Authorization Patents (Class 726/17)
  • Patent number: 8607064
    Abstract: A biometric authentication device performs authentication of a user based on biometric information. In the biometric authentication device, a registry information storage stores pre-registered biometric information as registry information. An acceptance value determiner determines a verification acceptance value used for authentication, based on quality of the registry information with regard to reliability of characterizing an individual. An authentication information acquirer obtains biometric information of a user as authentication information. A similarity calculator compares the authentication information of the user with the registry information and calculates similarity between the authentication information and the registry information. An authenticator identifies whether the user is a registrant corresponding to the registry information, based on the similarity and the verification acceptance value.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: December 10, 2013
    Assignee: Hitachi-Omron Terminal Solutions, Corp.
    Inventors: Masatsugu Uneda, Tsukasa Yasue, Atsuhiro Imaizumi
  • Patent number: 8601551
    Abstract: Embodiments of the present invention may provide a system and method for business data provisioning for a pre-emptive security audit. In one aspect, a method embodiment may comprise the steps of identifying the business resources as expressed in business terms, ensuring that applications dealing with (parts of) the business resources are aware of the link to the resource, transmitting the information about the used business resources throughout the call stack up to the UI, making use of the highest access enforcement point possible where it can be ensured that access to the protected resource is only done through either authorized users or trusted code, and having this access enforcement point taken over by a framework to ensure adequate protection even in extensibility scenarios.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: December 3, 2013
    Assignee: SAP AG
    Inventors: Cristina Buchholz, Bare Said
  • Patent number: 8601535
    Abstract: An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.
    Type: Grant
    Filed: July 26, 2010
    Date of Patent: December 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: SweeFen Goh, Richard T. Goodwin
  • Patent number: 8593252
    Abstract: An electronic lock box system includes a wireless portable transponder that communicates with an electronic lock box using a low power radio link. The portable transponder includes: a wide area network radio to communicate to a central clearinghouse computer, a motion sensor to activate its wide area network radio, and a connector to communicate with a secure memory device. The electronic lock box sends a hail message that is intercepted by the portable transponder; the hail message includes identification information. The portable transponder responds with a message that includes a time sensitive encryption key; the lock box authenticates this response message using its own time sensitive encryption key. If the messages are authenticated, the lock box sends an access event record to the portable transponder, and this access event record is stored in the secure memory device. If a wide area network is available, the portable transponder sends the access event record to the central clearinghouse computer.
    Type: Grant
    Filed: September 16, 2010
    Date of Patent: November 26, 2013
    Assignee: SentriLock, LLC
    Inventor: Scott R. Fisher
  • Patent number: 8595807
    Abstract: A method, a system, and a device for implementing device addition in a Wireless Fidelity (Wi-Fi) Device to Device (D2D) network are provided, which belong to the field of communication. The method includes: receiving, by a first D2D client device, a first add request message forwarded by a D2D master device, in which the first add request message carries an identifier of a new device to be added to the D2D network; receiving a first Personal Identification Number (PIN) code of the new device; and forwarding the received first PIN code to the D2D master device, in which the first PIN code of the new device is used for implementing that the D2D master device performs Wi-Fi Protected Setup (WPS) security configuration of the new device according to the first PIN code.
    Type: Grant
    Filed: May 16, 2011
    Date of Patent: November 26, 2013
    Assignee: Huawei Device Co., Ltd.
