Abstract: Systems, methods, and media for authentication are provided. In accordance with some implementations, the system comprises: a hardware processor that is programmed to: receive, from a device, a message relating to an authentication status of a user account associated with the device; transmit an authentication request to the device that is transmitted to an authentication server; receive, from the device, a response to the authentication request that includes authentication data relating to a session corresponding to the user account on the authentication server; cause an interface to be presented that requests authorization to authenticate the device with the authentication server using the user account; and transmit the authentication data to the device that causes the device to retrieve a corresponding authentication token from the authentication server, wherein the corresponding authentication token authenticates the user account on the device.

Abstract: Embodiments of various systems and methods described herein provide an identity security database analytics system which is configured to provide security alerts to a user. The security alerts can include for personalized metrics related to potential identity theft incidents. The personalized metrics can include user specific information on security breaches of the user's personal information as well as depersonalized statistics generated based on information of other users having one or more similar characteristics of the user.

Abstract: A client-side, bearer token-based decentralized authentication system and associated method are, from a user's perspective, similar to familiar, centralized third-party authentication techniques.

Abstract: Maintenance and monitoring of target wait time (TWT) sessions is described. An example includes establishing at least a first target wake time (TWT) session for a first station, the first TWT session having a first set of parameters defining a wake time, wake duration, and wake interval for service periods of the first TWT session; selecting the first TWT session for health status determination; selecting a check window for the health status determination and monitoring transmissions from the first station within the check window; based at least in part on the monitoring of the transmissions from the first station, calculating a first TWT session health status value for the first TWT session; and determining whether corrective action is required for the first TWT session based at least in part on the first TWT session health status value.

Abstract: In an evaluation device, a receiver part receives, from an authentication device, a hash value of a user identifier for identifying a user, which is generated in a terminal unit used for the login by the user, and information indicating a login environment of the terminal unit, which is encrypted in the terminal unit. A decoding part decodes the encrypted information indicating the login environment of the terminal unit. A risk calculation part calculates an evaluation value that indicates a risk of the login being an unauthorized access based on a statistic related to a degree of similarity between the login environment of the terminal unit and a previous login environment by the user corresponding to the hash value. A transmitter part 120b transmits a comparison result between the calculated evaluation value and a predetermined threshold.

Abstract: A method for unlocking a screen by using a fingerprint includes: sending, by a fingerprint sensor, a first notification to a control chip and concurrently sending a second notification to a display driver chip of a screen when detecting that a finger presses or touches a fingerprint recognition area; completing, by the display driver chip according to the second notification, preparation work before the screen is turned on; verifying, by the control chip according to the first notification, fingerprint information collected by the fingerprint sensor and pre-stored fingerprint information; and if the verification succeeds, unlocking the screen and turning on the screen.

Abstract: A method, a computer system, and a computer program product for authorization using multiple entities is provided. Embodiments of the present invention may include generating a secret, a user hash and an application hash. Embodiments of the present invention may include transmitting the user hash, the application hash and the password to an identity verification authority. Embodiments of the present invention may include generating a password hash. Embodiments of the present invention may include transmitting the user hash and the application hash to a server. Embodiments of the present invention may include identifying the password hash that is associated with the user hash and the application hash, transmitting the password hash and an authorization notification to the identity verification authority, comparing the password hash with a previously stored password hash and determining that the comparison of the password hash with the previously stored password hash matches.

Abstract: A data synthesis system comprising a high side computing environment and a low side computing environment. Access to the high side computing environment may be restricted to a first one or more users. The high side computing environment may comprise a first one or more datasets and one or more specification computer programs. The one or more specification computer programs may be configured to generate a data synthesis specification based on the structure of the first one or more datasets. The low side computing environment may be accessible by a second a one or more users. The low side computing environment may comprise one or more data synthesizer computer programs. The one or more data synthesizer computer programs may be configured to synthesize a second one or more datasets based on the data synthesis specification.

