Abstract: A telecommunications network server system provides a digital identifier to a user device. The digital identifier may include identification data corresponding to a user of the user device. In addition, the telecommunications network server system receives, from one or more third-party systems, requests to authenticate the user for an electronic transaction with the respective third-party system. The telecommunications network server system provides a unique electronic transaction code to each third-party system. Responsive to receiving from the user device one of the unique electronic transaction codes, the telecommunications network server system provides, to the respective third-party system, authentication of the user.

Abstract: Managing access to data, including storing a database that includes fields; encrypting data of all or some fields of the database using an application encryption algorithm; receiving data indicating user-specific data access roles and user-specific data permissions for each of the user-specific data access roles, each of the user-specific data permissions defining a subset of the data of the database that the corresponding user-specific data access role has authorization for decrypting the subset of the data; receiving a user token representing credentials and user-specific data access roles of an authorized user, wherein the user token is generated by the access rights system; receiving a query for requested data stored by the database; comparing the user-specific data access role of the user token with the user-specific data access roles of the access rights system to identify user-specific data permissions for the user-specific data access role of the user token.

Abstract: A method, a system, and a non-transitory computer readable program code are disclosed for offline authentication of users for access to web applications. The method includes requesting, by a processor, access for a user to one or more relying party applications; receiving, by the processor, a redirection request from the one or more relying party applications to retrieve an authentication token for the user from an identity service provider; determining, by the processor, that the identity service provider is not available to provide the authentication token for the user; retrieving, by the processor, the authentication token for the user from a trusted source; forwarding, by the processor, the authentication token for the user retrieved from the trusted source to the one or more relying parties; and receiving, on the processor, authentication from the one or more relying parties for the user to access the one or relying party applications.

Abstract: Techniques include a method, apparatus, system and computer-readable medium to detect, quantify and localize attacks to enhance security for time-synchronized networking. Embodiments include a diagnostic stream producer to produce diagnostic information providing evidence of a timing attack on a node of a time-synchronized network. Embodiments include a diagnostic stream consumer to consume diagnostic information, analyze the diagnostic information, and determine whether a node is under a timing attack. Other embodiments are described and claimed.

Abstract: Aspects concern a data base system comprising a data base for storing entity states, a configuration interface configured to receive, for an entity state type, a specification of an entity state data format for writing an entity state of the entity state type to the data base and a data base access interface configured to receive a write request for writing an entity state to the data base, check whether the write request includes entity state data for writing the entity state to the data base in an entity state data format specified for writing entity states of the entity state's entity state type to the data base, and write the entity state data to the data base if the write request includes the entity state data in an entity state data format specified for writing entity states of the entity state's entity state type to the data base.

Abstract: Methods and apparatus are described for automatically discriminating authentic wireless Internet-of-Things (IoT) devices using a trained machine-learning module. In a training phase, the machine-learning module is trained to identify authentic IoT devices based on data in frame headers of wireless data emitted by the IoT devices. The trained machine-learning module may identify authentic IoT devices without analysing data from the payload of the frames to which the frames headers belong, and thus the privacy of data in the payload of the frame is not compromised and encryption of the payload data does not adversely affect performance of the trained machine-learning module in a subsequent production phase. Each training data sample may consist of header data from a sequence of successive frames of wireless data from authentic wireless IoT devices and, to enhance accuracy, may exclude address data.

Abstract: An interactive platform for researching and analyzing a set of topics to elicit opinions and choices via a user device. The interactive platform creates one user profile based on a unique identification of a first user. The interactive platform presents the set of topics to the first user and receives selections of a set of responses or choices corresponding to the set of topics that are processed, segregated, and stored in real time. Furthermore, the interactive platform enables reception of a user response for the set of topics based on own analysis of the first user. Moreover, the selections are limited to a daily number of opinions. The set of responses may be quantified and presented to a plurality of users registered on the interactive platform. Furthermore, the interactive platform enables segregation or categorization of the set of responses based on, for example, age, geographical location, and other categories.

Abstract: A first network node operating in a telecommunications network can receive an authentication request associated with a communication device requesting registration with the telecommunications network. The authentication request can include first subscriber information. The first network node can determine that the first subscriber information includes an anonymous identifier. Responsive to determining that the first subscriber information includes the anonymous identifier, the network node can determine an authentication procedure to be performed. The network node can receive information associated with the communication device as part of the authentication procedure. The network node can generate second subscriber information based on the information associated with the communication device.

