Management Patents (Class 726/6)
  • Patent number: 9660980
    Abstract: A method of creating a password for a user account may include receiving, by a computing device, one or more authentication rules that each correspond to a password. Each authentication rule may describe a feature a password is to possess. The method may include receiving, by the computing device, a content and a corresponding action rule for the password, where the action rule specifies an action that is to be performed if the password includes the received content, associating the authentication rules, the content, and the action rule with one or more credentials of the user for the user account, and storing the password type, the authentication rules, the content, and the action rule in a database.
    Type: Grant
    Filed: April 21, 2014
    Date of Patent: May 23, 2017
    Assignee: GOOGLE INC.
    Inventor: Paul Rashidi
  • Patent number: 9652616
    Abstract: Techniques for classifying non-process threats are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for classifying non-process threats comprising generating trace data of at least one observable event associated with execution of a process, representing a first feature of the at least one observable event of the trace data, calculating, using a computer processor, a similarity between the first feature and at least one sample feature, and classifying the process based on the similarity.
    Type: Grant
    Filed: March 14, 2011
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Sandeep B. Bhatkar, Kent E. Griffin, Pratyusa Manadhata
  • Patent number: 9647839
    Abstract: The present invention seeks to meet these needs by providing a password generation and retrieval system (PGRS) that generates encrypted passwords with a computer program using an algorithm that combines a website information such as a domain name or email address, the user's own text input or phrase, and the user's own numeric value or pin number. The present invention does not involve the maintenance of a database of any kind. As such, there is no login required and no records are kept of the visitors, their input or the passwords generated. Preferably, the process is carried out using a website, browser extension, smart phone application and/or a stand-alone executable program.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: May 9, 2017
    Inventor: Jim Lucas
  • Patent number: 9641535
    Abstract: A system and method for providing access to an object over a network may comprise hosting an object on a distributed data processing system accessible over the network, the object contained within a cell; generating, by a cell access provider, a unique and random address for the cell containing the object, utilizing an address resolution module and providing, by the cell access provider, the unique and random address to a computing device of a unique consumer; and upon receipt of the unique and random address from the unique user, matching the unique and random address with the cell to facilitate access by the unique user to the object. The object may comprise a virtual object acting as a cell for facilitating access to one or more additional objects. The virtual object cell may contain one or more unique and random addresses facilitating access to one or more additional objects.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: May 2, 2017
    Assignee: Servmax, Inc.
    Inventors: Boris Apotovsky, Oleksii Koliadin
  • Patent number: 9641521
    Abstract: The field of the invention relates to network connected authentication systems, and more particularly to systems and methods that enable authentication of a user using a connected device in the possession of the user. In an embodiment, the system includes a network connected authentication server system communicatively coupled to a network for access by a plurality of user devices to authenticate a plurality of users of one or more third party applications, and a user account database coupled to the network connected authentication server system to store account information including a username for each of the plurality of users.
    Type: Grant
    Filed: August 7, 2013
    Date of Patent: May 2, 2017
    Assignee: iovation LLC
    Inventors: Devin M. Egan, Yo Sub Kwon, Geoffrey R. Sanders, Kristin F. Tomasik, Michael R. Manzano
  • Patent number: 9628363
    Abstract: A system for discovery and analysis of network data usage of users of a communication network may collect information related to data usage over a network. The system may determine network data usage patterns for users from the data usage information. The network usage data, usage patterns and additional information may be analyzed to create user segments, and to analyze network data usage for the user segments. Differentiated data services may be created and implemented based on the network data usage for the user segments.
    Type: Grant
    Filed: May 8, 2015
    Date of Patent: April 18, 2017
    Assignee: ACCENTURE GLOBAL SERVICES LIMITED
    Inventors: Madan Kumar Singh, Sachin Sehgal, Per Osterman, Petter Bohman, Niclas Poldahl
  • Patent number: 9619642
    Abstract: Systems and methods for testing to tell computers and humans apart and generating said tests are described. To generate a test, a selection of a range of characters at least including the 8-bit ASCII character range is received. Each character in the selected range of characters is tested to determine if the character has a glyph in the selected font, if the character is a whitespace character, and if the character leaves a visible impression. From all the characters in the selected range of characters that pass the tests, a plurality of characters is selected for a challenge, and a larger set of characters (that includes the plurality of characters from the challenge) is selected for a response. An image is generated that includes the challenge and the response, and a solution threshold is calculated based on the location of the challenge characters within the generated response.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: April 11, 2017
    Assignee: salesforce.com, inc.