Abstract: A method for initiating a login of a user into a system, the login being passed by inputting a username into a username field, inputting a password into a password field, and verifying whether the inputted username is stored by the system and whether the inputted password is a stored password corresponding to the inputted username. The method can include the system requiring during inputting character by character of the username and/or the password in addition waiting a predefined delay and/or inputting at least one character at at least one position within a character sequence of the username and/or the password, respectively, wherein the at least one character differs from the character of the username at the at least one position when inputting the username and/or differs from the character of the password at the at least one position when inputting the password.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to given piece data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically-build a compete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.

Abstract: Systems and methods for encrypting and decrypting a data encryption key are provided. A data encryption key used to encrypt data is encrypted using a first asymmetric key and a policy. The policy includes rules that correspond to attributes. A second asymmetric key is associated with the attributes. To decrypt the encrypted data encryption key, the attributes are used to identify the second asymmetric key. The attributes are also used to pass the rules in the policy included in the encrypted data encryption key. If the attributes pass the rules in the policy, the encrypted data encryption key is decrypted. The decrypted data encryption key can then decrypt the encrypted data.

Abstract: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to identify a data item to be stored in the storage system, and to generate a data encryption key for the data item as a function of a first secret key and the data item. For example, the function may comprise hashing at least the data item. The client device is further configured to encrypt the data item using the data encryption key for the data item, and to send the encrypted data item to the storage system for storage therein. The client device in some embodiments is further configured to encrypt the data encryption key using a second secret key, and to send the encrypted data encryption key to the storage system for storage therein as metadata of the data item.

Abstract: A microservice join request is received by a first microservice from a second microservice within a microservices system. The microservice join request includes microservice trust relationship information of the second microservice that defines microservice credentials and service description parameters of the second microservice. Using the microservice trust relationship information, a determination is made as to whether a consensus exists among other microservices within the microservices system that the second microservice is authorized to inter-operate within the microservices system. In response to determining that the consensus exists, validated local run-time inter-operational microservice trust relationship information is created.

Abstract: In accordance with this disclosure, a system and method for remotely enabling proximity-based authentication is provided. A computing device initiates a secure server based on proximity-based communication when the computing device is in a vicinity of the secure server. The computer device then prompts proximity-based authentication to establish a secure connection with the secure server. As a result of the proximity-based authentication, the computing device is authenticated and locally stores a secure token sent from the secure server in response to the proximity-based authentication. Once the authenticated computing device communicates with the secure server, remote authentication is initiated to the secure server and the authenticated computing device is remotely connected to the secure server if the stored secure token is properly accepted by the secure server for authentication.

Abstract: Techniques are provided for establishing a session with an application using asymmetric cryptography. Techniques include secure single-sign on capabilities using asymmetric cryptography. With asymmetric signatures, the use of browser local storage and the Web Crypto application programming interface (API), the key cannot be extracted from the browser that it was generated for. The mechanism allows a web domain to track a user login session using a non-extractable asymmetric key stored in the client's web browser, and leverage the non-extractable asymmetric key for single sign-on.

Abstract: A method is disclosed. The method includes receiving, by a server computer from a resource provider computer, interaction data comprising a user identifier, a resource provider identifier, and a resource identifier. The interaction data is associated with an interaction between a resource provider and a user. The server computer can then determine a set of attribute types specifically associated with the resource provider identifier and the resource identifier. The server can then determine a set of user attributes associated with the set of attribute types using the user identifier. The server computer can then execute a query comprising one or more questions on the set of user attributes to determine if the one or more questions are satisfied. Next, if the one or more questions are satisfied, then the server computer can perform additional processing associated with the interaction.

Abstract: An apparatus is configured to receive an email message that is addressed to a plurality of recipients. The email message comprises a first portion with a first level of encryption and a second portion with a second level of encryption. The apparatus creates a first instance of the message to be sent to a first recipient from among the plurality of recipients. In the first instance, the apparatus masks the portions of the message that are not of the first level of encryption. The apparatus creates a second instance of the message to be sent to a second recipient from among the plurality of recipients. In the second instance, the apparatus masks the portions of the message that are not of the first or second levels of encryption. The apparatus is further configured to transmit the first instance to the first recipient and the second instance to the second recipient.

