Abstract: An apparatus and a method for generating a unique user identification code for a user of a biometric security system are presented. No biometric information is stored either within the security system or on a device, and the method enables a unique user identification code to be generated to allow multi-system identification of the same user. The method includes receiving a public key from the system, obtaining a characteristic from the user, generating a biometric value from the characteristic, creating the identification code by combining and encrypting the generated biometric value and the system supplied public key, and transmitting the identification code to the system for authentication.

Abstract: The subject disclosure is generally directed towards an automated mechanism in a computer network or system that controls resource access to any resource designated as needing multiparty authorization. In one aspect, a resource that needs multiparty authorization before access is allowed is identified, along with policy that specifies an authorizer (or multiple authorizers) for the resource. An access control list may contain metadata that indicates the need for multiparty authorization. Authorization may be provided via a token, which may be cached for future use.

Abstract: A method includes transmitting a User ID and a full Password of a user of a client device to a server via the client device, and then establishing a network connection between the client device and the server after the User ID and the full Password. The method also includes receiving, from the server via the client device, an encrypted secret PIN (ESPIN) and a challenge for corresponding positions of a Partial Password, entering the Partial Password via the client device, and computing a secret PIN (SPIN) from the ESPIN via the client device in response to a correct entry of the Partial Password. The Additional Factor is unlocked using the SPIN, and the unlocked Additional Factor is transmitted to the server to request authentication of the user of the client device. The client device includes a processor and memory having instructions for the above method.

Abstract: The OTP generator 104 may alternatively be electrically connected to the client-side computing device 102, for example, via a Universal Serial Bus (USB) interface. Further, the OTP generator 104 may alternatively be a server or other type of module that is accessible over the network 110, or it may be a software component resident on the client-side computing device 102. As another alternative, the OTP generator 104 may be distributed over multiple devices, one of which may be the client-side computing device 102.

Abstract: Techniques for user authentication are disclosed. In some situations, the techniques include receiving, from a client device, an authentication request to access a network resource, the request including a user identifier, obtaining a security credential associated with the user identifier contained in the received request, generating an authorization code based on the obtained security credential, providing to the client device instructions to obtain first information corresponding to the generated authorization code, receiving, from the client device, the first information provided in response to the provided instructions, and, when the first information received from the client device corresponds to at least a portion of the generated authorization code, authorizing the client device to access the network resource.

Abstract: A mechanism is provided for establishing a trust relationship between two products. A resource device receives a registration request from an application device to access a resource on the resource device by an application and users of the application on the application device. The resource device sends a registration response using a redirection uniform resource identifier (URI) provided with the registration request, where the registration response includes an authorization code and a symmetric key in response to authenticating the registration request. The resource device receives an access token request that includes the symmetric key, verifiable authentication data, and the redirection URI. The resource device sends an access token to the application device in response to validating the access token request, where the access token allows for access to the resource on the resource device thereby establishing the trust relationship between the resource device and the application device.

Abstract: Described is a technology by which the identity of a person (e.g., a customer in a commercial transaction) is determinable without active identification effort, via biometric data is obtained without action by the person. Machine processing of the biometric data over a set of possible persons, determined from secondary proximity sensing, is used to determine or assist in determining the identity of the person.

Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.

Abstract: A method for securing a transaction between a transaction device and an external device is described. The transaction device includes a communication controller, an application processor, and an input device. The method includes requiring the user to enter agreed transaction data via the input device, monitoring the transaction data designated to be sent to the external device or received from the external device, and preventing the transaction data designated to be sent from being sent to the external device if the transaction data designated to be sent is different from the agreed transaction data, or rejecting the received transaction data if the received transaction data is different from the agreed transaction data.

Abstract: A semiconductor device has: as security states to which the nonvolatile memory device can transition, an unprotected state in which, when secret information is not set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted, and reading the stored information is permitted; a protection unlocked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted on condition that a result of authentication using the secret information is correct, and reading the stored information is permitted; and a protection locked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is inhibited until correctness as a result of authentication using the secret information is confirmed, and reading the stored information is inhibited under a predetermined condition.