    Inventor: Gursev Singh Kalra
  • Patent number: 9607132
    Abstract: A token-based validation method for delivery of at least part of a segmented content item and a content delivery system configured for executing such method are described. Said segmented content item may be associated with at least one manifest file comprising one or more segment identifiers. The method may comprise the steps of: a content processing device sending a first segment request message comprising a first segment identifier associated with a first segment to said at least one delivery node; generating first validation information for use with a further second segment request message, said first validation information comprising at least a first token and associated first timing information; and, sending a first response message and said first validation information to said content processing device, said first response message comprising at least part of said segment or location information associated with at least one delivery node for delivering said segment.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: March 28, 2017
    Assignees: Koninklijke KPN N.V., Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO
    Inventors: Ray van Brandenburg, Mattijs Oskar van Deventer, Martin Prins
  • Patent number: 9600678
    Abstract: An image is selected responsive to receiving an access request for access to protected content. An access code is assigned to the image, and the image is partitioned into a plurality of image tiles. Each image tile comprises a code segment, which is a part of the access code. The image tiles are then scrambled into a scrambled version of the image and displayed to a user. The user rearranges the scrambled version of the image to reassemble the image, identifies a correct sequence for the code segments, and then enters the code segments in the correct sequence as a codeword. The codeword is matched against the assigned access code. If they match, the user is granted access to the protected content. Otherwise the person is denied access to the protected content.
    Type: Grant
    Filed: December 5, 2014
    Date of Patent: March 21, 2017
    Assignee: CA, Inc.
    Inventors: Naga Venkata Sunil Alamuri, Ravindra Rajaram
  • Patent number: 9600643
    Abstract: A method and system for providing access to an application, where an association of a plurality of passwords with a login for an account of an application is maintained, wherein each of the plurality of passwords has a corresponding user and a corresponding set of privileges. A request for access to the account is received from a first user including the login and a first password of the plurality of passwords corresponding to the user, and the user is authenticated in view of the login and the password. Upon authentication of the user, access to the account is granted for the user to execute a corresponding first set of privileges.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: March 21, 2017
    Assignee: Red Hat, Inc.
    Inventor: Maureen Emily Strode
  • Patent number: 9602491
    Abstract: An information processing apparatus usable via a plurality of user interfaces, and a method of controlling the same, having a plurality of authentication processing modules configured to perform a user authentication for each of the plurality of user interfaces respectively. Setting information of authentication processing for each of the plurality of authentication processing modules and setting information of authentication processing by a common authentication processing module for performing a user authentication common to the plurality of user interfaces are held. If the user authentication by the common authentication processing module succeeds using the held setting information, based on user information input via an authentication screen of any one of the plurality of user interfaces, the user authentication is performed based on the held setting information of the user interface.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: March 21, 2017
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kei Sato
  • Patent number: 9596605
    Abstract: Systems and methods for providing secured network access are provided. A user device located within range of a hotspot initiates a request sent via an open communication network associated with the hotspot. The request concerns secured network access at the hotspot by the user device. A unique pre-shared key is generated for the user device based on information in the received request and transmitted over the open communication network for display on a webpage accessible to the user device. The unique pre-shared key is stored in association with information regarding the user device. The user device may then use the unique pre-shared key in subsequent requests for secured network access.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: March 14, 2017
    Assignee: RUCKUS WIRELESS, INC.
