Authorization Patents (Class 726/17)
  • Patent number: 8826407
    Abstract: A mechanism for the flow of access by derivation is provided. An access point may be any object, such as files or functions, to which the access recipient is granted access rights by the access provider. Access is typically represented by a relationship object referencing the access provider function, the access recipient function, and the access point object, and a set of access rights. This membership access relationship object is typically represented as a subtype of the access relationship. When a membership access relationship is created, typically a new associated persona function is generated, representing the new identity created for the access recipient function while serving as a member of the access point function. When a persona function is invited to be a member in another function, that in turn generates a membership and a second persona that is derived from the first persona, resulting in identity derivation.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: September 2, 2014
    Assignee: Skai, Inc.
    Inventor: Charles E. Henderson
  • Patent number: 8826417
    Abstract: A processor-based system, including systems without keyboards, may receive user inputs prior to booting. This may be done using the graphics controller to generate a window which allows the user to input information. The system firmware may then compare any user inputs, such as passwords, and may determine whether or not to actually initiate system booting.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: September 2, 2014
    Assignee: Intel Corporation
    Inventors: Wah Yiu Kwong, Wayne L. Proefrock
  • Patent number: 8826396
    Abstract: A customer initiated password reset system resets user passwords on a variety of network entities, such as internal systems, allowing simultaneous reset with a minimum number of user specified passwords that nonetheless satisfy the password specifications of these internal systems. Thereby, the user avoids the tedium of logging into each of these systems, changing their password, logging out, etc., for each system with the likelihood of creating unique passwords for each system that have to be remembered. By further incorporating a score metric based upon how many character sets are touched, a required degree of complexity can be measured and enforced against the password specifications. Advantageously, a table-based approach to enforcing password reset against the multiple password specifications facilitates making and fielding updates.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: September 2, 2014
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Jeffrey John Jancula, Charles William Porter, Linda Lee Fix
  • Patent number: 8826416
    Abstract: In a method for unlocking an electronic device, a first image in a first area and a second image in a second area selected on a touch panel of the electronic device are received. The method combines the first image and the second image to obtain a selected combination image, and unlocks the electronic device upon the condition that the selected combination image is stored in a storage unit of the electronic device.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: September 2, 2014
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventors: Shu-Ping Chen, Hsiao-Ping Chiu
  • Patent number: 8823497
    Abstract: Biometric authorization is provided for a passive secure data card. An additional layer of security may be provided in the form of a biometric password. Session timing may be enforced to limit opportunities of third parties to snoop transmitted information while providing ample time to complete the card transaction. Biometric retries may be enforced to limit opportunities of third parties to hack the biometric security.
    Type: Grant
    Filed: February 14, 2012
    Date of Patent: September 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Richard Hutzler, Steve Ngoc Nguyen, Nelson Jay Smith, IV, Thomas Guthrie Zimmerman
  • Patent number: 8826382
    Abstract: A method of determining whether a response received from an electronic device is generated by a person or by automated software. The method receives a set of capabilities of the electronic device for detecting a group of actions that include at least a gesture or a device movement. The method selects a set of actions based on the device capabilities. The method sends a request to the electronic device for performing the set of actions in the plurality of actions. The method, based on a result of the set of actions performed on the electronic device, determines whether the set of actions are performed by a human.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: September 2, 2014
    Assignee: Apple Inc.
    Inventor: Mehul Kirtikant Sanghavi
  • Publication number: 20140245430
    Abstract: Embodiments of apparatus, computer-implemented methods, systems, and computer-readable media are described herein for a virtual machine manager, wherein the virtual machine manager is configured to selectively employ different views with different permissions to map guest physical memory of a virtual machine of the apparatus to host physical memory of the apparatus, to regulate access to and protect different portions of an application of the virtual machine that resides in different portions of the physical memory. Other embodiments may be described and/or claimed.