Abstract: Methods and systems for configuring a network are disclosed. An example method can comprise receiving a first token and an encryption key from a first device. A second token can be received from a second device. A determination can be made as to whether the first token matches the second token. Configuration information can be provided to the second device if the second token matches the first token. The configuration information can comprise information for connecting to a proxy configured on the first device. A request for content can be received from the proxy on behalf of the second device. The request for content can comprise the encryption key.

Abstract: A first electronic device, a second electronic device and methods for operating the same are provided. The method of the first electronic device includes obtaining wearing status information of a second electronic device which is wearable, and determining a security environment of the first electronic device based on the wearing status information. The method of the second electronic device includes detecting a wearing status of the second electronic device, confirming at least once of a security level and a user profile corresponding to the wearing status, and sending information of the security level or the user profile to a first electronic device.

Abstract: A privacy-preserving identity system is described herein that combines low disclosure tokens with an identity metasystem to allow proof of a user's identity and other claims about the user in a manner that preserves the user's privacy by avoiding disclosing unnecessary information about the user. A low or minimal disclosure token is a security token that encodes claims in such a way that (1) the token can be long-lived, (2) the token can be presented in an unlinkable manner, or (3) the user can minimally disclose the encoded information to respond to an unanticipated Relying Party policy. Using the privacy preserving system within an identity metasystem, users can obtain long-lived, low disclosure tokens from the Identity Provider and later present them to Relying Parties; thus improving both users' privacy and the system's scalability.

Abstract: A display device is disclosed. The display device comprising: a display unit; a sensor unit; a storage unit; and a processor configured to: provide feedback for indicating a security on state of selected first information when selection input for selecting the first information in the security on state is detected, when a security off input for clearing security is detected in response to the feedback, obtain the fingerprint using the display unit, and convert the first information in the security on state into a security off state when the obtained fingerprint is matched with a pre-stored fingerprint, when a security maintenance input for maintaining security is detected in response to the feedback, maintain the security on state of the first information.

Abstract: An electronic circuit 120 includes a more-secure processor (600) having hardware based security (138) for storing data. A less-secure processor (200) eventually utilizes the data. By a data transfer request-response arrangement (2010, 2050, 2070, 2090) between the more-secure processor (600) and the less-secure processor (200), the more-secure processor (600) confers greater security of the data on the less-secure processor (200). A manufacturing process makes a handheld device (110) having a storage space (222), a less-secure processor (200) for executing modem software and a more-secure processor (600) having a protected application (2090) and a secure storage (2210).

Abstract: An embodiment relates generally to a method of binding a token to a user. The method includes receiving a token embedded with an address and inserting the token into a computer. The method also includes connecting to the address stored on the token and binding a user to the token based on information from the address.

Abstract: A user-wearable device includes a housing and a band that straps the housing to a portion of a user's body (e.g., wrist). One or more skin contact sensors in and/or on the housing can sense biometric information of a user wearing the device. An authentication module performs or receives results of an authentication determination that compares the sensed biometric information to baseline biometric information to determine whether they match. An on-body detector uses one or more of the sensors to determine whether the device is being worn by a user. After a user is authenticated based on a match between the sensed and baseline biometric information, the authentication module continually concludes that the user is authenticated for at least a period of time, without an additional comparison between sensed and baseline biometric information, if the on-body detector detects that the user-wearable device is still being worn by the user.

Abstract: A system and method for providing or exchanging healthcare information (e.g., medical information) to authorized users in a secure manner. The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable to: assign identification information to a plurality of users and a plurality of items; associate the identification information of a user of the plurality of users with one or more items of the plurality of items; set-up security policies including predetermined locations, within predetermined stages within a sequence and during predetermined times; and provide the user access to the one or more items when there is a matching between the identification information of the user and the one or more items, and all of the security policies associated with the user and the one or more of the plurality of items are met.