    Inventors: Prashant Ranade, Ming-Jye Sheu
  • Patent number: 9584501
    Abstract: Authenticating a client device to a service to allow the client device to access a resource provided by the service. A client device obtains a secondary credential that is associated with a primary credential and that is generated as being usable by a particular set of devices including the client device to indirectly gain access to the service through the primary credential. While outside of an enterprise network, the client device requests access to the service, including sending the secondary credential to an enterprise gateway. Based at least on sending the secondary credential to the enterprise gateway, the client device receives a resource from the service. The resource is received based at least on the enterprise gateway having forwarded the primary credential to the service after verifying that the secondary credential is valid and that the client device is in the particular set of client devices.
    Type: Grant
    Filed: July 17, 2015
    Date of Patent: February 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Meir Mendelovich, Ron Matchoro
  • Patent number: 9577984
    Abstract: Systems and techniques for managing local communication between a network access point and a host device. Upon connection by a host device to an access point, a local connection link is established between the access point and the host device. A network connection may be established between the access point and the host device, with the network connection being able to pass through the host device to enable communication with and beyond an access network to which the access point provides a connection. Local messages may be passed between the access point and the host device over the local connection link, separately from and independent of communication that may occur over the network connection.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: February 21, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Basavaraj Patil, Gabor Bajko
  • Patent number: 9571476
    Abstract: Systems and methods of performing single sign-on authentication from multiple platforms when establishing a connection to a database are described. An application can securely access a database based on user credentials provided during a prior authentication. In an embodiment, single sign-on is accomplished by relying on existing and emerging authentication, security service, security mechanism, and wire protocols, enabling the creation of drivers to accommodate various platforms and databases. In another embodiment, a pure type 4 Java Driver is used, eliminating dependencies on native operating functionality.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: February 14, 2017
    Assignee: Progress Software Corporation
    Inventors: James Walter Silhavy, Dirk Voet
  • Patent number: 9569644
    Abstract: Aspects of the present disclosure are directed towards a method of electronic verification of motion data. This includes collecting a first set of motion data that corresponds to a first set of motion characteristics generated from physically moving a hardware element of a computer ending upon inserting the hardware element of the computer into a computer chassis. This can further include determining an approved set of motion data and comparing the first set of motion data to the approved set of motion data. This can further include determining a difference between the first set of motion data and the approved set of motion data. This can further include determining that the difference does not satisfy a threshold. This can further include executing a reaction sequence in the computer, in response to determining that the difference does not satisfy the threshold.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: February 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Mark O. Maxson
  • Patent number: 9552349
    Abstract: Methods and apparatus are provided for performing spelling corrections using one or more variant hash tables. The spelling of at least one candidate word is corrected by obtaining at least one variant dictionary hash table based on variants of a set of known correctly spelled words, wherein the variants are obtained by applying one or more of a deletion, insertion, replacement, and transposition operation on the correctly spelled words; obtaining from the candidate word one or more lookup variants using one or more of the deletion, insertion, replacement, and transposition operations; evaluating one or more of the candidate word and the lookup variants against the at least one variant dictionary hash table; and indicating a candidate correction if there is at least one match in the at least one variant dictionary hash table.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: January 24, 2017
    Assignee: International Business Machines Corporation
    Inventors: Sidney L. Hantler, Meir M. Laker, Jonathan Lenchner, Daniel Milch
  • Patent number: 9553720
    Abstract: An application that consumes key management information (e.g., keys and certificates) through a conventional keystore API is configured to recognize a new keystore type. In addition, the services of that API are pointed to a management server component associated with a key management protocol (e.g., KMIP), and a client component of the key management protocol is instantiated as a “semi-remote” keystore in association with the application. Once configured to use the new keystore type, the consuming application uses the keystore API in a conventional manner, but calls to the new keystore type are directed to the KMIP client. The client intercepts these calls and then interacts with the KMIP server on behalf of the consuming application, and without the application being aware of the interaction over the KMIP client-server API. This approach enables the consuming application to take advantage of the full benefits provided by the key management protocol transparently.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: January 24, 2017
    Assignee: International Business Machines Corporation
    Inventors: Bruce Arland Rich, Gordon Kent Arnold, Thomas Harry Benjamin, John Thomas Peck
  • Patent number: 9548996
    Abstract: A computer-implemented method, including receiving, by one or more computer systems, customer characteristic information for a user; applying, by the one or more computer systems, one or more recommendation rules to the customer characteristic information to determine a security tier; comparing, by the one or more computer systems, the customer characteristic information to one or more other users with a threshold level of similarity to the user for which the customer characteristic information is received; identifying, by the one or more computer systems, a security tier assigned to one of the one or more other users; and generating information indicative of a recommended security tier, based on the identified security tier and the determined security tier.