Abstract: Methods, systems, and computer-readable storage media for receiving, in response to instantiation of an application that enables access to data within the database layer through a data model provided as a computer-readable file, the data model defining a set of associations between two or more tables stored in the database layer, processing the data model to provide a set of inverted associations, each inverted association being specific to a respective association in the set of associations, generating an enriched data model including the set of associations of the data model and the set of inverted associations, and hosting a service that uses the enriched data model to enable access to the data within the database layer based on one or more queries submitted from a web client.

Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The tunnel device is selected based on an attribute, such as IP Geolocation. A tunnel bank server stores a list of available tunnels that may be used, associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server, and stays connected to it, for allowing a communication session initiated by the tunnel bank server. Upon receiving a request from a client to a content and for specific attribute types and values, a tunnel is selected by the tunnel bank server, and is used as a tunnel for retrieving the required content from the web server, using standard protocol such as SOCKS, WebSocket or HTTP Proxy. The client only communicates with a super proxy server that manages the content fetching scheme.

Abstract: A system provides credential management for computer systems and services within a customer data center by acting as an intermediary to an authentication service of a computing resource service provider. In an embodiment, an application server hosts an agent that is registered as a trusted provider of credentials. In an embodiment, the agent is cryptographically linked to the application server using a digital certificate. In an embodiment, the agent uses the digital certificate to authenticate with a credential server, and the credential server provides short-term credentials that may be used to access services of the computing resource service provider. In an embodiment, the short-term credentials are transmitted from the credential server to the agent, and the agent provides the credentials to one or more applications running on the application server. In an embodiment, the credentials allow the applications to access the services of the computing resource service provider.

Abstract: Techniques are disclosed for query processing system that can, when queried, generate a result related to one or more connectivity paths and/or one or more network security rules. Network security rules and connectivity paths may be stored in corresponding data structures (e.g., sets of attributes) that may be utilized with a number of set operations. The user may issue a query requesting the system to apply a rule to a path, a set of rules to a set of paths, to identify if one set of rule(s) are equivalent to another set of rule(s), and the like. Utilizing this query processing system can enable a user to identify effects of one or more network rules with respect to traffic being allowed or restricted along particular connectivity paths between components of the system.

Abstract: A method for generating an authentication key for providing a digital signature at a device for authenticating an output from a ring comprising a plurality of peers, the method comprising generating respective security credentials for each peer of a plurality of peers constituting a ring of peers, at least one security credential being generated in dependence on one or more feature of the respective peer device; generating a ring key in respect of the ring in dependence on the respective security credential of each peer constituting the ring; and generating an authentication key in dependence on the ring key, a security credential of a first peer and respective security credentials of at least one of the other peers.

Abstract: An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request.

Abstract: Systems and methods for secure information exchange are disclosed. During setup of an accessory device in association with a voice-enabled device, token data may be generated and signed using a private encryption key by the accessory device. An accessory-device system associated with the accessory device may send a request for account identification including the token data to a remote system associated with the voice-enabled device. The remote system may determine if an application associated with the accessory-device system is enabled, and if enabled, may send the account identification in an encrypted format to the accessory-device system.

Abstract: The present application discloses a method, system, and device for executing system calls. The method includes obtaining, by one or more processors, a request to execute a system call, the request to execute the system call being made by an executor to execute the system call, determining, by the one or more processors, whether the executor to execute the system call has an access permission for the system call, and in response to determining that the executor has the access permission for the system call, permitting, by the one or more processors, the executor to execute the system call.

Abstract: A blockchain based alias directory may be utilized. Encrypted lists of aliases may be stored on the blockchain and may be accessible to network computers and secure gateways. Embodiments are directed to secure gateways and user devices for accessing the alias directory stored in the blockchain during a financial transaction. The user device may be provided with a list of aliases from which a user may select a payment account. Upon selection the user may be redirected to an identity verification system of the associated payment network.