    Inventors: Yongli Yang, Zhiming Ding, Guiming Shu, Xilei Liu
  • Patent number: 8595825
    Abstract: An image processing apparatus capable of reducing the number of processing flows and also reducing the time and effort required by a user in searching for a desired processing flow. The image processing apparatus includes an authentication unit adapted to execute user authentication, and an execution unit adapted to execute processing on image data with a plurality of processes as a sequential processing flow while making a plurality of different functions cooperate with one another. Setting data personalized for a user authenticated by the authentication unit is obtained, and the plurality of processes is registered as a sequential processing flow. The processing flow is executed with a part of the processing flow replaced by processing personalized for the user set in the setting data, upon executing the registered processing flow.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: November 26, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takayuki Homma
  • Patent number: 8595824
    Abstract: Methods, systems, and techniques for task-based access control are provided. Example embodiments provide a task-based access control system “TBACS,” which provides task-based permissions management using proxy task objects. In one example embodiment, the proxy task objects encapsulate activities, comprising one or more privileges, each associated with an object upon which the privilege can act. In some examples, proxy task objects may be used with a virtualization infrastructure to delegate permissions to delegate users, real or automated. Proxy task objects may also be associated with their own user interfaces for performance of the corresponding activities.
    Type: Grant
    Filed: March 4, 2011
    Date of Patent: November 26, 2013
    Assignee: VMware, Inc.
    Inventor: Conrad Albrecht-Buehler
  • Patent number: 8595794
    Abstract: Auditing a communication is disclosed. Credentials are received from a client. It is determined whether the client is authorized to communicate with a remote resource. If it is determined that the communication with the remote resource is allowed, a communication is forwarded from the local resource to the remote resource.
    Type: Grant
    Filed: April 13, 2007
    Date of Patent: November 26, 2013
    Assignee: Xceedium, Inc.
    Inventor: David Van
  • Publication number: 20130312084
    Abstract: A method and system is provided for assessing the cumulative set of access entitlements to which an entity, of an information system, may be implicitly or explicitly authorized, by virtue of the universe of authorization intent specifications that exist across that information system, or a specified subset thereof, that specify access for that entity or for any entity collectives with which that entity may be directly or transitively affiliated. The effective system-level access granted to the user based upon operating system rules or according to access check methodologies is determined and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
    Type: Application
    Filed: April 23, 2013
    Publication date: November 21, 2013
    Inventor: Sanjay Tandon
  • Publication number: 20130312085
    Abstract: According to an embodiment, there is provided an information processing apparatus including: a storage unit that stores therein information, which is set for a screen to be displayed on an information display unit, as to whether or not to permit an external input device to enter data to the information processing apparatus, and information as to whether or not to permit data entered from an external input device; an external-input-unit control unit that controls data entry to the screen from an external input device by utilizing information about a type of the external input unit and the information as to whether or not to permit the external input unit to enter data; and an input-key control unit that controls the data entry permitted by the external-input-unit control unit by consulting the information as to whether or not to permit data entered from the external input unit.
    Type: Application
    Filed: May 9, 2013
    Publication date: November 21, 2013
    Inventors: Tsuyoshi Shigemasa, Kiyoshi Kasatani
  • Patent number: 8590057
    Abstract: A server may receive encryption key requests that each identify a sender of the encryption key request and at least one recipient of information that is to be encrypted with the requested encryption key. In response, an encryption key may be sent to the sender of the encryption key request. Information identifying the sender and the at least one recipient may be stored. The server may receive decryption key requests that each identify a sender of the decryption key request and a sender of encrypted information. In response, a decryption key may be sent to the sender of the decryption key request if and only if the sender of encrypted information and the sender of the decryption key request, as both identified by the information in the decryption key request, match, respectively, a sender of an encryption key request and an associated recipient, as both identified by the stored information.
    Type: Grant
    Filed: July 15, 2011
    Date of Patent: November 19, 2013
    Assignee: Cellco Partnership
    Inventors: Amir Mayblum, Ye Huang
  • Patent number: 8590020
    Abstract: A system and method is presented for authentication, so as to control access to a resource. A set of objects (for example, a set of images) is established in advance between the user and the service for which the user is to be authenticated. During the authentication, the user, instead of inputting an alpha-numeric password, will be sent several sets (e.g., tables) containing the previously specified objects (e.g., images) in some arrangement (e.g., spatial pattern) among other objects (images). In order to authenticate, the user is shown additional tables, and must determine, as to each, whether it contains the same set of specified objects in the same spatial relationship as in the first table shown. After the user has correctly identified which tables reflect the specified objects in the requisite pattern, the user will be considered authenticated, and will then be granted access to the requested resource (for example, a bank account).