    Type: Application
    Filed: May 7, 2014
    Publication date: August 28, 2014
    Inventors: Harshawardhan Vipat, Ravi L. Sahita, Roshni Chatterjee, Madhukar Tallam
  • Patent number: 8819795
    Abstract: Disclosed are various embodiments for providing managed security credentials to network sites for authentication. Multiple accounts of a user are maintained for multiple network sites. A secured resource of a network site is to be accessed by a computing device. One of the accounts is identified according to a domain name of the network site. The account is associated with a different network site having a different domain name from the domain name. The computing device is automatically authenticated with the network site using a security credential associated with the account.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: August 26, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Daniel W. Hitchcock, Brad Lee Campbell
  • Patent number: 8819858
    Abstract: Various embodiments described and illustrated here include one or more of systems, methods, software, and data structures that may be used to implement policies for hardware access and monitoring control in concert with a premises security system that controls ingress and egress of a facility. One embodiment includes identifying when certain devices are removed or decoupled from a computer and preventing one or more users of that computer from leaving a facility within which the computer is located.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: August 26, 2014
    Assignee: CA, Inc.
    Inventor: Srikanth Mandava
  • Patent number: 8818897
    Abstract: A system and method for validation and enforcement of application security, wherein the user credentials and the integrity of a target application are verified before the target application is permitted to execute.
    Type: Grant
    Filed: December 15, 2005
    Date of Patent: August 26, 2014
    Assignee: Rockstar Consortium US LP
    Inventors: Zenon Slodki, Xiaoding Zhao, Cliff Wichmann
  • Patent number: 8819852
    Abstract: An image forming apparatus provided with an interface for a portable information recording medium, has an access control part carrying out access control, for respective ones of a plurality of resources which the image forming apparatus has, based on access control information defining whether or not usage thereof by a user is allowed, wherein the access control part carries out access control based on the access control information stored in the portable information recording medium.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: August 26, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Tsutomu Ohishi
  • Patent number: 8812861
    Abstract: A method and system for protection of and secure access to a computer system or computer network. The method includes the steps of receiving a first login account identifier, such as a user name from a user in communication with the computer system or network. A determination is made if the user is recognized and enrolled from the first login account from the first login account identifier. If the user is recognized, a grid of randomly generated visual images is displayed including one visual image from an image category which has been preselected by the user upon enrollment. An image category identifier is randomly assigned to each visual image in the grid. An image category identifier, second login account identifier, such as a password, is entered and received. If the login account identifier and the image category is validated, access is permitted to the computer system or network.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: August 19, 2014
    Assignee: Confident Technologies, Inc.
    Inventors: Steven L. Osborn, Nicholas A. Davis, James L. Sontag, Joel Norvell
  • Patent number: 8813183
    Abstract: A system is for a proof of knowledge enrollment or authentication. The system includes a processor having an input, an output and a routine; and a display having an image from the output of the processor. The routine is structured to input from the input of the processor a plurality of different position selections and/or a plurality of different path selections on the image. The routine is further structured to authenticate the proof of knowledge as a function of the plurality of different position selections and/or the plurality of different path selections on the image.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: August 19, 2014
    Assignee: Antique Books, Inc.
    Inventors: Robert H. Thibadeau, Scott C. Marks, Robert Thibadeau, Jr.
  • Patent number: 8813219
    Abstract: A method for generating a changing authentication input or password for a user is provided for accessing a computing device such as a smartphone or computer. Using objects displayed in sequential positions on a graphic display, and input strings of text or alphanumeric characters the user has related to each object, a password can be generated by placing the input strings in an order the same as the sequence. The password can be varied easily for each access attempt by changing the objects displayed and/or the sequence.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: August 19, 2014
    Inventor: Alejandro V Natividad
  • Patent number: 8813216
    Abstract: A method and system for providing security to a Network Job Entry (NJE) network. A first NJE node and a third NJE node are connected by a second NJE node. The second NJE node conducts a security check of NJE packets traveling between the first and third NJE nodes. The security check performed by the second NJE node includes checking the userid of the person or job that sent the NJE packet, as well as the NJE data type. The NJE data type may be classified by the type of operation being performed, such as a batch job, sysout, command, message, as well as what application is being used. In one preferred embodiment, the security check includes checking the security level of the source of the data being transferred, such as a sensitive application. The security check can be based on the size of the data packet, such that excessively large data packets from a particular user are not permitted to be transmitted outside a secure NJE network.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: William Joseph Bloemeke, Reid Anthony Cashion
  • Patent number: 8806613
    Abstract: The present disclosure relates to computer-implemented methods and systems for intelligent task management. An example method may include identifying one or more authorized entities. The method may further include broadcasting at least one task associated with a user to one or more devices associated with the one or more authorized entities. The method may further include receiving from the one or more authorized entities, via the one or more devices, an indication of acceptance of the at least one task. The method may further include selecting at least one trusted entity among the one or more authorized entities. The method may further include issuing at least one digital certificate to the at least one trusted entity to perform the at least one task.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: August 12, 2014
    Assignee: Intel Corporation
    Inventors: Alexandra C. Zafiroglu, Jennifer A. Healey, Victoria S. Fang, Tim Plowman
  • Patent number: 8806612
    Abstract: A verification method including a set flow and the identification flow is provided. The set flow includes: displaying an original outline pattern; executing a coloring operation on the original outline pattern in response to a user encryption coloring event to generate and display a colored outline pattern; storing the colored outline pattern. The identification flow includes: displaying an original outline pattern; executing a coloring operation on the original outline pattern in response to a user verification coloring event to generate and display a to-be identified colored outline pattern; determining whether the to-be identified colored outline pattern is equal to the colored outline pattern; if yes, triggering the verification pass event; if not, triggering the verification fail event.