Abstract: A cloud-based service monitoring device includes a criteria database and an exceptions database. The criteria database includes predefined configuration criteria corresponding to approved operating parameters of each cloud-based service being monitored. The exceptions database includes predefined configuration exceptions such that, for a given instance, each configuration exception corresponds to a different instance-specific criteria than the associated configuration criteria for the cloud-based service. The monitoring device extracts configuration settings from instances of the cloud-based service and compares the settings to the configuration criteria of the cloud-based service. If a suspect setting is identified that does not satisfy the configuration criteria at the service level, the monitoring device compares the suspect setting to instance-specific criteria.

Abstract: Systems and methods for credential character selection are provided. The system includes one or more sensors configured to detect a character selection and generate a character selection signal, and detect a character selection completion and generate a character selection completion signal. The system also includes one or more processors coupled to the one or more sensors, the one or more processors configured to receive the character selection signal and the character selection completion signal, and generate an output signal based on the received character selection signal that includes components of a credential. The system also includes a network interface component configured to transmit the output signal. The credential characters may be components of a PIN or password. Moreover, the credential character selections may be made on one device, but displayed on a separate coupled device. The character selections may be a selection of a character or a modification of character.

Abstract: The present disclosure is directed towards systems and methods of authenticating a client. A device intermediary to clients servers that provide one or more resources can receive a request from a client to access a resource of the one or more resources. The device can select a login schema associated with the request that includes a definition of a login form. The login schema may correspond to an authentication protocol. The device can generate the login form responsive to the request. The login form can be constructed according to the definition provided by the selected login schema. The device can provide the login form for display via the client. The device can receive information inputted into the login form via the client. The device can establish access to the resource responsive to authentication of the client based on the information and the authentication protocol.

Abstract: A method for real-time detection of malware in a Kernel mode includes detecting a file operation request initiated by a process running in user mode. Malware detection analytics is performed on a file buffer associated with the detected file operation request to detect behavior indicating presence of malware. Responsive to detecting the behavior indicating the presence of the malware, the process responsible for initiating the detected file operation request is identified. A search for the identified process is performed on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process. Responsive to determining that the identified process is not a trusted process, a malware remediation action is executed against the identified process. Information describing the malware is transmitted to a client device.

Abstract: Controlled access to a physical area or secured service is managed using sonic tones. A secret key is stored in a user device and in a security system, and then when access is desired, the secret key or a derivative thereof is encoded into a sonic tone which is transmitted. The sonic tone is received and decoded to obtain the encoded binary message, which is then compared to an expected binary message, and if there is a match, access is granted by the security system. In illustrated particular embodiments the secret key is used to generate a one-time password based upon the secret key and a randomizing factor, such as the current time.

Abstract: A computer system determines that authentication information has been requested from a user device by a requesting device. In response to determining that authentication information has been requested by the requesting device, the computer system identifies information corresponding to the requesting device and determines if one or more risk indications correspond to the identified information corresponding to the requesting device. In response to determining that one or more risk indications correspond to the identified information corresponding to the requesting device, the computer system implements one or more security measures.

Abstract: A method, system, and computer-usable medium are disclosed for: (i) determining if a server response from a server received at a security device and intended for a client includes original encryption key information for encrypting identifying information associated with the server; (ii) if the server response includes original encryption key information for encrypting identifying information associated with the server, determining if a network policy provides for decryption of identifying information associated with the server; and (iii) if the network policy provides for decryption of identifying information associated with the server, replacing the original encryption key information with modified encryption key information associated with the security device and communicating the server response to the client with the modified encryption key information associated with the security device.

Abstract: A patterned smart card module includes a chip module and a patterned ink layer coated on a conductive surface of the chip module. The IC chip of the chip module stores chip data therein, and the chip data includes holder-related data. The patterned ink layer has a pattern relating to the holder-related data.