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: November 19, 2013
    Inventor: Veronika Orlovskaya
  • Patent number: 8590060
    Abstract: A method and apparatus for interfacing a host computer with a hard drive cartridge is disclosed in one embodiment. The virtual device interface is divided between a kernel component in a driver stack of the kernel space and a user component configured to run in user space. The kernel component passes data commands from the operating system to a cartridge dock while separating other commands that are passed to the user component. The user component authenticates the kernel component and/or the hard drive cartridge. Use of the removable hard drive cartridge is also authorized by the user component.
    Type: Grant
    Filed: October 8, 2010
    Date of Patent: November 19, 2013
    Assignee: Tandberg Data Holdings S.A.R.L.
    Inventor: Daniel J. Walkes
  • Patent number: 8590026
    Abstract: The present invention provides a method and system for automated test for human presence at a client device capable of receiving touch sensitive response. At a server, the method includes receiving and storing user profile information. Receiving request from client device to access a resource on a server. Generating a query based on the user profile information and the query requiring user to generate a touch sensitive response. Receiving the user generated response and authenticating the user if the touch sensitive response matches a predefined response for the query stored on the server.
    Type: Grant
    Filed: July 11, 2011
    Date of Patent: November 19, 2013
    Assignee: Infosys Limited
    Inventors: R. Sravan Kumar, Ashutosh Saxena
  • Patent number: 8590029
    Abstract: A mechanism is provided for managing access authorization to forums open to anonymous users within an organization. A token distributor application provides a unique token to each member of a community or organization. The application is trusted by all members to not store an association between the authenticated user and the token when a token is assigned. The only control exerted by the token distributor is to block users who have already obtained a token from receiving another token. The communication tool or collaboration space may accept creation of a new anonymous identity, such as a nickname, to any individual supplying a token assigned by the token distributor application. An administrator may ban users by token. A banned user cannot access the communication tool or collaboration space using a nickname associated with a banned token.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventor: Marcello Vitaletti
  • Publication number: 20130305349
    Abstract: In one embodiment of the present invention, a method of providing access management to a user is provided. This method includes running an application on a platform; linking a set of access permissions to the application by means of an apparatus; providing a user access to the application by means of an access manager; and allowing the user access to the application only after a predetermined number of access permissions from the set are satisfied. The apparatus may be a pager, a mobile phone, a feature phone, or a smart phone. The set of access permissions may comprise one or more questions that must be answered correctly. The questions may be selected to assist in the learning of an academic subject. The questions may be selected to assist in preparing the user for a standardized test.
    Type: Application
    Filed: June 5, 2013
    Publication date: November 14, 2013
    Inventor: Clair F. Wheeler
  • Publication number: 20130305350
    Abstract: An information handling system includes a memory and a processor to execute instructions stored in the memory, which causes the processor to at least: send identification information to a second information handling system in response to an identification request broadcast from the second information handling system via a short-range communication; receive first authentication information for a local application and a remote service from the second information handling system; receive a copy of the local application; authenticate a user for the copy of the local application and for the remote service prior to the user logging on to the information handling system; receive second authentication information from the user to access the information handling system; authenticate the user to the information handling system; and automatically initiate a secure session between the copy of the local application and the remote service when the user is authenticated to the information handling system.
    Type: Application
    Filed: July 15, 2013
    Publication date: November 14, 2013
    Inventors: Philip M. Seibert, Abu Sanaullah, Charles D. Robison, JR., Claude L. Cox, Jason A. Shepherd
  • Patent number: 8581698
    Abstract: A method, apparatus and computer program product are provided to permit location discovery, including location discovery in indoor settings. The method may identify a wireless signature present at a geographical location and determine whether the wireless signature corresponds to a previously observed wireless signature associated with the predefined geographical location. In instances in which the wireless signature fails to correspond to a previously observed wireless signature, the method may also receive an identification of a geographical location and associate, such as by means of a processor, the wireless signature with the identification of the geographical location. A corresponding computer program product and apparatus are also provided.