Abstract: Systems and methods for controlling access to a dataset management system using permission records are provided. For example, a request to access information in a dataset management system may be obtained from an entity, and a permission record associated with the entity may be selected. Further, it may be determined if the entity has permission to access the information. In some examples, when the entity has permission to access the information, the access to the information may be allowed. In some examples, when the entity has no permission to access the information, the access to the information may be denied.

Abstract: Methods, systems, and devices for sharing keys with authorized users are described. In some cases, the first device may transmit, to the server, a request for a certificate for the first device to communicate with a memory device. The server may generate the certificate using a first private key of a first public-private key pair. The first device may receive the certificate and generate a content message that is signed by a second private key of a second public-private key pair. In some cases, the memory device may receive the content message and the certificate and validate the certificate using a first public key of the first public-private key pair. In such cases, the first device may establish a connection with the memory device in response to the memory device validating the certificate.

Abstract: An agent computer system uses a session-less login process to log in two users in a same application session. The system establishes an application session with an application server and a user session with the application server by authenticating a first user using an identity provider system (IdP). The system detects a request to perform an action by the first user within the application session that requires a second user's authentication. While maintaining the user session, the system requests a session-less authentication of the second user by transmitting an authentication request, which includes a flag indicating that the requested authentication is a session-less authentication. The system receives a confirmation of the authentication of the second user without establishing a second user session and performs the requested action in response to receiving the confirmation of the authentication of the second user.

Abstract: An information processing system includes an installation device and a cyber physical system (CPS) device. The installation device includes a detection unit, a determination unit, and a first communication unit. The detection unit detects a communication state of a first network to which a first CPS server device is connected. The determination unit determines the first CPS server device or a second CPS server device as an initial registration destination, based on the communication state. The first communication unit transmits a notification indicating the initial registration destination to the CPS device. The CPS device includes a memory control unit and a registration processing unit. The memory control unit stores, upon receiving the notification from the installation device, the initial registration destination included in the notification in a memory unit. The registration processing unit connects to the initial registration destination, to perform initial registration of the CPS device.

Abstract: A control apparatus for a vehicle includes a processor, a storage, and a first determining unit. The processor is configured to control a control target mounted in the vehicle. The storage is configured to contain unauthorized entry data. The unauthorized entry data indicates a presence of an unauthorized entry into the vehicle. The first determining unit is configured to make a determination on a necessity of a secure boot process upon activation of the processor, on the basis of the unauthorized entry data.

Abstract: Various arrangements for wireless network provisioning using a pre-shared key (PSK) are presented. A plurality of wireless network access profiles that indicate a plurality of PSKs may be stored. An access point may receive, from a wireless device, a first value based at on the PSK. The access point can transmit the first value to a cloud-based provisioning system. A plurality of values based on the plurality of PSKs of the plurality of wireless network access profiles may be created and a match between a second value of the plurality of values and the transmitted first value may be identified. A third value may be provided to the access point based on the PSK of the wireless network access profile of the plurality of wireless network access profiles used to generate the value. Network access can then be granted based on the third value.

Abstract: A method for permission management includes: generating a plurality of job roles with different permissions according to organization permission table; generating first permission structure directed graph according to the job roles; selecting one of the job roles in first permission structure directed graph as target job role; generating minimum directed spanning graph in first permission structure directed graph according to target job role; determining whether permission of each of the job roles in first permission structure directed graph matches job of each of the job roles in first permission structure directed graph; and adjusting permission and job of each of the job roles to generate second permission structure directed graph if it is determined that permission of each of the job roles in first permission structure directed graph does not match job of each of the job roles in first permission structure directed graph.

Abstract: Systems, methods, and computer-readable media are provided for generating a unique ID for a sensor in a network. Once the sensor is installed on a component of the network, the sensor can send attributes of the sensor to a control server of the network. The attributes of the sensor can include at least one unique identifier of the sensor or the host component of the sensor. The control server can determine a hash value using a one-way hash function and a secret key, send the hash value to the sensor, and designate the hash value as a sensor ID of the sensor. In response to receiving the sensor ID, the sensor can incorporate the sensor ID in subsequent communication messages. Other components of the network can verify the validity of the sensor using a hash of the at least one unique identifier of the sensor and the secret key.