    Type: Grant
    Filed: June 23, 2011
    Date of Patent: August 12, 2014
    Assignee: Quanta Computer Inc.
    Inventor: Yen-Pin Kao
  • Patent number: 8806494
    Abstract: Determining execution rights for a process. A user selects a process for execution. A driver intercepts the execution and communicates with a service or its remote agent. Configuration data is accessed to determine an execution role specifying whether the process should be denied execution or should execute with particular rights to access or modify system resources. The execution role is provided to the driver, and the driver allows or denies execution of the process in accordance with the provided execution role.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: August 12, 2014
    Assignee: Microsoft Corporation
    Inventors: Mark Russinovich, Bryce Cogswell, Wesley G. Miller
  • Patent number: 8806611
    Abstract: Methods and systems for message administration are described. In one embodiment, an application request for an application associated with an administration tool may be accessed. The application request may be associated with a user. The application may be deployed on a system machine. A particular access level of a plurality of access levels may be identified for the user on the administration tool. The particular access level may identify functionality of the administration tool available to the user. A determination of whether to allow processing of the application request based on the particular access level may be made. When the application request meets the particular access level, communication with the system machine from the administration tool may be made based on the application request. The system machine may be capable of processing the application request. Additional methods and systems are disclosed.
    Type: Grant
    Filed: December 2, 2008
    Date of Patent: August 12, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Beena Saroj, Brian Selsor, Kavitha D. Kasiviswanathan, Stefani A. Smith, Douglas F. Giacoletto, David J. Schwent, Timothy E. Braloski, Danny M. Marion
  • Patent number: 8806581
    Abstract: Methods and apparatus include securely launching a web browser from a privileged process of a workstation to minimize enterprise vulnerabilities. The workstation includes a restricted-capability web browser pointed toward a web server. An executable file is wrapped about the browser and imposes restrictions, such as preventing the writing to a registry or installing ActiveX controls. It also has functionality to prevent users from linking to web locations in other than an https protocol or following links beyond an original host. Upon indication of a forgotten password/credential, the restricted-capability web browser is launched toward a web server. Upon authentication of identity, the user changes their password/credential for later logging-on to the workstation, but in a capacity without the limited functionality or the imposed browser restrictions.
    Type: Grant
    Filed: February 6, 2012
    Date of Patent: August 12, 2014
    Assignee: Apple Inc.
    Inventors: W. Scott Kiester, Cameron Mashayekhi, Karl E. Ford
  • Patent number: 8806597
    Abstract: An information processing system including an information processing device connected to a first communication network, a terminal device connected to the first communication network, and a server device connected to a second communication network. The server device includes a receiving unit, a first request unit, and a providing unit. The receiving unit receives an instruction from the terminal device to provide the information processing device with a predetermined service. The first request unit presents a test to the information processing device to authenticate whether or not the information processing device is being operated by a human. The providing unit provides the information processing device with the service in accordance with the instruction. The terminal device includes an instruction unit and a response unit. The instruction unit sends the instruction to the server device. The response unit makes a response to the test on behalf of the information processing device.