    Type: Grant
    Filed: November 25, 2008
    Date of Patent: November 12, 2013
    Assignees: Nokia Corporation, Massachusetts Institute of Technology
    Inventors: Jonathan Ledlie, Jamey Hicks, Seth J. Teller, Dorothy W. Curtis, Jonathan Battat, Benjamin Charrow
  • Patent number: 8582137
    Abstract: A multifunction peripheral that can set appropriate criteria of security levels for another device, and improves usability while lowering a risk of data alteration, information leakage and the like by including a holding part 11 holding therein security criteria set for the image processing functions in one-to-one correspondence; a receiver 12 that receives, from an external terminal, a request for an access that is necessary for executing at least one of the image processing functions; an acquisition part 13 that acquires, from the external terminal, security information that is a security indicator regarding the access from the external terminal; a judgment part 15 that judges whether or not one of the security criteria set for the at least one of the image processing functions is met, based on the acquired security information; an access controller 16 that permits the access if the judgment part 15 judges affirmatively, and prohibits the access or permits the access with a limitation if the judgment part 15
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: November 12, 2013
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventors: Tomonari Yoshimura, Atsushi Ohshima, Masami Yamada, Masakazu Murakami
  • Patent number: 8584231
    Abstract: Embodiments of the present invention relate to a service opening method and system, and a service opening server. The method includes: receiving a service request from a third-party application, where the service request carries type and parameter information of the requested service; querying, according to the type information of the service, a service directory to obtain an access address and authentication type information of the requested service; when it is determined that the invoking of the service needs an authorization of an end user, obtaining an authorization notification message of the end user according to the type information of the service and the parameter information of the service; and forwarding the service request to a capability server, and forwarding, to the third-party application, a service response message returned by the capability server. The control of the end user on the authorized service is ensured to the greatest extent.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 12, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Xianjun Zou
  • Patent number: 8578471
    Abstract: According to one embodiment, an information processing apparatus includes an input to input a password, a biological authentication device including a storage unit for storing biological information and identification information, and an authentication controller. The authentication controller sets and holds identification information to be stored in the storage unit of the biological authentication device, and permits a password input using the input to be substituted by authentication using the biological authentication device when the identification information held by itself and the identification information stored in the storage unit of the biological authentication device match.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: November 5, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Ken Hatano
  • Patent number: 8577356
    Abstract: An electronic mobile device that includes a controller including at least one processor, for controlling operation of the mobile device, a display coupled to the controller, and a navigational input mechanism coupled to the controller and responsive to user manipulation thereof. The controller, in one input mode, moves a selection marker on a user interface screen on the display in response to user manipulation of the navigational input mechanism, and in a second input mode, authenticates a user of the device in dependence on a sequence of input events resulting from user manipulation of the navigational input mechanism matching a predetermined passcode sequence.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: November 5, 2013
    Assignee: BlackBerry Limited
    Inventors: Alexander Kornilovsky, Alexei Skarine
  • Patent number: 8576071
    Abstract: An automatic lock and automatic unlock method for a computer system and the associated computer system are provided. The method includes steps of detecting whether a user is in a predetermined range when a computer system is in an unlock status and recording a duration during which the user is not in the predetermined range, controlling the computer system to enter a lock status when the duration is greater than a predetermined time, determining whether the user has an effective authority when the computer system is in the lock status and the user is detected in the predetermined range, and controlling the computer system to enter the unlock status when the user has the effective authority.
    Type: Grant
    Filed: December 14, 2009
    Date of Patent: November 5, 2013
    Assignee: MStar Semiconductor, Inc.