    Type: Grant
    Filed: May 7, 2015
    Date of Patent: January 17, 2017
    Assignee: FMR LLC
    Inventors: Wesley Meredith, Rajee Jones
  • Patent number: 9547845
    Abstract: The present disclosure relates generally to mechanisms for the estimation of location privacy risk, comprising: building one or more trajectory models from auxiliary information (e.g., one or more maps, one or more routes); capturing common behavioral patterns (e.g., shortest route(s)/fastest route(s)); identifying, given unlinked trajectories for a plurality of users, most likely linkages using the trajectory model(s); eliminating one or more unlikely linkages based on deviation from the shortest route(s) and/or the fastest route(s); measuring privacy as the percentage of linkages correctly identified; and outputting the measured privacy.
    Type: Grant
    Filed: June 19, 2013
    Date of Patent: January 17, 2017
    Assignee: International Business Machines Corporation
    Inventors: Dakshi Agrawal, Raghu K. Ganti, Mudhakar Srivatsa, Jingjing Wang
  • Patent number: 9544281
    Abstract: A mechanism is provided for selective password synchronization. An indication is received that a password is to be changed for an account in a plurality of accounts associated with an individual, where the indication includes a new password. Responsive to receiving the indication of the password change, the account is grouped with one or more other accounts in the plurality of accounts thereby forming a first subset of accounts, where grouping the account with the one or more other accounts in the plurality of accounts excludes at least one account in the plurality of accounts thereby forming a second subset of accounts. The new password is propagated to the first subset of accounts according to a first policy. The new password is propagated to a second subset of accounts of the plurality of accounts according to a second policy, where the second policy is different from the first policy.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: January 10, 2017
    Assignee: International Business Machines Corporation
    Inventors: Brian R. Matthiesen, Britton G. Thrasher
  • Patent number: 9537847
    Abstract: Embodiments of the invention relate to methods of generating and using an image-based derived key. In various embodiments, the image-based derived key may be used to facilitate user authentication and data encryption. For some embodiments, a method is disclosed comprising determining an image-based derived key, wherein the image-based derived key is generated from a selection of authentication images chosen by a user, encrypting data using the image-based derived key, and transmitting the encrypted data.
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: January 3, 2017
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Selim Aissi, Taeho Kgil, Ajit Gaddam
  • Patent number: 9536057
    Abstract: Premise-based policies can be applied in the management of mobile devices and other computing devices within a system. A computing device is detected using close proximity wireless communication and location information is sent to the computing device using close proximity wireless communication. Policies applied to the computing device can be based at least in part on the location information.
    Type: Grant
    Filed: October 18, 2013
    Date of Patent: January 3, 2017
    Assignee: McAfee, Inc.
    Inventors: Sudeep Das, Pramod Sharma, Sumant Vashisth
  • Patent number: 9537866
    Abstract: A method and apparatus to control the use of applications on handheld device is based on network service, the method comprising the steps of: receiving a network identifier; correlating the network identifier with application and/or feature limitations stored on the mobile device; and limiting application usage based on the results of such correlating step.
