Abstract: In general, one innovative aspect of the subject matter described in this specification may be embodied in methods that may include validating user data pages extracted from a digital identification in circumstances where a user device that includes the digital identification is either unavailable or presently lacks network connectivity. For instance, an authorized device may be used to extract user data pages from the digital identification by either exchanging communications with the user device using a proximity-based data exchange protocol, or by using a physical identification card to identify the digital identification on a user record. The user data pages may then be validated by comparing checksums associated with user data pages against the checksums within the user record, and decrypting the user data pages using a decryption key that is variably designated by a security status assigned to the digital identification.

Abstract: The present disclosure relates to a password management system and to a method for operating such a password management system. The password management system operates in communication with a client device running a cookie enabled browser application. The present disclosure also relates to a method for allowing access to restricted information stored at a server.

Abstract: A server apparatus is capable of communicating with a client terminal. The client terminal transmits first information to a second server, receives a digital signature from the second server, and transmits the digital signature together with the first information to the server apparatus. The second server generates the digital signature based on the first information. The server apparatus includes a controller configured to receive the first information and the digital signature from the client terminal, determine whether or not the first information is valid based on the first information and the digital signature received; and, transmit second information to the client terminal when the first information is valid.

Abstract: Technologies are disclosed for enforcing access control to resources of an indexing system using resource paths. Before performing a search for resources, access control is performed. By determining the resource paths that the user is authorized and/or unauthorized to access before performing the search, the search engine returns resources that the user is authorized to access instead of returning resources that the user may not be authorized to access. Before submitting a search query to a search engine an augmented search query is generated. The augmented search query includes one or more filter rules (which may be referred to herein as “filters”) that specify the resource paths to include or exclude from the search. The augmented search query limits the search to resources that the user is authorized to access.

Abstract: Communication circuitry associates a data source with a source Identifier (ID) and a cryptographic key and associates a data target with a target ID, contact token, contact condition, and contact information. The communication circuitry receives and decrypts the encrypted source ID, the encrypted target ID, and the encrypted contact token with the cryptographic key, and in response, authenticates the source ID, authenticates the target ID, and validates the contact token. When the authentication and validation are successful, the communication circuitry selects a portion of the contact information based on the contact condition, encrypts the selected contact information, and transfers the encrypted selected contact information to the data source. The data source uses the selected contact information and the contact token to transfer data to the data target. The data target uses the contact token to validate the data source.

Abstract: A method, device and non-transitory computer readable medium for randomized multi-factor authentication with biometrics includes randomly selecting one of a plurality of biometrics in response to a request from a client device. At least the randomly selected biometric is requested from the requesting client device. A match of the requested randomly selected biometric received from the requesting client device against stored biometric information above a set threshold is verified. Access for the request is granted when the verification indicates the match.

Abstract: The present disclosure relates to a method method for performing a disjunctive proof for two relations R0 and R1. The relation R0 is between an instance set X0 and a witness set W0 and defines a language L(R0) containing those elements x0?X0 for which there exists a witness w0 that is related to x0 in accordance with R0. The relation R1 is between an instance set X1 and a witness set W1 and defining a language L(R1) containing those elements x1?X1 for which there exists a witness w1 that is related to x1 in accordance with R1. For proving knowledge of a witness wb of at least one of instances x0 and x1, where b is 0 or 1, of the respective relations R0 and R1, the prover may generate using a bijective function a challenge from a simulated challenge c1-b.

Abstract: Disclosed herein are methods, systems, and processes for managing and controlling the collective behavior of deception computing system fleets. A malicious attack initiated by a malicious attacker received by a honeypot that is part of a network along with other honeypots is detected. Information associated with the malicious attack is received from the honeypot. Based on the received information, a subset of honeypots other than the honeypot are configured to entice the attacker to engage with the subset of honeypots or avoid the subset of honeypots.

Abstract: [Problem] To provide a terminal registration system and a terminal registration method for improving user convenience in registration of a new terminal to a plurality of service sites. [Solution] The registered terminal 1 includes an Authenticator 10 including service site list information 110 that associates private keys and URLs for access to service sites with each other. A Registration Manager 100 acquires the service site list information 110 from the Authenticator 10 of the registered terminal 1. Then, the Registration Manager 100 performs FIDO authentication for a registration target service site using a private key of the registered terminal 1, on the basis of the acquired service site list information 110, and performs Registration of a newly generated cryptographic key at the new terminal 2.