    Inventors: Yung-Chih Lo, Feng-Jian Chou, Chih-Yuan Hsieh, Wei Chang
  • Patent number: 8578473
    Abstract: A method of verifying a password and methods of encryption and decryption using a key generated from a one-time pad. In one embodiment, the method of verifying includes: (1) receiving a password attempt, (2) retrieving a pointer from memory, (3) searching a one-time pad based on the pointer to retrieve a password, (4) comparing the password attempt with the password and (5) generating a new pointer if the password attempt matches the password.
    Type: Grant
    Filed: March 25, 2009
    Date of Patent: November 5, 2013
    Assignee: LSI Corporation
    Inventor: Lloyd W. Sadler
  • Publication number: 20130291091
    Abstract: A telecommunications apparatus has secure operation based on geographic location. A positioning mechanism determines a geographic location for the telecommunications apparatus. A processor identifies a secure domain and determines an availability of an application programming interface for the based on the geographic location, wherein at certain geographic locations access to the application programming interface is restricted, and at other geographic locations access to the application programming interface is unrestricted.
    Type: Application
    Filed: June 29, 2013
    Publication date: October 31, 2013
    Inventor: James B. McGuire, JR.
  • Publication number: 20130291090
    Abstract: In one embodiment, a method comprises receiving, by a user identifier circuit, a button pressure signature specifying a sequence of button pressure values sampled while a corresponding identified button of a user input device is pressed by a user; the user identifier circuit identifying the user of the user input device based on the button pressure signature; and the user identifier circuit outputting a message identifying the identified button and the identified user.
    Type: Application
    Filed: June 27, 2013
    Publication date: October 31, 2013
    Inventors: John TOEBES, Anthony John WASILEWSKI, Philip Clifford JACOBS, Matthew KUHLKE
  • Patent number: 8570540
    Abstract: In the case where an attribute of a general-purpose file to be processed is an attribute inhibiting printing, an MFP selects a transmission function, which is one of output functions of the MFP, as a function that can be performed (selected) in response to an output instruction, and displays a screen for transmission. In the case of an attribute permitting a document assembly function, the MFP determines that a bind function is a function that can be performed (selected), and displays a screen for the function. In the case of an attribute inhibiting the document assembly function, the MFP determines that a function of adding information to a file, which is one of the output functions of the MFP that does not implement the document assembly function, is a function that can be performed (selected), and displays a screen for the function.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: October 29, 2013
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventors: Kazuo Inui, Hiroaki Kubo, Nobuhiro Mishima, Kenji Matsuhara
  • Patent number: 8571521
    Abstract: A method of controlling a mobile terminal by displaying simultaneously a plurality of menu icons comprising at least one restricted use icon and at least one non-restricted use icon; performing a user authentication procedure responsive to user selection of the at least one restricted use icon; and unlocking the mobile terminal responsive to user selection of the at least one non-restricted use icon or responsive to completion of the user authentication procedure.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: October 29, 2013
    Assignee: LG Electronics Inc.
    Inventors: Minjoo Kim, Isu Byun, Jiwoon Kim, Sanghyuck Lee, Inyong Hwang
  • Patent number: 8572381
    Abstract: A method, apparatus and computer program product for providing challenge protected user queries on a local system is presented. A query is presented to a user. A response to the query is received and a determination is made whether the response is administratively less desirable than a threshold. When the response is administratively less desirable than said threshold, then a challenge is provided to the user. The response is accepted when the user responds correctly to the challenge and the response is not accepted when the user fails to correctly respond to the challenge.
    Type: Grant
    Filed: February 6, 2006
    Date of Patent: October 29, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Philip J. S. Gladstone
  • Patent number: 8572754
    Abstract: Systems and methods for facilitating unlocking a device connected locally to a client, utilizing a server located remotely from the client and the device, are provided in accordance with various aspects of the subject technology. In one aspect, a system includes a proxy configured to receive, at the client, at least one string descriptor request from the server over a network, where the at least one string descriptor request is associated with switching an interface of the device from a first interface type to a second interface type. The system further includes a stub driver configured to receive the at least one string descriptor request from the proxy, and to direct the at least one string descriptor request to the device.