Abstract: Methods and systems for unique session number sharing to ensure traceability are discussed herein. According to an implementation, a user sends a request to login a browser from a user equipment to a server device. The server device validates a user credential associated with the browser by comparing the user credential with pre-stored user registration information. Once the user credential is validated, the server device generates a session with a unique session number (USN) with respect to the request. The server device generates a plurality of logs with respect to the activities occurred during the session and associates the USN with each of the multiple logs. The USN is further included in an access token that authorizes the user to access the websites hosted by the browser.

Abstract: A client communications device and method for generating a user message comprising an assertion for verification by a remote server device is described. Payload data for the user message as generated by a secure application resident on the communications device is received. Biometric authentication of the user is performed as a first level security mechanism. If biometric authentication of the user is successful, a digital signature is generated based on the message payload as a second level security mechanism. The digital signature is generated using a private signature key stored in a secure element of the client device. A third level security mechanism is applied by authenticating the user message using a secure application-specific key. In implementations, the digital signature is generated in a secure environment of the client device which has sole access to the secure element after successful biometric authentication.

Abstract: Systems and methods are described herein for enabling discovery and selection of a WTRU-to-network relay by a remote WTRU and handling a WTRU-to-network relay configuration update. The WTRU-to-network relay may broadcast a service type indicating that the service type is available or conditionally available based on the WTRU-to-network relay slicing configuration. The WTRU-to-network relay may update broadcasting the service type or the indication that the service type as being conditionally available based on update of the WTRU-to-network relay slicing configuration. The WTRU-to-network relay may relay traffic between one or more distinct remote WTRUs and the core network node via a WTRU-to-network relay. The WTRU-to-network relay may reuse an existing PDU session for relay traffic or send a PDU session establishment request to network with the requested PDU session parameters depending on if the session parameters associated with an existing PDU session match the PDU session requirements of the remote WTRU.

Abstract: The present disclosure relates to a 5th generation (5G) or pre-5G communication system for supporting a higher data transmission rate after a 4th generation (4G) communication system such as long-term evolution (LTE). According to various embodiments of the present disclosure, according to various embodiments of the present disclosure, an operating method of a network exposure function (NEF) in a wireless communication system is provided.

Abstract: One or more first servers can implement an example method including storing, at a memory accessible by the first one or more servers, a primary email address for a user. The method further includes detecting a request, from a client device associated with the user, to access a network resource hosted at a second one or more servers, wherein the network resource is associated with an online service. The method also includes automatically generating a secondary email address for the user that is unique to the online service; and transmitting the secondary email address to the second one or more servers such that the online service receives the secondary email address for the user without receiving the primary email address for the user, thereby enabling the online service to transmit emails to the user despite not receiving the primary email address for the user.

Abstract: A system retrieves from cloud storage a packet(s) sampled from network traffic detected for software deployed on a cloud instance within a cloud environment. Each packet is inspected with deep packet inspection (DPI) to determine characteristics of the packet from which the identity/type of the corresponding software are determined. The system correlates the data/metadata generated from DPI with data/metadata of other cloud resources of the cloud environment based on determining the cloud resources to which the cloud instance is related or which also support deployment/execution of the software. The correlated data/metadata are evaluated based on security policies which include criteria for characteristics of software running on the cloud infrastructure rather than criteria for cloud infrastructure configuration alone. The system thus determines whether a cloud resource complies with the security policies based at least partly on the types/characteristics of software with which it is correlated.

Abstract: According to the present disclosure, there are provided methods and devices for utilizing controllable metasurface devices capable of redirecting a wavefront transmitted by a transmitter to a receiver in the wireless network to take advantage of the controllable metasurface device capabilities, intelligence, coordination and speed, and thereby enable solutions having different signaling details and capability requirements.

Abstract: Systems, methods, and other embodiments described herein relate to adaptable canary values. In one embodiment, a method includes acquiring state information about a program executing within a vehicle. The state information specifies at least a security level of segments of the program. The method includes, responsive to the program satisfying a generating threshold, generating a canary value according to the state information. The method includes inserting the canary value into a memory address associated with the program.