    Type: Grant
    Filed: September 15, 2011
    Date of Patent: August 12, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Manabu Iwasaki, Shin Ohtake, Hiroyuki Hasegawa
  • Publication number: 20140223546
    Abstract: An access control system and method with location validation are provided. The method can include receiving a request from an authentication factor, identifying a location module associated with the authentication factor, identifying a location of the location module, and determining whether the location module is within a predetermined distance from the authentication factor or a control system, including an access panel of the control system, that received the request from the authentication factor. When the location module is within the predetermined distance from the authentication factor or the control system that received the request from the authentication factor, the method can include granting the request received from the authentication factor.
    Type: Application
    Filed: February 4, 2013
    Publication date: August 7, 2014
    Applicant: Honeywell International Inc.
    Inventor: Aneesh Kumar R
  • Patent number: 8800014
    Abstract: A system and method whereby the identity of a person, entity, device or the like attempting to gain access to a secured resource may be securely authenticated includes a means for receiving from a service client a request for access to a secured resource; means for generating and communicating to the purported authorized user a challenge string adapted to provide a basis for authenticating the identity of the requester; a means for receiving from the service client a response string corresponding to the challenge string; and a means for evaluating the response string to authenticate the identity of the requester. The secured resource has a common identifier by which it may be generally identified outside of the authentication system, but the request for access lacks sufficient information content for the service client to be able to determine the common identifier.
    Type: Grant
    Filed: October 23, 2011
    Date of Patent: August 5, 2014
    Inventor: Gopal Nandakumar
  • Patent number: 8800026
    Abstract: An information terminal device is provided that may use the input functionality of a touch panel to remove the restriction on the use thereof, for example, release the key lock. The information terminal device (1) is an information terminal device including a display (11) and a touch panel (12), including: a pattern storage memory (43) configured to store a release pattern that is to be entered into the touch panel (12) to remove the restriction on the use of the information terminal device, the release pattern being designated by a user as a graphic pattern; a comparison unit (44) configured to determine whether an entered pattern entered into the touch panel matches the release pattern; and a controller (34) configured to remove the restriction on the use of the information terminal device if the comparison unit (44) determines that the entered pattern matches the release pattern.
    Type: Grant
    Filed: June 13, 2011
    Date of Patent: August 5, 2014
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Makoto Tamaki
  • Patent number: 8800056
    Abstract: Embodiments of the present disclosure provide a method and system for guided implicit authentication. The system first receives a request to access the controlled resource from a user. The system then determines whether the user request is inconsistent with regular user behavior by calculating a user behavior measure derived from historical contextual data of past user events. Next, the system allows the user to provide information associated with regular user behavior and/or current contextual data. The system further updates the user behavior measure based on current contextual data.
    Type: Grant
    Filed: August 12, 2011
    Date of Patent: August 5, 2014
    Assignee: Palo Alto Research Center Incorporated
    Inventor: Richard Chow
  • Patent number: 8800027
    Abstract: An authentication method and system provides for a user requesting authentication where the authentication request includes Personally Identifiable Information (PII) such as geolocation data. The user's device requesting authentication alters or encrypts the PII in order to prevent the PII's unintentional discovery by third parties or to comply with jurisdictional requirements for the safeguarding of PII. The receiving party saves the altered or encrypted PII for later use. In order to use the PII and perform calculations for authentication, the receiving party requests a trusted third party with knowledge of the methodology or key used to alter or encrypt the PII to perform calculations on the original values of the PII without saving the PII. The trusted third party returns a computed value to the receiving party where it is used to determine whether the user will be authenticated.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 5, 2014
    Assignee: EMC Corporation
    Inventor: Karl Ackerman
  • Patent number: 8793785
    Abstract: A microprocessor includes a model specific register (MSR) having an address, fuses manufactured with a first predetermined value, and a control register. The microprocessor initially loads the first predetermined value from fuses into the control register. The microprocessor also receives a second predetermined value into the control register from system software of a computer system comprising the microprocessor subsequent to initially loading the first predetermined value into the control register. The microprocessor prohibits access to the MSR by an instruction that provides a first password generated by encrypting a function of the first predetermined value and the MSR address with a secret key manufactured into the first instance of the microprocessor and enables access to the MSR by an instruction that provides a second password generated by encrypting the function of the second predetermined value and the MSR address with the secret key.