    Type: Grant
    Filed: October 19, 2007
    Date of Patent: January 3, 2017
    Assignee: BlackBerry Limited
    Inventors: Ian James McDonald, Brian Oliver, Alan Panezio, David Lloyd Heit, Nicholas Alfano, Gregory Scott Henderson, Douglas Gisby
  • Patent number: 9531758
    Abstract: A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) Having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) Being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: December 27, 2016
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Sridhar Narasimhan, Amit Sinha, Manoj Apte
  • Patent number: 9509674
    Abstract: A programmable management method and system provides mechanism for processing, viewing and transactions of secure and private information allowing user of the system the ability to control access to and viewing of personal information.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: November 29, 2016
    Assignee: ENORCOM Corporation
    Inventors: Gitty N. Nasserbakht, Mitra Nasserbakht
  • Patent number: 9503482
    Abstract: A common security policy for a heterogeneous computer architecture environment is provided. A configuration of a security policy of a heterogeneous computer architecture is received from a management console. The security policy is stored on a policy server that is communicatively connected, by a management network, to a plurality of hardware platforms of the heterogeneous computer architecture. The security policy is distributed to a plurality of policy agents of the heterogeneous computer architecture over the management network. The security policy includes a security policy administrator role that permits management of (i) one or more subjects in a plurality of security zones and (ii) one or more objects in the plurality of security zones. The security policy also includes security zone administrator roles, wherein each security zone administrator role (i) is associated with a respective security zone and (ii) permits management of object(s) in the respective security zone.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Brian W. Hugenbruch, Peter G. Spera
  • Patent number: 9501636
    Abstract: In an approach for changing a password. Aspects of an embodiment of the present invention include an approach for changing a password, wherein the approach includes a processor identifies a resource protected by a password. A processor discovers at least one information source containing information relevant to a process for changing the password of the resource. A processor constructs a set of procedures to change the password using the information relevant to the process for changing the password. A processor alters the password of the resource according to the constructed set of procedures.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hisham E. Elshishiny, Mohamed S. Salem, Shady S. M. Samaan, Amr F. Yassin
  • Patent number: 9485251
    Abstract: A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction and determining whether the transaction requires access to protected resources. Moreover, the method determines whether inputted information is known, determines a state of a communications device when the inputted information is known, and transmits a biometric authentication request from a server to an authentication system when the state of the communications device is enrolled.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: November 1, 2016
    Assignee: DAON HOLDINGS LIMITED
    Inventors: Conor Robert White, Michael Peirce, Jason Scott Cramer, Chet Bradford Steiner, Suzanna Diebes
  • Patent number: 9479511
    Abstract: Methods, computer systems, and computer-readable storage media for using a single application on a mobile device to access a plurality of client domain sites are provided. The single application on the mobile device receives from a user of the mobile device a set of authorization credentials. Based on the set of authorization credentials, the single application receives a first client domain uniform resource locator from a third-party directory service. The first client domain uniform resource locator is used to access a client gateway service; the client gateway service provides a secure access point to a number of different service solutions hosted by a client. Upon the user inputting a set of authentication credentials, the user is able to access information from one or more of the different service solutions.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: October 25, 2016
    Assignee: Cerner Innovation, Inc.
    Inventors: Andrew Michael Dittrich, Steven E. Harlow, Kristopher R. Kline, Jerehmiah Jessee-Lantz, Christopher Dillard Cline, Brad Michael Jennings, William Mark Kinsella
  • Patent number: 9467857
    Abstract: A system that incorporates teachings of the subject disclosure may include, for example, a method for facilitating, at a system including at least one processor, establishment of a communication session with a device coupled to a Universal Integrated Circuit Card (UICC) by way of network equipment of a default Mobile Network Operator (MNO), receiving, at the system, information descriptive of an MNO selection, selecting, at the system, from a database of credentials of a plurality of MNOs first credential information according to the received information, wherein the first credential information is associated with a first MNO of the plurality of MNOs, and transmitting, from the system, the first credential information to the UICC over the communication session by way of the device to cause the UICC to facilitate establishment of communications with network equipment of the first MNO according to the first credential information. Other embodiments are disclosed.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: October 11, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: David Midkiff
  • Patent number: 9467448
    Abstract: A method for sharing content between clients at a common trust level in a trust hierarchy associated with a network implementing policy-based management includes receiving integrity information from a first client at a first trust level in the trust hierarchy at a second client at the first trust level, requesting permission to receive electronic content from the first client, receiving a determination regarding the requested permission, and communicating the determination to the first client. The first client obtained content from a policy enforcement point in the network. The request for permission is made to the policy enforcement point and the request includes the integrity information. The determination is received from the policy enforcement point and is based in part on the integrity information about the first client. The second client communicates to the first client the determination of whether the second client receives the content from the first client.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: October 11, 2016
    Assignee: Fujitsu Limited
    Inventors: Seigo Kotani, Masaaki Matsuguchi
  • Patent number: 9450759
    Abstract: Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.