Abstract: The present invention relates to a communication system and method, an information processing terminal and method, and an information processing device and method which enable simple and secure restricted access. When a PDA 11 is brought close, a reader 2 of a personal computer 1 reads a device ID form an IC tag 12. The personal computer 1 registers device IDs on a connection permission list, and permits only devices registered on the list to connect. When being instructed to perform accessing, the PDA 11 controls a communication unit to access the personal computer 1 and to transmits its device ID. The personal computer 1 determines whether or not the transmitted ID is registered on the connection permission list, and permits the connection when determining that the ID is registered. The present invention can be applied to various information processing devices such as a personal computer and a PDA.

Abstract: A device may receive, from a user device, transaction data, the transaction data including: a user account identifier indicating a user account associated with the user device, and data indicating a particular merchant associated with a transaction. The device may provide the data indicating the particular merchant to a server device and receive, from the server device, a merchant identifier for the particular merchant associated with the transaction. The device may then identify, based on the merchant identifier and the user account identifier, a user account control, the user account control specifying a restriction for transactions associated with the user account and the particular merchant. Based on the transaction data, the device may determine whether the user account control is satisfied and perform an action based on a result of the determination.

Abstract: An authentication management method executed in a plurality of apparatuses cooperating each other communicably connecting, to allow reception of instruction by a user, a first information processing apparatus which performs authentication that the user is a predetermined person and a second information processing apparatus which is worn by the user, in a case where the user wearing the second information processing apparatus has been identified, by the second information processing apparatus, to be the predetermined person, identifying, by the second information processing apparatus, whether or not the first information processing apparatus and the second information processing apparatus are associated with each other as a plurality of apparatuses which perform cooperative processing.

Abstract: A system and method for creating custom music/video messages to facilitate and/or improve social interaction. The music/video messages may include at least portions of: music, video, pictures, slideshows, and/or text. Custom music/video messages may be created by a user in communication with a music/video provider and a music/video messaging system. The music/video messaging system and/or a distribution network send the music/video messages to one or more intended recipient(s). The custom music/video messages are representative of feelings or emotions to be communicated by the user to the one or more recipient(s).

Abstract: A system increases security for personal devices. An authenticating authority receives an authentication request from a personal device. The authenticating authority obtains a current location of the personal device from a location server, where the location server transmits the current location to the authenticating authority. The location server receives location information associated with the personal device, where the location information is transmitted to the location server by a location updating daemon running on the personal device. The authenticating authority compares the current location received from the location server to a zone associated with the personal device to determine processing of the authentication request. The zone is retained by the authenticating authority.

Abstract: The present invention relates to a method and a system that enable a sender to send a message to a recipient in an anonymous way, allowing the recipient to respond to the sender after receiving the message. No data related to the sender and the recipient are retained in the system.

Abstract: Typically, when a user switches sessions between devices, the user authenticates the sessions by providing user account information, password, and/or pin code input or other credentials. However, when the user is frequently switching sessions between devices, authenticating sessions may result in the user reducing or even stopping switching across mobile devices. Systems and methods according to this disclosure provide automatic session roaming across mobile devices using proximity authentication. Upon detecting an indication to initiate session roaming, the source device automatically roams the session on the source device to a target device based on a proximity of the source device to the target device. The session is handed off from the source device to the target device as an authenticated user session.

Abstract: Methods and systems for expedited authentication for mobile applications are described herein. A user of a mobile device may authenticate with an enterprise system, and thereby be granted access to enterprise applications and services on the mobile device. The user may then activate an application in a managed partition of the mobile device. The application may determine that the enterprise system supports expedited authentication. The application may request expedited authentication, and the request may be compared to policies for expedited authentication. If the request is permitted, the application may be granted access to an authorization code for expedited authentication. The application may then perform the expedited authentication, and the user may be granted access to the application when the expedited authentication has completed.