    Type: Grant
    Filed: February 25, 2011
    Date of Patent: October 29, 2013
    Assignee: Wyse Technology Inc.
    Inventors: SriramKumar Raju, Puneet Kaushik
  • Publication number: 20130283371
    Abstract: A device for controlling access to a computer system, the device comprising at least one multifunctional port capable of being connected to various categories of peripherals and an access interface capable of being connected to the computer system, wherein the device comprises access management means connected between the multifunctional port and the interface, the access management means being physically configured to authorize the interface access by means of a peripheral connected to the multifunctional port, only if said peripheral belongs to a category of peripherals specifically and permanently associated with the multifunctional port to which same is connected.
    Type: Application
    Filed: December 26, 2011
    Publication date: October 24, 2013
    Applicant: ELECTRICITE DE FRANCE
    Inventors: Pascal Sitbon, Arnaud Tarrago, Pierre Nguyen
  • Publication number: 20130283369
    Abstract: In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed.
    Type: Application
    Filed: June 25, 2013
    Publication date: October 24, 2013
    Inventors: Ned M. Smith, Vedvyas Shanbhogue, Geoffrey S. Strongin, Willard M. Wiseman, David W. Grawrock
  • Publication number: 20130283370
    Abstract: A method and device for monitoring calls to an application program interface (API) function includes monitoring for a memory permission violation of a computing device caused by the API function call. If a memory permission violation occurs, control of the computing device is transferred to a virtual machine monitor to intervene prior to execution of the API function. The virtual machine monitor may perform one or more actions in response to the API function call.
    Type: Application
    Filed: December 14, 2011
    Publication date: October 24, 2013
    Inventors: Harshawardhan Vipat, Ravi Sahita
  • Publication number: 20130283368
    Abstract: An architecture for multi-core and many-core processor systems includes a set of resource managers having a hierarchy of at least one level. The resource managers act as trusted proxies for the operating system (OS) kernel to manage resources for applications. The application may include a trusted secure specification defining resource and access privileges of the associated application.
    Type: Application
    Filed: October 9, 2012
    Publication date: October 24, 2013
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Daniel G. WADDINGTON, Chen TIAN
  • Patent number: 8566953
    Abstract: A named object view of a report is generated from an electronic data file. Objects in the file to be published are identified in the file. A named object view of the report associated with the file is generated by displaying published identified objects according to associated viewing rights. A viewer at a client is presented with the named object view of the report, according to the viewing rights, such that the viewer's attention is focused on the published objects.
    Type: Grant
    Filed: September 24, 2007
    Date of Patent: October 22, 2013
    Assignee: Microsoft Corporation
    Inventors: John Campbell, Boaz Chen, Daniel Battagin, Eran Megiddo, Yariv Ben-Tovim
  • Patent number: 8566113
    Abstract: Methods, systems and computer program products are provided for providing a level of anonymity to patient records/information. A unique user identification (ID) associated with a current user is received at an interface of a computer database environment. A first role code associated with a first role of the current user is received at the interface of the computer database environment. The current user is allowed access to a defined set of patient records/information in the computer database environment. The defined set of patient records/information being defined based on the user ID and the first role code of the current user.
    Type: Grant
    Filed: February 7, 2006
    Date of Patent: October 22, 2013
    Assignee: International Business Machines Corporation
    Inventors: Robert R. Friedlander, James R. Kraemer
  • Patent number: 8566918
    Abstract: According to one embodiment, an apparatus may intercept a request to access a resource represented by a resource token. The apparatus may receive a hard token representing identification information of a device. The apparatus may determine, based at least in part upon the hard token and the resource token, at least one token-based rule specifying compliance criteria required to consume the resource. The apparatus may receive at least one token representing compliance information of the device in response to a request for compliance information of the device. The apparatus may then compare the compliance information against the compliance criteria to determine that the device is capable of consuming the resource. The apparatus may then generate a compliance token representing the determination that the device is capable of consuming the resource, and communicate the compliance token to facilitate the provisioning of a container to the device.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: October 22, 2013
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8566586
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 22, 2013
    Assignee: BeyondTrust Corporation
    Inventor: Marco Peretti
  • Publication number: 20130276097
    Abstract: An electronic device includes a display, a fingerprint sensor, and a processing unit. The display invites a user for a first input fingerprint. The fingerprint sensor receives the first input fingerprint of the user. If the first input fingerprint matches a first pre-stored fingerprint, the display invites the user to give a second input fingerprint. The fingerprint sensor receives the second input fingerprint. If the second input fingerprint matches a second pre-stored fingerprint, the processing unit allows the user to enter the electronic device. A user authentication method for the electronic device is also provided.
