mechanism operable to authenticate a control computer and to prevent operation of the controller until the authentication mechanism authenticates the control computer.
    Type: Grant
    Filed: June 7, 2007
    Date of Patent: January 12, 2016
    Assignee: Schlumberger Technology Corporation
    Inventors: Paul D. Gerardi, Valery Polyakov, Terizhandur S. Ramakrishnan, Bertrand du Castel
  • Patent number: 9237152
    Abstract: A method includes receiving data related to an individual, the data comprising a plurality of elements of personally-identifying information (PII). The method further includes building, via the plurality of elements of the PII, a compositional key for the individual. In addition, the method includes storing the compositional key and a biometric print for the individual as a biometric record in a biometric repository. The method also includes, via the compositional key, providing a plurality of federated entity (FE) computer systems with access to the biometric repository.
    Type: Grant
    Filed: June 14, 2014
    Date of Patent: January 12, 2016
    Assignee: CSIDENTITY CORPORATION
    Inventor: Harold E. Gottschalk Jr.
  • Patent number: 9225527
    Abstract: A secure (e.g., protected) storage drive for use with an associated computer device is disclosed. The secure storage drive allows access only when properly authenticated to the computer device attempting to access the secure storage drive. Additionally, other levels of authentication may be required prior to allowing access. For example, access may only be allowed if both the computer device and a user authenticated to the computer device are recognized by the secure storage drive. If access to the secure storage drive is not permitted, then the secure storage drive may remain hidden and not accessible to the operating system of the computer device. Accordingly, if hidden, no command of the operating system of the computer device can access, alter, or erase data on the secure storage drive.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: December 29, 2015
    Assignee: Coban Technologies, Inc.
    Inventor: Hung C Chang
  • Patent number: 9213852
    Abstract: In a method for limiting access to a digital item, a count for the digital item is stored, wherein the count is a number of accesses permitted for the digital item. A password for accessing the digital item is received. A plurality of password hashes is generated by utilizing one-way hash functions based on the number of accesses of the count and the password to generate the plurality of password hashes based on the count. The plurality of password hashes is stored in a password hash file.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: December 15, 2015
    Assignee: VMware, Inc.
    Inventor: Uday Kurkure
  • Patent number: 9213825
    Abstract: A login interface provided by a firmware setup utility is configured to display a two-dimensional barcode, such as a quick response (“QR”) code. The barcode is scanned by a mobile device configured to retrieve a timestamp encrypted within the barcode. The mobile device creates a passcode by re-encrypting the timestamp using a firmware setup password and a master key. The passcode is provided to the firmware setup utility, which retrieves the timestamp and compares it to a stored timestamp. If the timestamp values match, access to the firmware setup utility is permitted.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: December 15, 2015
    Assignee: American Megatrends, Inc.
    Inventors: William Gysin, Kai Yau
  • Patent number: 9213827
    Abstract: Systems and methods may provide for detecting a browser request for web content. Additionally, interaction information associated with a plurality of sources may be determined in response to the browser request, and a risk profile may be generated based on the interaction. The risk profile may include at least a portion of the interaction information as well as recommended control actions to mitigate the identified risk. In one example, the risk profile is presented to a user associated with the browser request as well as to a security control module associated with the platform.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: December 15, 2015
    Assignee: Intel Corporation
    Inventors: Hong Li, Alan D. Ross, Rita H. Wouhaybi, Tobias M. Kohlenberg
  • Patent number: 9203820
    Abstract: In a networked environment, a client side application executed on a client device may transmit a request to an authorization service for access to a resource. The authorization service may authenticate the user of client device and/or the client device based on user credentials and/or a device identifier. In response to authenticating the user and/or the client device, the authorization service may send to the client side application a request for confirmation that the client device complies with a distribution rule associated with the resource, where the distribution rule requires a specific application or specific type of application to be installed, enabled and/or executing on the client device as a prerequisite to accessing the resource. If the client device complies with the distribution rule, the client side application accesses the resource. Accessing the resource may include receiving an authorization credential required for access to the resource.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 1, 2015
    Assignee: AirWatch LLC
    Inventor: Erich Stuntebeck
  • Patent number: 9189788
    Abstract: A system and method of identity verification at a point-of-identification verification (POV) using biometric-based identity recognition and an identity verifying score based upon a presenter's initial identification presentment and their subsequent action in the system. The system also provides tracking and evaluates verifier activity within the system through biometric-based identity recognition and a performance score based upon their actions and the results of their actions within the system. System users register at least one biometric identifier and personal and/or business identity-verifying data. Users present a biometric sample obtained from their person and their system ID number to conduct identification transactions. This data is used to authenticate the user's identity to a percentage of reliability and allows a user with consistently positive ID verifications to establish a higher ID score, strengthening their credibility within the system.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: November 17, 2015
    Assignee: Open Invention Network, LLC
    Inventors: Timothy L. Robinson, Bradford R. Schildt, Tennille V. Goff, Daniel J. Corwin, Timothy Neil Watson
  • Patent number: 9191382
    Abstract: Methods and apparatus for authenticating computing device users are disclosed. An example method includes providing, on a display device of a computing device, a graphical user interface (GUI) including a user authentication display portion and receiving, from a remote authentication server, visual content and functional content corresponding with the user authentication display portion. The method further includes receiving, via the user authentication display portion, a set of user credentials and communicating the received user credentials to the remote user authentication server. The method still further includes receiving, from the remote user authentication server, an authorization message indicating whether or not authentication of the user credentials was successful. In the event authentication of the set of user credentials was successful, the user is granted access to the computing device.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: November 17, 2015
    Assignee: Google Inc.
    Inventors: Zelidrag Hornung, William A. Drewry, Sumit Gwalani, Christopher Masone
  • Patent number: 9189826
    Abstract: Implementations are provided herein relating to audiovisual matching. Audio and video channel data is merged to create a single multi-channel fingerprint used to match media content. Audio channel data is used to generate audio fingerprints. Video channel data is used to generate video fingerprints. Multi-channel fingerprints can then be generated based on the audio channel fingerprints and video channel fingerprints. In this sense, entropy can be increased while the multi-channel fingerprint can be less resistant to noise.
    Type: Grant
    Filed: September 5, 2013
    Date of Patent: November 17, 2015
    Assignee: Google Inc.
    Inventor: Matthew Sharifi