Abstract: The invention relates to a wireless device, configured for ensuring authentication of a user, to a reference unit configured for ensuring authentication of a user of the wireless device and to a method for ensuring authentication of a user. The wireless device comprises a checking unit configured for scanning a distance to a reference unit and for checking if the distance scanned lies within a predetermined range such that authentication of the user is ensured. In this way, a wireless device is provided which is simple and cost-effective to realize and increases security by making sure that the rightful owner is available without the need of asking for PIN codes, passwords or other measures, such as biometric recognition, i.e. voice recognition, fingerprint recognition, retina recognition and the like.

Abstract: Embodiments relate to systems for, and methods of, reporting authentication failures in a security system that includes a token reader and a host. The authentication failure report may include an identification of the type of authentication failure.

Abstract: A bundle-to-bundle authentication process is presented that provides a flexible authentication mechanism to application bundles for accessing the persistence bundle of a modular application and requesting security sensitive data from a database. The modular application comprises a plurality of bundles such as application bundles, connector bundles, persistence bundles, authentication bundles, and so on. During runtime of the modular application, the application bundles and the connector bundles may need access to security protected resources (sensitive data) stored in the database. To access these resources, the application bundles and the connector bundles should authenticate themselves with the persistence bundle. The persistence bundle provides the communication with the database.

Abstract: A system and method for realizing specific security features for a mobile device that may store sensitive and private data by providing secured communications to a paired remote device. In this respect, both the mobile device (which may be a mobile phone, for example) and the paired remote device (which may be a keychain, for example) include a SIM card that may have identification data stored therein. Once paired, the two devices may communicate encrypted security messages back and forth in order to implement various security measures to protect data and wireless communications. Such messages may be generated from initial information known only to each respective device such as a randomly generated offset number and a common time reference.

Abstract: A method and apparatus for brokering the enablement of the communication of encrypted media programs from a plurality of independent broadcasters to a plurality of receivers is disclosed. The system makes use of a pairing key for each provided service, which is differently encrypted by a pairing server and by the broadcaster providing the service. The encrypted versions of the pairing key are decrypted in a first receiver module using information known to the pairing service but not the broadcaster and in a second receiver module using information known to the broadcaster. The pairing key is used to cryptographically bind the first and second receiver modules.

Abstract: Methods, apparatus and articles of manufacture for implementing cryptographic devices operable in a challenge-response mode are provided herein. A method includes storing a set of authentication information in a first cryptographic device associated with a user, receiving a challenge in the first cryptographic device in connection with a user authentication request responsive to a request from the user to access a protected resource, wherein the challenge comprises an index of at least one non-sequential portion of the authentication information stored in the first cryptographic device, and outputting a non-sequential portion of the authentication information from the set of authentication information stored in the first cryptographic device in response to the challenge for use in authenticating the user.

Abstract: A system for enabling data syncing between a host device and an electronic device includes a first port configured to be coupled to a first electronic device, a second port configured to be coupled to the host device, and a data sync switch coupled to the first port and the second port. The data sync switch is switchable between a first state, in which data communication between the electronic device and the host device is enabled, and a second state, in which data communication between the electronic device and the host device is disabled. The system also includes an authorization device configured to couple to an authorizing physical object and generate an output signal. The data sync switch is in one of the first state and the second state based on the output signal from the authorization device.

Abstract: A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device.

Abstract: A portable data or information carrier in the form of a smart card with partially or fully virtualized components. To maximize the confidentiality of information stored in the carrier, and more specifically to limit the amount of information available to a potential defrauder, electronic components such as circuits, I/O, cryptographic, memory and dummy objects are built, modified or influenced on demand from physical characteristics of an eligible person or device. Digitized unique biometric or hardware identifiers are read upon start-up and runtime of the device and, in case of an eligible person or device, subsequently supply all values necessary for determination of the characteristics of the user specific virtual smart cards objects, their placement and connections. By multi-factor authentication, the end-user or device will retain sole control of its keys and use them for authentication, signature or encryption purposes as if he had a physical smart card in his hand.