    Type: Grant
    Filed: October 15, 2013
    Date of Patent: July 29, 2014
    Assignee: Via Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks
  • Patent number: 8793782
    Abstract: A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined if the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the compliance node.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: July 29, 2014
    Assignee: Crimson Corporation
    Inventor: Jin Su
  • Patent number: 8793762
    Abstract: A method of playing content across a network includes receiving, at a media player, an input from a user selecting media located on a network, sending a request across a network comprised of devices employing a common security protocol, the request to identify peer devices on the network, receiving a response across the network from a peer device, and accessing the media from a content memory of the peer device. A method of tracking valid peers on a secure media network includes receiving, at a media player, an input from a user selecting media located on a peer device on the network, performing an authentication test of the peer player, determining if a latency associated with the peer player meets a criterion, and updating a latency log on the media player to include the peer player.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: July 29, 2014
    Assignee: Secure Content Storage Association LLC
    Inventors: Aaron Marking, Kenneth Goeller, Jeffrey Bruce Lotspiech
  • Patent number: 8792416
    Abstract: In a mobile communication system, a radio device is configured to transmit notification information transmitted from a distribution server, to a mobile station, by use of broadcast communication. The distribution server 10 includes a key transmitter unit 12 configured to transmit a public key of the distribution server 10 to the mobile station UE; the radio device RNC, Node B includes a notification information transmitter unit 22, 42, 42A configured to transmit, to the mobile station UE, the notification information transmitted from the distribution server 10; and the mobile station UE includes an authentication unit 36 configured to authenticate the validity of the received notification information in reference to an electronic signature for the notification information.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: July 29, 2014
    Assignee: NTT DoCoMo, Inc.
    Inventors: Ryo Kitahara, Katsuhiro Noguchi
  • Publication number: 20140208415
    Abstract: The variable domain data access control system and method described herein use the same variable domain to describe a data security model and a variable domain data model, such as a product configuration model. A variable domain is a set of resource data that can be described using a logical relationship data structure. The variable domain utilizes logical relationship expressions, such as a Boolean logic language, to define resource data in terms of parts, rules and/or attributes, and any other property that can be accessed for viewing, manipulation, or other purposes. The data security model represents an access control list (ACL) that includes security attributes as resource data and uses the same data structure and logical relationship expressions as an associated variable domain data model. An application, such as a configuration engine, can be used to create controlled access to the variable domain data model using the data security model.
    Type: Application
    Filed: November 19, 2013
    Publication date: July 24, 2014
    Applicant: Versata Development Group, Inc.
    Inventors: Jacy M. Legault, Jon Loyens
  • Publication number: 20140208416
    Abstract: An authentication controller coupled to a first communication port of a portable media device is allowed to provide authentication on behalf of an accessory device coupled to a second communication port of the portable media device. In one embodiment, a cross transport connector includes a connector configured to couple with an accessory and a connector configured to couple with a portable media device such that the accessory can be coupled to the second communication port of the portable media device. The cross-transport connector also includes an authentication controller. The authentication controller may request authentication from the media device over the first communication port of the portable media device. The request may also include an identifier of the second port, to which authenticated permissions obtained via the first port may be transferred.
    Type: Application
    Filed: January 20, 2014
    Publication date: July 24, 2014
    Applicant: Apple Inc.
    Inventor: Gregory T. Lydon
  • Publication number: 20140208414
    Abstract: Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.
    Type: Application
    Filed: January 22, 2013
    Publication date: July 24, 2014
    Applicant: Amazon Technologies, Inc.
    Inventor: Amazon Technologies, Inc.
  • Patent number: 8789165
    Abstract: A method may be for detecting potentially suspicious operation of an electronic device configured to operate in the course of activity sessions. The method may include within the device, a metering, from an initial instant of the number of activity sessions having a duration below a first threshold, and a comparison of this number with a second threshold.
    Type: Grant
    Filed: February 15, 2011
    Date of Patent: July 22, 2014
    Assignees: STMicroelectronics (Rousset) SAS, STMicroelectronics N.V.