    Type: Grant
    Filed: April 5, 2011
    Date of Patent: September 20, 2016
    Assignee: Apple Inc.
    Inventors: Jerrold Von Hauck, David T. Haggerty
  • Patent number: 9443118
    Abstract: Methods, systems, and apparatus, for pairing a wireless card reader and a computing device, including: receiving first user input setting the wireless card reader in a pairing mode; sending an indication from the wireless card reader to the computing device that a pairing mode of the wireless card reader is enabled; receiving an indication from the computing device that a pairing mode of the computing device is enabled; receiving, in the wireless card reader, a second user input of a sequence of actuations of a sensor on the wireless card reader; determining, on the wireless card reader, whether the sequence of actuations matches a stored sequence; and in response to determining that the sequence of actuations matches a stored sequence, pairing the wireless card reader with the computing device.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: September 13, 2016
    Assignee: Square, Inc.
    Inventors: Thomas Templeton, Elliot Sather
  • Patent number: 9444809
    Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: September 13, 2016
    Assignee: AUTHENTIFY, INC.
    Inventor: Ravi Ganesan
  • Patent number: 9444685
    Abstract: A cloud configuration management method implemented in a cloud configuration management system communicatively coupled to one or more cloud nodes in a cloud system includes creating a plurality of golden configurations for each of a plurality of roles, wherein each of the one or more cloud nodes has one of the plurality of roles for operation in the cloud system; defining metadata rules for each of the plurality of golden configurations; performing a configuration analysis to audit the one or more cloud nodes using the metadata rules; and providing results of the configuration analysis to determine misconfiguration of any of the one or more cloud nodes.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: September 13, 2016
    Assignee: Zscaler, Inc.
    Inventors: Rajnish Mishra, Anupam Pandey, Sachin Kumar, Jaspreet Singh, Anshul Behl, Kaleeswaran Karuppasamy
  • Patent number: 9419989
    Abstract: Threat detection is improved by monitoring variations in observable events and correlating these variations to malicious activity. The disclosed techniques can be usefully employed with any attribute or other metric that can be instrumented on an endpoint and tracked over time including observable events such as changes to files, data, software configurations, operating systems, and so forth. Correlations may be based on historical data for a particular machine, or a group of machines such as similarly configured endpoints. Similar inferences of malicious activity can be based on the nature of a variation, including specific patterns of variation known to be associated with malware and any other unexpected patterns that deviate from normal behavior. Embodiments described herein use variations in, e.g., server software updates or URL cache hits on an endpoint, but the techniques are more generally applicable to any endpoint attribute that varies in a manner correlated with malicious activity.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: August 16, 2016
    Assignee: Sophos Limited
    Inventors: Mark D. Harris, Kenneth D. Ray
  • Patent number: 9413753
    Abstract: A method is provided for generating a soft token by which attributes of a user may be authenticated. A request to generate the soft token is transmitted from an electronic device of the user to a service provider computer via a first secure connection. After receiving the request, the service computer generates a one-time password, records the password as a session identifier, and transmits the password to the electronic device. The password is output by the electronic device via a user interface. The user enters the password into a user computer system, from where it is transmitted, via a second secure connection, to the service computer system. If the recorded password agrees with the received password, one or more attributes are read from an ID token of the user and a corresponding soft token is generated and transmitted to the electronic device or user computer system.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: August 9, 2016
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Frank Dietrich, Micha Kraus
  • Patent number: 9413751
    Abstract: A client sends a request to start to use a service via an information processing system that is a cooperation source, acquires identification information indicating that authentication has been successfully performed based on group authentication information set for a group to which a user belongs, and then transmits the identification information to an information processing system that is a cooperation destination.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: August 9, 2016
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takayuki Uchida
  • Patent number: 9405492
    Abstract: A non-transitory storage medium stores instructions which, when executed by a processor of an information processing device, cause the processor to: transmit, to an image processing apparatus, identification information for identifying a login requestor; acquire account information transmitted from the image processing apparatus when the identification information is registered in the image processing apparatus; cause the information processing device to log in to a server using the account information; and perform at least one of: acquiring image data from the server and transmitting the image data and the identification information to the image processing apparatus; and transmitting an image reading request and the identification information to the image processing apparatus, acquiring image data from the image processing apparatus, and transmitting the image data acquired from the image processing apparatus, to the server.