Abstract: Techniques are described herein for using special session identifiers to defer additional authentication steps (AAS) for at least some restricted application actions. A client session is associated with a special session identifier that is mapped to an authentication tier (AT) achieved for the session based on the satisfied authentication steps. Web servers that are enabled for AAS deferral include context information, which identifies a requested action, with session verification requests to an authentication service. The authentication service determines that AAS is required to perform an action when (a) the AT associated with the action is a higher-security tier than the AT associated with the session, or (b) the session is associated with an AT that is lower than the highest-security AT and there is no context information accompanying the request for session validation, in which case the authentication service assumes that the highest-security AT is required to perform the request.

Abstract: An information processing apparatus includes a display unit that displays plural images consisting of one or more correct answer images selected from a candidate set, which consists of images not including images corresponding to public information of a user in an image group owned by the user, and one or more incorrect answer images other than the one or more correct answer images, and an image authentication unit that performs authentication of the user by having the user select at least one or more of the correct answer images from the plural displayed images.

Abstract: Systems and methods for providing cryptographic services. A cryptography service obtains a request to provision a computing device to perform cryptographic operations. The cryptography service generates executable code for a protected execution environment. The computing device obtains and executes the executable code. The computing device fulfills requests for cryptographic operations in the protected execution environment.

Abstract: Techniques are described with regard to client authentication management. An associated method includes constructing an authentication resolution model specific to a client based upon error patterns respectively included in a plurality of erroneous authentication submissions inconsistent with a proper authentication submission. The method further includes receiving, via an authentication interface, a new erroneous authentication submission inconsistent with the proper authentication submission. Responsive to determining that the new erroneous authentication submission corresponds to an authentication exception defined in the authentication resolution model, the method further includes completing authentication. Responsive to determining that the new erroneous authentication submission corresponds to an authentication warning defined in the authentication resolution model, the method further includes performing at least one client account warning protection activity.

Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. The method identifies combinations of users and resources referenced by the policy, and for each identified combination of user and resource, executes the policy in order to define access to the identified resource by the identified user. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the executed policy to provide a response to the query that describes access to the particular resource for the particular user set.

Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.

Abstract: Features are disclosed for accurately authenticating a delivery agent for unattended delivery of an item. The systems and methods described confirm the location of the delivery agent and proximity to the delivery location using short range wireless communications between a monitoring device at the delivery location and a communication device associated with the delivery agent. Access may also be conditioned on user specified “do not disturb” rules indicating when remote access is authorized. The authentication may be dynamically assessed such as based on a type of item being delivered.

Abstract: A method for transmitting an application is disclosed. The method includes, for example, receiving, from a client, an input for initiating the application; generating an application bundle associated with the application, the application bundle including an address of a server, the address capable of enabling a program on the client to request, from the server, information needed for running the application; and transmitting the application bundle to the client.

Abstract: Techniques are described herein for dynamically-tiered authentication, which allows the authentication tier (AT) associated with a session to be automatically downgraded based on the session satisfying one or more downgrade criteria. Automatically downgrading a session eliminates some authentication-based privileges for the session without eliminating all privileges for the session. A session satisfies downgrade criteria based on: an explicit request for session downgrading; client interaction with the application; and/or activity on the device on which the client runs. For example, if a client authenticates to a third AT, but only performs actions in the application that are associated with the first AT during a pre-defined amount of time, the AT associated with the session is automatically downgraded. The session is either downgraded from the third AT to the first AT, or downgraded in intervals until the current or more recently accessed tiers are consistent with the current AT of the session.

Abstract: A method for providing a user authentication credential comprises a) registering, in a device, at least one reference character, as a first user authentication credential; b) submitting, by the user, to the device, at least one character, as a second user authentication credential; c) retrieving, by the device, each reference character along with a corresponding position within the first user authentication credential; d) comparing, by the device, each submitted character within the second user authentication credential to a corresponding reference character within the first user authentication credential at one and the same position within the second user authentication credential and the first user authentication credential; and e) providing, by the device to the user, if the submitted character does not match the corresponding reference character, an information item for prompting the user to correct the submitted character.