    Inventors: Marco Bildgen, Jean Devin
  • Patent number: 8789139
    Abstract: Example embodiments disclosed herein relate to an automated test to tell computers and humans apart. Building blocks are assembled to generate an image for a test. When the building blocks are configured in at least one orientation, the image includes a line. One or more of the building blocks can be rotated to generate the at least one orientation. The test can be sent to a device. The test is not oriented in the at least one orientation.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: July 22, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Jean-Charles Picard
  • Patent number: 8788834
    Abstract: A computer-implemented method for altering the state of a computing device via a contacting sequence is described. A contacting sequence is detected on a display of the computing device in a first state. The contacting sequence is compared to at least one contacting sequence stored in a database. A determination is made whether the detected contacting sequence matches at least one contacting sequence stored in the database. If the detected sequence matches at least one contacting sequence stored in the database, the first state of the computing device is altered to a second state.
    Type: Grant
    Filed: May 25, 2010
    Date of Patent: July 22, 2014
    Assignee: Symantec Corporation
    Inventor: Xiaolu Sang
  • Publication number: 20140201830
    Abstract: Provided is an application program launching method and system for improving security of an embedded Linux kernel by distributing superuser privileges. The method includes: searching security set information on an application program selected by a user; changing a user account for a processor of the application program to a user ID associated with the application program in the security set information; setting a capability for the processor according to setting information for the capability in the security set information; changing a basic directory for the processor according to a basic directory in the security set information; and launching the application program.
    Type: Application
    Filed: March 18, 2014
    Publication date: July 17, 2014
    Applicants: Electronics and Telecommunications Research Institute, Samsung Electronics Co., Ltd.
    Inventors: Kang-Hee Kim, Dong-Hyouk Lim, Yong-Bon Koo, Yung-Joon Jung, Yong-Gwan Lim, Jae-Myoung Kim
  • Patent number: 8782752
    Abstract: Servers are configured to operate in two or more threshold security planes with each such threshold security plane implementing at least a portion of a corresponding threshold security protocol involving at least a subset of the servers. The servers are implemented on at least one processing device comprising a processor coupled to a memory. Multiple ones of the servers may be implemented on a single processing device, or each of the servers may be implemented on a separate processing device. At least one of the servers may be part of at least two of the threshold security planes. A given request for a protected resource is processed through each of the planes in order for a corresponding user to obtain access to the protected resource. By way of example, the security planes may comprise two or more of an authentication plane, an access control plane and a resource plane.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: July 15, 2014
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nirav Mehta
  • Patent number: 8782776
    Abstract: A simple, customizable and intuitive virtual combination unlock method and system. More specifically, an unlock system and method is disclosed which includes a virtual combination lock, where the virtual combination lock includes several rows of user-selectable images such as pictures or icons as the virtual combination wheels. In certain embodiments, the images are accessed via the user's database. To unlock the device, the user touches and drags pre-selected images into alignment with each other. Security can be adjusted by changing the number of images that need to be aligned to unlock the device.
    Type: Grant
    Filed: January 4, 2012
    Date of Patent: July 15, 2014
    Assignee: Dell Products L.P.
    Inventor: Roy Stedman
  • Patent number: 8782778
    Abstract: A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: July 15, 2014
    Assignee: Numecent Holdings, Inc.
    Inventors: Arthur Shingen Hitomi, Robert Tran, Peter Joseph Kammer, Doug Pfiffner, Huy Nguyen
  • Patent number: 8775188
    Abstract: Embodiments of the present invention provide a method for voice approval, where the method includes: receiving voice approval request information sent by an enterprise application server; establishing a voice communication connection with the terminal according to the contact information of the approver terminal; sending approval content audio information corresponding to the voice approval request information to the approver terminal; receiving feedback information, and obtaining approval result information according to the feedback information; and sending the approval result information to the enterprise application server. Embodiments of the present invention also provide a device and system for voice approval. In the embodiments of the present invention, the enterprise application server and the enterprise gateway are combined and improved to enable an approver to approve, in voice mode, an approval request raised by an applicant, thereby increasing the approval efficiency.
    Type: Grant
    Filed: July 25, 2013
    Date of Patent: July 8, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Weijun Deng, Yu Yin, Liyan Song
  • Patent number: 8775819
    Abstract: A method of authorising a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: July 8, 2014
    Assignee: Activcard Ireland Limited
    Inventors: Laurence Hamid, Robert D. Hillhouse
  • Patent number: 8776212
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: July 8, 2014
    Assignee: SurIDx, Inc.