Abstract: An intermediary system facilitates a connection request from a client to a server. The intermediary system may participate in either or both of a token creation phase and a server connection phase. If participating in the token creation phase, the intermediary system generates a token that may later be used by the client during a server connection phase. The token includes a session identifier and is returned to the client. If participating in the server connection phase, the intermediary receives the token, which is sent from the client in conjunction with a connection request, extracts the session identifier from the token, and compares against the session identifier for the session in which the token was created. If the session identifiers match, then the intermediary connects to the server to complete the connection request for the client.

Abstract: (EN) The invention relates to an authentication device (TK) set to identify itself to a computer (PC) as a native human interface device. It also relates to a system comprising an authentication device (TK) and a computer (PC), as well as to a method to have a computer (PC) recognize an authentication device (TK).

Abstract: A smart card, system, and method for securely authorizing a user or user device using the smart card is provided. The smart card is configured to provide, upon initialization or a request for authentication, a public key to the user input device such that the PIN or password entered by the user is encrypted before transmission to the smart card via a smart card reader. The smart card then decrypts the PIN or password to authorize the user. Preferably, the smart card is configured to provide both a public key and a nonce to the user input device, which then encrypts a concatenation or other combination of the nonce and the user-input PIN or password before transmission to the smart card. The smart card reader thus never receives a copy of the PIN or password in the clear, allowing the smart card to be used with untrusted smart card readers.

Abstract: A function performing apparatus includes a function performing unit, an operation unit, a processor and memory. The function performing apparatus receives a first instruction from a portable device, determines whether first authentication information is to be registered in an authentication memory, registers the first authentication information in authentication the memory, transmits the first authentication information, receives a second instruction including the first authentication information from the portable device, changes a state of the function performing apparatus from a non-permission state to a permission state if the second instruction is received while the first authentication information is registered in the authentication memory and changes the state from the non-permission state to the permission state if second authentication information is input to the function performing apparatus by the operation unit while the second authentication information is registered in the authentication memory.

Abstract: A function performing apparatus includes a function performing unit performing a specific function, a processor, and memory storing computer-readable instructions therein, the computer-readable instructions, when executed by the processor, causing the function performing apparatus to perform, in response to receiving a user authentication information when the user authentication information has been registered in an authentication memory, transitioning a state of the apparatus from a non-permission state to a permission state, registering, in the authentication memory, a device authentication information in association with the user authentication information upon establishing a first connection with a portable device, and transitioning the state of the apparatus from the non-permission state to the permission state when a second connection with the portable device is established and the device authentication information is obtained from the portable device.

Abstract: A processing apparatus includes a process performing unit, an operation unit, a processor and memory. The processing apparatus receives first identification information from a communication device, acquires second identification information input by the operation unit, determines whether registration of the first and second identification information is permitted, registers registration information in which the first and second identification information are associated, when the first identification information is received after registering the registration information, performs authentication based on the first identification information, and, when the second identification information is acquired after registering the registration information, performs authentication based on the second identification information.

Abstract: A communication system detects particular application protocols in response to their message traffic patterns, which might be responsive to packet size, average packet rate, burstiness of packet transmissions, or other message pattern features. Selected message pattern features include average packet rate, maximum packet burst, maximum future accumulation, minimum packet size, and maximum packet size. The system maintains a counter of packet tokens, each arriving at a constant rate, and maintains a queue of real packets. Each real packet is released from the queue when there is a corresponding packet token also available for release. Packet tokens overfilling the counter, and real packets overfilling the queue, are discarded. Users might add or alter application protocol descriptions to account for profiles thereof.

Abstract: In order to create and access a secure storage account in a non-volatile memory device, an account identification value is calculated. A memory identification value is read from a first non-volatile memory device. The memory identification value and the account identification value are transmitted to a second non-volatile memory device, and a calculated credential is received. A command is transmitted to create a secure storage account in the first non-volatile memory device, where the command contains the credential and the account identification value. To access the account, a sequence is transmitted, containing the account identification value and a value based on the credential. A secure storage system contains a first non-volatile memory device that stores a memory identification value and contains a secure partition accessible using a credential, a second non-volatile memory device that can compute the credential, and a host adapted to create and access the secure partition.