Abstract: A computing device may include a memory and a processor configured to cooperate with the memory to store an authentication token having first and second authentication credentials associated therewith. The first and second authentication credentials may be different from one another. The processor may further cooperate with a server to access a session based upon the authentication token.

Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by multiple users. The method receives at least one authorization policy that defines access to the service by the users, where the service includes multiple resources. Based on an analysis of the received policy, the method identifies a set of two or more access rules, each access rule associating at least one user to at least one resource. The method receives a query regarding access to a particular resource from a particular set of one or more users, and uses the identified access rules to provide a response to the query that describes access to the particular resource for the particular user set.

Abstract: A block chain system allows mining for new valid values in a system such as a computer game or computer-based trading card system. Instead of each new value being added to the block chain being equivalent, each new value is one of a plurality of possible choices.

Abstract: Systems and methods for configuring a media playback device to connect to a local area network (LAN) and be controlled by a mobile device also configured to connect to the LAN are disclosed. In one embodiment, the method includes displaying screens on a graphical user interface on the mobile device indicating the status, scanning for Bluetooth low energy (BLE) devices using the mobile device, detecting a media playback device as a BLE device, connecting the mobile device to the media playback device using BLE, obtaining LAN connection information, configuring the media playback device to connect to the LAN using the BLE connection from the mobile device, and setting speaker configuration information for the media playback device using the graphical user interface.

Abstract: Methods and apparatus are disclosed that enable information about devices connected behind a gateway, such as a home gateway, to be made available to and used by other entities, such as servers and routers, on a communications network.

Abstract: A biometric authentication device includes a biometric information sensor to read biometric information of a user, a biometric information storage unit to pre-register biometric information of a registered person as registered biometric information for verification, a determination unit to determine whether or not a captured image captured by the biometric information sensor is suitable for biometric authentication, and to perform biometric authentication by comparing the captured image to the registered biometric information registered in the biometric information storage unit when the determination unit determines that the captured image is suitable for the biometric authentication, and a notification unit to issue a notification indicating that the captured image is unsuitable for the biometric authentication.

Abstract: A system, method, and computer-readable medium are disclosed for monitoring actions of an entity. In various embodiments the monitoring includes: monitoring a plurality of electronically-observable actions of the entity, the plurality of electronically-observable actions of the entity corresponding to a plurality of events enacted by the entity; associating the plurality of events enacted by the entity with a story; and, using the story to derive an inference regarding the entity.

Abstract: A method and system for eliminating contraband in postal mail at a correctional facility comprising a central processing facility and a network of inmate email kiosks and correctional institution staff review stations. The postal mail utilizes scanning stations to create electronic versions of the mail and associates various information about the sender, recipient, mail contents, and institution into a format that is easily reviewable and provides tracking data. The scanned mail may then be made available to the intended inmate and institution staff. Institution staff may also then access the associated information and tracking data.

Abstract: Systems and methods for authorizing operations associated with blocked media assets using two-factor authentication. In some aspects, a media guidance application (e.g., executed by a set-top box or other user equipment used to store and display media assets) prompts a user for a password (e.g., a personal information number) in order to unlock the content for viewing. In response to receiving a second request from the user to perform an operation related to the media asset (e.g., delete), the media guidance application prompts the user for an additional factor confirming his or her identity, consistent with two-factor authentication protocol. If the user's identity is authenticated as a user that has authority to perform the operation related to the media asset (e.g., delete the stored media asset), the media guidance application performs the operation related to the media asset (e.g., deletes the media asset).

Abstract: Systems, methods, and apparatuses for implementing super community and community sidechains with consent management for distributed ledger technologies in a cloud based computing environment are described herein.

Abstract: A method and system of using a vehicle mounted camera device to authenticate a user during an interaction is disclosed. The method includes receiving interaction data regarding an interaction between a user operating a communication device and an access device, the user being near other candidate users. The method then includes determining one or more match indicators, the match indicators generated by comparing different sample biometric templates of the user with different enrolled biometric templates. At least one of the different biometric sample templates may be an image-based biometric template and at least one may be a voice print biometric template. Then the method includes identifying the user based on at least the match indicator associated with the voice print biometric template. The method then includes, if the match indicators are positive match indicators, initiating a process on behalf of the user.