Abstract: Systems and methods are disclosed for online authentication of online attributes. One method includes receiving an authentication request from a rely party, the authentication request including identity information to be authenticated and credential information to be authenticated; determining whether a user account is associated with the received identity information by accessing an internal database; accessing user data of the user account determined to be associated with received identity information; determining authentication data to obtained from a user associated with the user account based on the user data of the user account and the credential information to be authenticated; transmitting a request for authentication data; receiving authentication data associated with the user; transmitting authentication data associated with the user; and receiving an authentication result from the verification data source server for the user associated with authentication data.

Abstract: Systems and methods for real-time management of delta inventory certificates for component validation using eventing and cloud infrastructures are described. In an embodiment, an Information Handling System (IHS) may include: a processor, a Remote Access Controller (RAC) coupled to the processor, and a memory coupled to the RAC. The memory may have program instructions stored thereon that, upon execution by the RAC, cause the RAC to: determine that a component has been added to the IHS; in response to the addition, request that a delta inventory certificate be generated by a remote validation service; and receive a copy of the delta inventory certificate.

Abstract: Various embodiments of the present disclosure provide techniques for facilitating a credential-less exchange over a network using a plurality of identifier mapping and member interfaces. The techniques may include initiating the presentation of an enrollment user interface via a client device of a user and receiving selection data indicative of a selection of a service provider instrument from the enrollment user interface. The techniques include generating a matching code for authenticating the user, providing the matching code to a service provider platform, and receiving the matching code from a partner platform. In response to an authentication of the user based on the matching code, the techniques may include generating an UUEK for the user that may be used to replace persistent credentials.

Abstract: A method of increasing security of digital assets stored in an isolated device by associating the isolated device with a plurality of accounts of the user each configured to store a limited value of digital assets, each of the plurality of accounts is assigned an asymmetric cryptographic key pair (comprising a unique private key encrypting the respective account and a corresponding public key identifying the respective account), transmitting, via a unidirectional secure channel, the public key assigned to each of the plurality of accounts to one or more computing nodes connected to a network community regulating the digital assets and transferring a value of the digital assets by transmitting, to one or more of the computing nodes, the private key of one or more of the plurality of accounts cumulatively storing the transferred value thus releasing the limited value stored in the respective account(s).

Abstract: A validation software obtains a session datum from a request initiating at a device. The validation software hashes the session datum to obtain a hashed session datum. The validation software transmits a validation request that includes a portion of the hashed session datum to a validation server. The portion of the hashed session datum may have a length that is less than a length of the hashed session datum. The validation software determines, and based on a response received from the validation server, that the session datum is likely compromised. In response to determining that the session datum is likely compromised, a notification is output at the device.

Abstract: A method includes receiving, by a token provider server, a first request for a first token that is associated with first information from a first application. The first request for the first token is part of an application session between a plurality of applications that includes the first application. The token provider server provides the first token to the first application. The token provider server receives the first token from a second application of the plurality of applications. The token provider server provides first information associated with the first token to the second application. The first information enables an action to be performed by the second application based on the first information.

Abstract: A coordinator module, a cyber threat analyst module, and AI models trained to model a normal pattern of life for entities in a wireless domain and a normal pattern of life for entities in a second domain cooperate with a combination of wireless sensors with RF protocol adapters to monitor and analyze wireless activity and probes to monitor activity in the second domain in order to analyze an anomaly of interest in a wider view of another domain's activity. These modules and models understand and assess the wireless activity and the activity from the second domain in light of the AI models modelling the pattern of life for entities in a wireless domain and/or a in the second domain in order to detect a cyber threat indicated by at least by the anomaly of interest. A formatting model generates an alert and/or a report.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for providing continuous session authentication and monitoring. An example method includes authenticating, at a first time, a session for a user of the client device based on an authentication image data structure and a plurality of first video frames captured before the first time. The example method further includes extracting sample data from a monitor region for each of a plurality of second video frames captured after the first time and generating motion data based on the extracted sample data. The example method further includes detecting, at a second time, a re-authentication trigger event based on the motion data. Subsequently, the example method includes re-authenticating the session based on the authentication image data structure and a plurality of third video frames captured after the second time.