Abstract: A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information.

Abstract: A method and apparatus are provided for mediating access to a shared object in a naive computer system having a shared-nothing operating system layered on a shared file system. At least one primary token is utilized as a tool to mediate ownership of one or more shared objects in the naive system. A secondary token is created and utilized to mediate ownership of one or more shared objects. The secondary token created and utilized in limited circumstances, such as when the owner of the primary token ceases communicating with one or more requesters of the primary token.

Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.

Abstract: A method of providing a user with an option to access a protected system by satisfying a reduced security measure is disclosed. An attempt by the user to access the protected system is detected. It is detected that a first security token system is within a first proximity to the protected system. Based on the detecting of the attempt by the user to access the protected system and the detecting that the first security token system is within the first proximity, the user is provided with the option to access the protected system by satisfying the reduced security measure.

Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.

Abstract: Method for monitoring an online identity of a user on a network is described. In one example, data exchanged between a browser client on a device associated with the user and the network is monitored. Creation or use of an online identity by the user is detected within the data. The online identity is associated with a host site. The host site may be any of a plurality of point of presence sites. A notification of the online identity is generated for presentation to a custodian of the user. The notification may then be sent to the custodian.

Abstract: A biometrics authentication device utilizes biometrics information and performs individual authentication enables secure modification of authorization details for an authorized agent other than the principal. A verification device verifies biometrics information registered on an IC card against biometrics information detected by a detection unit. When results in satisfactory biometrics authentication, modification of authorization details of an authorized agent, registered on the IC card, is permitted. Authorization details for an authorized agent can be securely modified on a card on which biometrics information for the principal and the authorized agent is registered.

Abstract: Provided is a license management system comprising: a license check device that independently operates on a platform; and an information processing device that is connected to the license check device, in which the license check device includes: a license check unit that checks for presence or absence of a license of the information processing device; a first start unit that starts the license check unit in response to a call instructed by the platform; and a calling unit that calls, when the license check unit determines that the license is present, the information processing device, and in which the information processing device includes: an information processing unit that performs a specific information processing; and a second start unit that starts the information processing unit only in response to the call from the license check device.

Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.

Abstract: The pureness of a connection between an external device and a host computer can be inspected or monitored to determine the status: connected or disconnected. When it is determined that a disconnection state is entered, an indication can be sent to the host and, in parallel, the data transportation from and/or to the external device may be manipulated. In some embodiments an exemplary connection protector device (CPD) may be added to the connection in between the external device and the host. The CPD can have two connectors one for the host and one for the cable of the external device. The CPD can be adapted to identify any disconnection in the connection with the host and/or the connection with the external device on the other side of the CPD.

Abstract: A method and apparatus are provided to allow a user of a communications device to utilize one-time password generators for two-way authentication of users and servers, i.e., proving to users that servers are genuine and proving to servers that users are genuine. The present invention removes the need for a user to have a separate physical device, e.g., token, per company or service, reduces the cost burden on the companies and allows for two-way authentication via multiple access methods, e.g., telephone, web interfaces, automatic teller machines (ATMs), etc. Also, the present invention may be utilized in consumer and enterprise applications.

Abstract: Systems, methods, and apparatus are disclosed for electronically sharing data using authentication variables, such as biometrics and contextual data. Example contextual data includes machine identifications (IDs) and data collected from sensors of computing devices.

Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.

Abstract: A data storage system comprises a removable drive with memory for storing data, and an identifier for identifying the removable data cartridge. A host computer can be coupled in data communication with the removable data cartridge, with a driver for performing data operations thereon. The driver is configured to perform the data operations with encryption, in the presence of the identifier, and to perform the data operations without the encryption, in the absence of the identifier.

Abstract: A device may receive a request for analytics information associated with a user device. The device may retrieve application programming interface (API) information associated with the request for analytics information. The API information may include information associated with providing an authorization token and with providing user device information. The device may determine demographic information based on the request for analytics information. The demographic information may be associated with a user of the user device. The device may determine the analytics information based on an analysis of the API information and the demographic information. The device may provide the analytics information.