Abstract: The present disclosure relates to methods and associated systems for unlocking a vehicle. The vehicle has a first input device and a second input device. The method includes (1) receiving a passcode from the first input device; (2) receiving a confirmation of the passcode from the second input device; and (3) in response to the confirmation, storing the passcode in a storage device associated with the vehicle. The passcode is input by operating the first input device in a first predetermined way, and, the confirmation is input by operating the second input device in a second predetermined way.

Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.

Abstract: A call screening computing system is described that is configured to perform voice captcha and real-time monitoring of calls into a contact center of an organization. The call screening computing system includes a chat bot configured to operate as an AI-based call screener. The chat bot is configured to perform voice captcha by sending a random question to a user device placing a call into the contact center, and analyzing the received answer to determine whether a user of the user device is human or a robot. The chat bot is configured to, based on the user being human, determine whether the user is a legitimate customer of the organization by generating and presenting authentication challenges to the user device. The chat bot may be configured to monitor and interact with a conversation between the user and an agent of the organization during the call into the contact center.

Abstract: Systems and methods for authorizing a real-time transaction with a third party platform (TPP). The system includes a memory that stores instructions for authorizing the real-time transaction with the TPP. The system also includes a processor configured to execute the instructions. The instructions cause the processor to: generate a tokenized personal identification number (PIN) based on a request to register with the TPP, the request including a customer PIN and an authorization token; transmit the tokenized PIN and the authorization token to the TPP, wherein the TPP stores the tokenized PIN and the authorization token; in response to receipt, at the TPP, of a request for the real-time transaction from a customer, receive the tokenized PIN from the TPP; decrypt the tokenized PIN to extract the customer PIN; and transmit instructions including the customer PIN to a service provider, the instructions comprising a command to provide access to a vehicle.

Abstract: A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A datastructure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the datastructure to enforce isolation of the resources used by the secure user runtime process.

Abstract: Systems and methods are provided for a media provider to allow a user to access media objects with a third-party partner that authenticates the user and authorizes the user to access certain media objects. The media provider offers access to media objects, such as video content or audio content. The partner, through a relationship with the media provider, similarly offers access to the media provider's media objects, for example, as a service or benefit to the partner's customers or users. In particular, a partner integration server mediates user authentication and authorization by the partner. The partner integration server also allows the media provider to easily and flexibly to add and integrate additional partners.

Abstract: Systems, methods, and apparatuses for implementing super community and community sidechains with consent management for distributed ledger technologies in a cloud based computing environment are described herein.

Abstract: Systems, methods, and apparatuses for implementing super community and community sidechains with consent management for distributed ledger technologies in a cloud based computing environment are described herein.

Abstract: Technologies for providing efficient data access in an edge infrastructure include a compute device comprising circuitry configured to identify pools of resources that are usable to access data at an edge location. The circuitry is also configured to receive a request to execute a function at an edge location. The request identifies a data access performance target for the function. The circuitry is also configured to map, based on a data access performance of each pool and the data access performance target of the function, the function to a set of the pools to satisfy the data access performance target.

Abstract: A computer-implemented method, computer program product and computing system for: defining a threat mitigation platform for a client, wherein the threat mitigation platform includes a plurality of threat detection capability modules; defining a rollout schedule for at least a portion of the plurality of threat detection capability modules; and presenting the rollout schedule to the client.

Abstract: Methods, systems and computer program products for providing video-based authentication are provided. Aspects include receiving a master video comprising a recording of a first plurality of objects. Aspects also include identifying each of the first plurality of objects using image recognition techniques. Aspects also include receiving a user selection of a plurality of authentication objects, where the plurality of authentication objects are a subset of the first plurality of objects. Aspects also include receiving a user authentication request comprising an authentication video. The authentication video is a recording of a second plurality of objects. Aspects also include identifying each of the second plurality of objects using image recognition techniques.