Abstract: Provided is a system for face authentication which can operate separately for individual providers of face authentication service in a stable and efficient manner. The system includes: face authentication machines; an administrator terminal; a face management server for storing face image data of registered users; and face matching servers, each configured to generate face feature amount data of a person to be verified from image data acquired from the camera of a face authentication machine and to perform a matching operation by comparing the face feature amount data of the person with that of registered users. Prior to face authentication, data of associations between face authentication machines and face matching servers entered by an administrator is transmitted from the administrator terminal to the face management server.

Abstract: An information processing system includes an installation device and a cyber physical system (CPS) device. The installation device includes a detection unit, a determination unit, and a first communication unit. The detection unit detects a communication state of a first network to which a first CPS server device is connected. The determination unit determines the first CPS server device or a second CPS server device as an initial registration destination, based on the communication state. The first communication unit transmits a notification indicating the initial registration destination to the CPS device. The CPS device includes a memory control unit and a registration processing unit. The memory control unit stores, upon receiving the notification from the installation device, the initial registration destination included in the notification in a memory unit. The registration processing unit connects to the initial registration destination, to perform initial registration of the CPS device.

Abstract: An attribute information conversion device includes: a memory; and a processor coupled to the memory and configured to: issue first access information and second access information linked to each other in response to a request upon reception of the request for conversion from attribute information of a first type of a user that may be used in a first service into the attribute information of a second type that may be used in a second service different from the first service; perform, upon acquisition of the attribute information of the user from a terminal through the first access information, conversion of the acquired attribute information from the attribute information of the first type into the attribute information of the second type; and output the converted attribute information to a terminal that has made access through the second access information.

Abstract: Upon an attempt to access a service of a third-party server, full-duplex password-less authentication provides a one-time password to the user displayed at the client device and at a mobile device associated with the user. The user verifies the access by comparing the one-time password displayed at the mobile device and the one-time password displayed at the client device. In some embodiments, the one-time password is displayed as a picture while in other embodiments, a combination of a picture the one-time password is displayed as a picture and a set of alphanumeric characters for ease in making the comparison. The user determines whether to accept or deny the authentication sequence after a simple visual comparison.

Abstract: A communications server apparatus for managing authentication of a user based on one or more authentication events in a session is provided, to, in one or more data records, generate, for each authentication event, data indicative of a trust score corresponding to the authentication event; and generate, data indicative of a security score based on the trust scores corresponding to the one or more authentication events in the session, and, in response to receiving request data indicative of an authentication request associated with the user corresponding to a transaction in the session, the transaction having a value indicator, authenticate the user if the security score satisfies a condition for authentication corresponding to the transaction according to the value indicator, wherein security scores for satisfying the condition are variable according to value indicators of transactions.

Abstract: Systems and methods are provided for assessing an account takeover risk for one or more accounts of an individual. The account security procedures for each of a number of services with which the user has an account may be analyzed. Publicly accessible information regarding the user may also be collected and analyzed. The collected information and security procedures may be compared in order to determine one or more vulnerabilities to hostile account takeover of one or more of the analyzed accounts. An alert may be generated regarding a determined takeover risk, which may include suggested actions for remedying the risk.

Abstract: Provided is a system for face authentication which can operate separately for individual providers of face authentication service in a stable and efficient manner. The system includes: face authentication machines; an administrator terminal; a face management server for storing image data of registered users; and face matching servers, each configured to generate face feature amount data of a person to be verified from image data acquired from the camera of a face authentication machine and perform a matching operation by comparing the face feature amount data of the person with that of registered users. Prior to face authentication, data of associations between face authentication machines and face matching servers entered by an administrator is transmitted from the administrator terminal to the face management server.

Abstract: An apparatus, method and computer program is disclosed. The apparatus may comprise means for receiving video data representing a video recording of at least one input made by a user at a user device; receiving audio data representing an audio recording of at least one audio input made by the user at the user device; determining whether there is a correspondence between the at least one input represented in the video data and the at least one audio input represented in the audio data; and providing verification based on the determination.

Abstract: In general, techniques are described by which to perform secure fine time measurement for wireless communication protocols. An initiating station comprising wireless communication circuitry may be configured to perform the techniques. The wireless communication circuitry may be configured to receive, in accordance with a wireless networking protocol for communicating between the initiating station and a responding station, a first fine time measurement specifying a first time. The wireless communication circuitry may also be configured to receive, in accordance with the wireless networking protocol and for the corresponding first time, a first message integrity code. The wireless communication circuitry may next be configured to authenticate, based on the first message integrity code, the responding station to establish that the fine time measurement is from a trusted responding station.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: The invention relates to a method for creating, and guaranteeing the integrity of electronic messages, within a server providing Internet service. The integrity of the electronic messages are guaranteed and verifiable according to the MIME standard having a header with data regarding routing and regarding content type, an address of the sender and at least one recipient address, and a body comprising a message content. The MIME standard allows the insertion, into the header, of one or more extension fields. These fields comprise a pair formed of one tag allowing the field to be identified and of a value.