    Type: Application
    Filed: December 26, 2012
    Publication date: October 17, 2013
    Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
    Inventor: CHIH-HANG CHAO
  • Publication number: 20130276098
    Abstract: A computer device and method are provided to handle COM objects. A COM creating unit intercepts a request for creation of an elevated COM object by a first user process, determines whether the first user process is entitled to access the COM object, and creates the COM object without elevated privileges. A COM implementing unit intercepts a second user process that implements the COM object, confirms that the second user process is entitled to access the COM object and elevates the privilege level of the second user process to implement the elevated COM object.
    Type: Application
    Filed: March 19, 2013
    Publication date: October 17, 2013
    Applicant: Avecto Limited
    Inventors: Mark James Austin, John Goodridge
  • Patent number: 8561173
    Abstract: An authentication processing apparatus, which includes: an authentication processing section that performs authentication using an authentication method selected from authentication methods provided; a storage section that stores authentication information indicating whether or not the authentication succeeds; a determination section that, when an operation on electronic information associated to one or more authentication methods is performed, determines whether the operation on the electronic information is permitted or not, on the basis of the one or more authentication methods associated to the electronic information and the stored authentication information; and an authentication request section that, when the determination section determines that the operation on the electronic information is not permitted, detects from among the one or more authentication methods associated to the electronic information an authentication method for which it is not indicated in the authentication information that an au
    Type: Grant
    Filed: March 26, 2008
    Date of Patent: October 15, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Ryotaro Hayashi
  • Patent number: 8561169
    Abstract: A data processing apparatus and method are provided for managing access to a display buffer. The data processing apparatus has a display buffer for storing an array of display elements for subsequent output to a display controller, with each display element having a security permission indication associated therewith identifying whether that display element is a secure display element or a non-secure display element. At least one processing unit is provided for executing a non-secure process and a secure process, each process issuing access requests when seeking to access display elements in the display buffer, and each access request specifying a location in the display buffer. Interface logic is associated with the display buffer for receiving each access request and is arranged for at least each access request issued by the non-secure process to determine the security permission indication associated with the display element currently stored at the location specified by that access request.
    Type: Grant
    Filed: December 5, 2007
    Date of Patent: October 15, 2013
    Assignee: ARM Limited
    Inventors: Peter William Harris, Peter Brian Wilson, David Paul Martin, Timothy Charles Thornton
  • Patent number: 8561146
    Abstract: Methods and systems are provided for decentralizing user data access rights control activities in networked organizations having diverse access control models and file server protocols. A folder management application enables end users of the file system to make requests for access to storage elements, either individually, or by becoming members of a user group having group access privileges. Responsibility for dealing with such requests is distributed to respective group owners and data owners, who may delegate responsibility to authorizers. The application may also consider automatically generated proposals for changes to access privileges. An automatic system continually monitors and analyzes access behavior by users who have been pre-classified into groups having common data access privileges. As the organizational structure changes, these groups are adaptively changed both in composition and in data access rights.
    Type: Grant
    Filed: April 12, 2007
    Date of Patent: October 15, 2013
    Assignee: Varonis Systems, Inc.