Abstract: Video conferencing in a controlled environment facility entails significant security concerns. These concerns are even more prevalent in a system that permits residents of such facilities to communicate via their own personal devices. Therefore, in order to alleviate these concerns and provide a secure system in which a resident is able to make video calls using their personal device, a kiosk unit is provided to which the personal device must be linked for completing a video call. When making the video call, the camera and display on the personal device are disabled, and all video data is captured and displayed by the kiosk unit. The link between the kiosk unit and the personal device facilitates the exchange of the image information for transmission to the outside party, or display to the user. By providing a fixed camera, and disabling the personal device camera, security can be maintained while permitting video calling services.

Abstract: The SOCIAL MATCH PLATFORM APPARATUSES, METHODS AND SYSTEMS (“SMP”) transforms platform join requests, social network info, and SMP network info inputs via SMP components NJ, JIP, CIP, OP, CN-SGU and CN-UPSOG into job info, candidate info, offer info, and social meetup info outputs. A job information request for a candidate may be obtained. Social data associated with the candidate may be determined. A social job relevancy rating for various jobs may be calculated using the social data. A job may be selected using the social job relevancy rating for the job, and information regarding the selected job may be provided.

Abstract: A removable card-enabled BPID Security Device integrates a removable card reader with a biometric authentication component to provide secured access to electronic systems. The device allows for an individual to insert a removable card into an aperture in the physical enclosure of the BPID Security Device, allowing the removable card and the BPID Security Device to electronically communicate with each other. The BPID Security Device is based on a custom application specific integrated circuit that incorporates removable card terminals, such that the BPID Security Device can communicate directly with an inserted removable card. In an alternative embodiment of the invention, the BPID Security Device is based on a commercial off-the-shelf microprocessor, and may communicate with a commercial off-the-shelf microprocessor removable card receiver using a serial, USB, or other type of communication protocol.

Abstract: A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.

Abstract: Some methods enable a first device to assist a second device in becoming authenticated with a content management system. The content management system can receive user credentials or an elevated access token from the first device. The content management system can respond to the first device with an access token for use by the second device. Alternatively, the content management system can send the access token directly to the second device. The second device can then use the access token for authenticated communications with the content management system.

Abstract: A method prompts a user to provide first credentials, receives the first credentials, and using an initial verification process including at least one of validity, a uniqueness, a suspicious contextual detection, or statistical recurrence verification, to verify the first credentials based on stored data. Based on a negative result of the initial verification process, the method prompts the user to provide second credentials, receives the second credentials, and validates the second credentials based on the stored data. The method registers the user for a service based on a positive result of the initial verification process or a positive result of the second strong validation process, refusing to register the user for the service based on a negative result of the initial verification process and the negative result of the second strong validation process, and blacklisting the verified second credentials upon registering the user.

Abstract: Some examples include establishing a secure communication session between a mobile device and a card reader. For instance, a trusted, remote validation server may be used to validate security information of a software module executing on the mobile device prior to the card reader and the software module establishing a secure communication session with each other. In some cases, the software module sends the security information of the software module to the validation server. The secure communication session between the software module and the card reader may be established based on a validation result of a validation process indicating that the security related information of the software module has been determined to be valid by the validation server.

Abstract: Implementations are directed to detecting bypass of an authentication system of a web application with actions including receiving one or more webpage logs including web traffic associated with a web application during a defined time period, receiving one or more authentication logs associated with one or more authentication appliances providing authentication services for the web application, determining, based on the one or more webpage logs, one or more webpage log entries corresponding to a user and the defined time period, determining, based on the one or more authentication logs, a total number of correct authentication factors provided by the user during the defined time period, and determining, based on the one or more webpage log entries corresponding to the user and the defined time period and the total number of correct authentication factors provided by the user, that the user bypassed an authentication system of the web application.

Abstract: Systems and methods are provided for use in provisioning accounts to applications included in mobile devices. One exemplary method includes receiving, at a mobile device, a request to provision an account to a mobile device; prompting a user associated with the account for authentication at a wireless device associated with the account; receiving an account credential from the wireless device, via a local wireless communication between the mobile device and the wireless device, when the user is authenticated at the wireless device; transmitting the account credential toward a first party associated with the account, whereby the account credential is indicative of the authentication of the user; and provisioning the account to the mobile device, in response to an approval received from the first party.