Abstract: A multitude of systems and methods are provided. An encryption method and system utilizing vector label input threshold encryption is included, enabling decentralized confidentiality and decentralized, fine-grained, and attributed-based access control, enabling clients to define by whom, when, and how their data is accessed. Additionally, the disclosed systems and methods can include publish/subscribe mechanisms while achieving confidentiality-preserving and decoupled publish/subscribe messaging and strong total order for publications even with crytographic access control enforced.

Abstract: Particular systems, methods, and program products for web-based security systems for user authentication and processing in a distributed computing environment are disclosed. A computing sub-system may receive an electronic processing request and a first signed data packet having a first payload that was hashed and encrypted using a first private key. The first payload may comprise first processing output and a first timestamp. The sub-system may verify the first signed data packet by decrypting it using a first public key. The sub-system may execute computing operations to satisfy the electronic processing request, producing second processing output. The sub-system may configure a data packet with a second payload comprising at least the second processing output and a second timestamp. The sub-system may encrypt the second payload using a second private key producing a second signed data packet. The sub-system may transmit to a second sub-system the second signed data packet.

Abstract: Disclosed are example methods, systems, and devices that allow for the generation and provisioning of digital credentials, which may demonstrate that a trusted entity has validated individual identity attributes, or sets of attributes, of a user. Digital credentials may also demonstrate one or more extrapolations resulting from deductions or inductions from validated identity attributes. A receiver device may indicate which identity attributes or extrapolations are sought by displaying a QR or other code and/or via a transmission using NFC or other wireless communication, and a user device may access corresponding digital attributes in an ID wallet to be provisioned via code or transmission. Digital credentials may restrict uses and usability of identity attributes. Cryptographic keys and/or distributed ledger records may allow recipients to verify authenticity of digital credentials. The same identity attribute may be proven by showing validation by multiple selectable trusted entities.

Abstract: Upon determining a confidence score for challenge biometric data for a user of an object is less than a first confidence threshold, a confirmation confidence score for the challenge biometric data is determined based on a remote confidence score for the challenge biometric data received from a remote computer. Upon determining that the confirmation confidence score is greater than a second confidence threshold, a user status of the user is determined based on an authenticator. The user status is one of authorized or not authorized. The second confidence threshold is less than the first confidence threshold. Upon determining that the confirmation confidence score is less than or equal to the second confidence threshold, the user status is determined based on supplemental biometric data. Object components are controller based on the user status.

Abstract: A system and method to tie a removable component to a host device. A first pairing key is stored into a security module on a host device such as a server rack. A removable component is inserted into the server rack for the first time. In response to this first insertion the first pairing key is burned into the removable component using a plurality of physically modifiable internal components. The server rack/security module receives a request form the removable component to operate on the server rack, the request includes a burned in pairing key. The security module compares the received pairing key with the first pairing key and permits operation of the removable component in response to a match between the received pairing key and the first pairing key.

Abstract: In an authentication device, an image conversion unit converts a visible light image obtained by capturing a region including an iris of a subject in visible light, and generates a converted image. For example, the image conversion unit converts the visible light image into a monochrome image. A feature value extraction unit extracts a feature value of the converted image. A collation unit performs authentication of the subject by collating the feature value extracted from the converted image with a feature value generated from an infrared image of an iris.

Abstract: Example methods, apparatuses, and systems are presented that allows a user to make a secure purchase online, directly through accessing an online advertisement and without being redirected to multiple, cumbersome webpages to process different pieces of information to complete the transaction, while still leveraging existing e-commerce entities, such as existing payment platforms and existing ad/content networks. The present system includes a commerce ads engine (CA engine) that interfaces with the user through an app associated with the CA engine, a tokenization platform for authentication of the user, and a merchant providing relevant offer and check out information about a product being advertised in an online ad.