    Inventor: Norman Schibuk
  • Patent number: 8773683
    Abstract: When a user uses one of a plurality of image forming apparatuses from one of a plurality of terminals, an authentication server determines, on a user by user basis, whether he/she is permitted to use each image forming apparatus, and detects if any of the image forming apparatuses is in a troubled state and incapable of executing a prescribed function. If one image forming apparatus is in a troubled state and the user requests another, trouble-free image forming apparatus to execute a job utilizing a function of the trouble-free image forming apparatus, the authentication server permits execution of the job if the user is permitted to use the image forming apparatus in the troubled state. Thus, the user can get a print even if a usually used image forming apparatus is unavailable.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: July 8, 2014
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Ryoh Hamada
  • Patent number: 8776215
    Abstract: In one or more implementations, a computing device receives an indication that a device is attempting to pair with the computing device. If a user is not currently authenticated with respect to the computing device, inputs received by the device are restricted from being used by the computing device for uses other than authenticating the user.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Zachary W. Little, Alain Luc Michaud
  • Patent number: 8776213
    Abstract: A system for authenticating the user of a computing device comprises an authorized user directory. Each record is uniquely associated with an authorized user and includes at least a computing device ID value that is a globally unique value assigned to the authorized user's computing device, a group of unique depictions such as photographs, and an identification of a key depiction. Portions of each image form fiducials recognizable by the user. The record further includes trace pattern verification data representing continuous trace strokes between pairs of the fiducials within the key depiction. To authenticate, the group of images is displayed to the user. The user must first select the key image and secondly trace continuous trace strokes between the pairs of fiducials to match the trace pattern verification data.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: July 8, 2014
    Assignee: Bottomline Technologies (DE), Inc.
    Inventors: Brian Smith McLaughlin, Leonardo B Gil, Marshall Joseph Tracy, Erik Vaughn Mitchell, Jeffrey Todd Dixon
  • Publication number: 20140189851
    Abstract: A non-transitory computer readable medium may include executable instructions which, when executed by a processor, cause the processor to authenticate a user, and to retrieve a user profile based on the user. The instructions further cause the processor to apply the user profile to restrict an operation of a non-destructive testing (NDT) device.
    Type: Application
    Filed: December 31, 2012
    Publication date: July 3, 2014
    Applicant: General Electric Company
    Inventors: Michael Christopher Domke, Robert Carroll Ward, Francois Xavier De Fromont, Jason Howard Messinger, Scott Leo Sbihli
  • Publication number: 20140189850
    Abstract: A mobile electronic device operates in accordance with at least two different application configurations. The device starts by operating in accordance with the first configuration after it receives a first access credential. The first configuration includes a hidden security application. When the device executes the hidden security application, a user may enter a second access credential via the second security application. When the device receives the second access credential, it then switches to a second application configuration.
    Type: Application
    Filed: December 31, 2012
    Publication date: July 3, 2014
    Inventor: Aaron Marshall
  • Publication number: 20140189852
    Abstract: A user is presented with one or more user-level permissions in a human understandable language, where the one or more user-level permissions represent one or more application-level permissions requested from an application for accessing one or more resources. A security profile is generated having one or more operating system (OS)-level permissions based on at least one of the user-level permissions authorized by the user. The security profile is enforced to restrict the application to accessing the one or more resources based on the OS-level permissions.
    Type: Application
    Filed: January 2, 2014
    Publication date: July 3, 2014
    Applicant: Apple Inc.
    Inventors: Michael A. Swingler, Thomas J. O'Brien
  • Patent number: 8769228
    Abstract: An anti-malware approach uses a storage drive with the capability to lock selected memory areas. Platform assets such as OS objects are stored in the locked areas and thus, unauthorized changes to them may not be made by an anti-malware entity.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: July 1, 2014
    Assignee: Intel Corporation
    Inventors: Paritosh Saxena, Nicholas D. Triantafillou, Paul J. Thadikaran, Mark E. Scott-Nash, Sanjeev N. Trika, Akshay Kadam, Karthikeyan Vaidyanathan, Richard Mangold