Abstract: A method and an apparatus for network address analysis are provided. In the method, unique identification information of a target client device located in a local area network is obtained. Packets transmitted in the local area network are listened, and a packet transmitted between the target client device and a dynamic host configuration protocol (DHCP) server is identified from the listened packets according to the unique identification information. Finally, the identified packet is analyzed to obtain a network address assigned to the target client device by the DHCP server.

Abstract: Systems and methods for authentication code entry using mobile electronic devices are disclosed. In one embodiment, in an information processing device comprising at least one computer processor, a display, and an input device a method for authentication code entry may include: (1) receiving, at the information processing device, a masking pattern for receiving entry of an authentication code, the masking pattern specifying an order for entering the authentication code; (2) presenting, on the display, a prompt to enter the authentication code in accordance with the masking pattern; (3) receiving, at the input device, a masked authentication code entry where the masked authentication code entry comprises the authentication code entered in accordance with the masking pattern; and (4) storing the masked authentication code entry.

Abstract: A method includes, in response to receiving an email message, detecting one or more artifacts within an email message, wherein each of the artifacts is associated with a payload; for each artifact, generating, a descriptor object representing the artifact that does not include the payload, so that the processor is prevented from accessing the payload via the descriptor object; and at least one payload button based on the payload associated with the artifact for causing the payload to be transmitted to an external system for analysis of the payload; and presenting an artifact dashboard in a graphical user interface (GUI) rendered on a display of the email security system, the artifact dashboard displaying, for each artifact, the descriptor object representing the artifact and the at least one payload button based on the payload associated with the artifact.

Abstract: A method includes establishing an application layer transport layer security (ATLS) connection between a network device and a cloud server by sending, from the network device, TLS records in transport protocol (e.g., HTTP) message bodies to the cloud server, the ATLS connection transiting at least one transport layer security (TLS) proxy device, receiving, from the cloud server via the ATLS connection, an identifier for a certificate authority, establishing a connection with the certificate authority associated with the identifier and, in turn, receiving from the certificate authority credentials to access an application service different from the cloud server and the certificate authority, and connecting to the application service using the credentials received from the certificate authority.

Abstract: A method for trusted measurement of a cloud computing platform includes: generating, by a third-party management and audit system, an audit report based on a current running indicator, signed by using a digital certificate, of a software and a running security indicator of the software, where the audit report indicates trustworthiness of a cloud computing platform. In this way, a process of trusted measurement of the cloud computing platform is open and transparent, so that authenticity of trusted measurement of the cloud computing platform is improved, thereby increasing a user's trust in the cloud computing platform.

Abstract: A user authentication technique that allows a user to access a protected resource such as an account on a web site or secure files on a computing device such as a smartphone, personal computer, tablet computer, and the like, employs a shared secret that employs a state machine to sequentially transition between a series of states during which the user is requested to enter predefined information that is also a part of the shared secret. That is, the shared secret includes user-specific data that must be provided and the particular sequence or manner in which the user-specific data or credentials are to be provided. The authentication technique may supplement the user of conventional one or two factor authentication techniques requiring, e.g., a password or both a username and password, which are commonly used to gain access to a resource.

Abstract: Disclosed are methods and systems for credential protection. In one aspect, a method includes receiving an authentication credential and an authentication domain. A determination is made as to whether the authentication domain is permitted or unpermitted for authentication by the credential. If the domain is unpermitted, a data store is searched to identify a permitted domain for the credential. The credential is compared against credentials information associated with the domain to determine if it matches any of the associated credentials. If a match is found, an event is instantiated for the account.

Abstract: This specification provides techniques for secure authentication. One example method includes receiving a login request from a computing device, wherein the login request includes a variable apparatus identifier (ID) associated with the computing device; in response to receiving the login request, determining that the variable apparatus ID corresponds to a user account; in response to determining that the variable apparatus ID corresponds to a user account, determining that an update of the variable apparatus ID is requested based on a timestamp included in the variable apparatus ID and a current time; in response to determining that the update of the variable apparatus ID is requested, generating an updated variable apparatus ID associated with the computing device; and transmitting an account login permission instruction and the updated variable apparatus ID to the computing device.