    Inventors: Yakov Faitelson, Ohad Korkus
  • Patent number: 8561138
    Abstract: In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: October 15, 2013
    Assignee: Intel Corporation
    Inventors: Michael M. Rothman, Vincent Zimmer
  • Publication number: 20130269025
    Abstract: A scope hierarchy corresponding to a resource to which a type of access is requested is identified, the scope hierarchy including multiple scope levels each of which has an associated access control list. An access control list associated with a lower scope level can further restrict access permitted to the resource by an access control list associated with a higher scope level. Based at least in part on one or more of the access control lists associated with the multiple scope levels, a determination is made as to whether the requested type of access to the resource is permitted.
    Type: Application
    Filed: June 5, 2013
    Publication date: October 10, 2013
    Inventors: Raja P. Perumal, Jeffrey B. Hamblin, Paul J. Leach
  • Patent number: 8555375
    Abstract: The invention relates to a configuration method for a control unit of a machine, the control unit having a data memory and being mounted in a machine control system having at least one already configured control unit with a data memory, the to-be-configured control unit communicating via a data connection with the already configured control unit of the machine control system and retrieving therefrom configuration data for its own configuration.
    Type: Grant
    Filed: June 5, 2006
    Date of Patent: October 8, 2013
    Assignee: Bomag GmbH
    Inventors: Martin Schofl, Christian Fondel, Robert Laux
  • Patent number: 8555049
    Abstract: A terminal that performs secure boot processing when booting, thereby booting reliably even if, during updating of a software module, the power is cut off or the update is otherwise interrupted. The terminal comprises a CPU, a software module storage unit, a certificate storage unit, an updating unit for updating the software module and certificate, a security device provided with a configuration information storage unit for storing the configuration information of the software module, an alternate configuration information storage unit for storing the configuration information of a software module in the configuration before the update, and a boot control unit for verifying and executing the software module by using the certificate. The terminal verifies the certificate of the software module by comparing the configuration information stored by the configuration information storage unit with the configuration information stored by the alternate configuration information storage unit.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: October 8, 2013
    Assignee: Panasonic Corporation
    Inventors: Hisashi Takayama, Hideki Matsushima, Takayuki Ito, Tomoyuki Haga, Kenneth Alexander Nicolson
  • Patent number: 8555344
    Abstract: Described herein are systems and methods for fallback operation within WLANs that rely on remote authentication procedures. When a primary network node authentication process fails, fallback access control parameters associated with a secondary network node authentication process are exchanged between a network node and an authentication server, wherein the secondary network node authentication process allows the network node to access other resources of a computer network.
    Type: Grant
    Filed: June 4, 2004
    Date of Patent: October 8, 2013
    Assignee: McAfee, Inc.
    Inventors: Ulrich Wiedmann, Terrance L. Lillie, Richard P. Sneiderman, Christian Wiedmann, Robert Zeljko
  • Patent number: 8554177
    Abstract: An apparatus and method for unlocking a mobile device using pattern recognition are provided. The apparatus includes a touch sensor unit sensing a predetermined pattern touch-input to a liquid crystal display (LCD) unit, a pattern recognition unit recognizing information about the input pattern sensed by the touch sensor unit, a pattern comparison unit comparing information about the input pattern recognized by the pattern recognition unit with information about a predetermined pattern set by a user, and a controller controlling supply of power to the LCD unit to enable the user to use the mobile device if the input pattern and the predetermined pattern are equal to each other as compared by the pattern comparison unit.
    Type: Grant
    Filed: December 4, 2008
    Date of Patent: October 8, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Hae-Dong Yeo
  • Patent number: 8555376
    Abstract: A method is disclosed for a peripheral portable desktop device. The peripheral portable desktop device is coupled with a workstation. In a second mode of operation, a portion of the peripheral portable desktop device is operatively coupled with the workstation for operation therewith to provide an ancillary function. In a first mode of operation data within the peripheral portable desktop device is used to support a personal desktop on the workstation.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: October 8, 2013
    Assignee: Imation Corp.
    Inventor: Laurence Hamid