    Type: Grant
    Filed: May 28, 2014
    Date of Patent: August 2, 2016
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Jun Yamada
  • Patent number: 9396197
    Abstract: Methods and systems for inserting media content from multiple media content repositories are disclosed herein. The method includes displaying indicia corresponding to a number of repositories within a user interface that is authorized to access all of the repositories, wherein the repositories may include a local repository and an online repository, or any combination thereof. The method also includes obtaining media content from any of the repositories via the user interface and inserting the media content into a location via the user interface.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: July 19, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jennifer Hwang, Omeed Musavi, Amado Villescas
  • Patent number: 9397905
    Abstract: A multi-tenant service container receives a container health check request and responsively identifies a list of expected tenants. The list of expected tenants may include all of the tenants hosted by the multi-tenant service container, all of the tenants hosted by the multi-tenant service container that are associated with a particular process or a list of tenants defined by the container health check request. The multi-tenant service container issues a tenant health status request to the tenants in the expected tenant list and responsively receives a tenant health status from the tenants. The received tenant health status is either a tenant healthy status or a tenant unhealthy status. The multi-tenant service container issues a container health status based on the tenant health statuses received from the tenants on the expected tenant list.
    Type: Grant
    Filed: January 24, 2014
    Date of Patent: July 19, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Samuel Leonard Moniz, Kevin Michael Beranek, Keian Christopher, Jun Xu
  • Patent number: 9386011
    Abstract: Systems and methods are disclosed for managing the resetting of online identities or accounts of users of Internet web pages. One method includes: receiving, through an electronic device, a request to reset login information to access a web page associated with the user's online account; determining that an IP address associated with the request is not identified as being suspicious; receiving user data intrinsic to the user's request; automatically verifying two or more values of the data intrinsic to the user's request as being indicative of a level of trust of the identity of the user; and transmitting, to the user over the Internet, a subset of options to reset the login information, the subset being selected based on the level of trust.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: July 5, 2016
    Assignee: AOL Inc.
    Inventor: Lachlan A. Maxwell
  • Patent number: 9379896
    Abstract: The compromised password mitigation module comprises a compromised password collection module, a compromised password storing module, a logging module, an account protection module and a user database. The compromised password collection module receives or gathers sets of login names, compromised password hashes and hash functions. The compromised password collection module provides this gathered information to the compromised password storing module. The compromised password storing module stores this information in user records in the user database. The compromised password hashes and hash functions are advantageously stored along with the actual password hash. The logging module uses the user records when evaluating access to determine whether a submitted password matches both a compromised password hash and an actual password hash. If a match is found, access to the system is denied and additional protective action is taken by the account protection module. If no match is found, the user is allowed to access the system.
    Type: Grant
    Filed: October 24, 2011
    Date of Patent: June 28, 2016
    Assignee: GOOGLE INC.
    Inventor: Alon Altman
  • Patent number: 9372986
    Abstract: A mechanism is provided for selective password synchronization. An indication is received that a password is to be changed for an account in a plurality of accounts associated with an individual, where the indication includes a new password. Responsive to receiving the indication of the password change, the account is grouped with one or more other accounts in the plurality of accounts thereby forming a first subset of accounts, where grouping the account with the one or more other accounts in the plurality of accounts excludes at least one account in the plurality of accounts thereby forming a second subset of accounts. The new password is propagated to the first subset of accounts according to a first policy. The new password is propagated to a second subset of accounts of the plurality of accounts according to a second policy, where the second policy is different from the first policy.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: June 21, 2016
    Assignee: International Business Machines Corporation
    Inventors: Brian R. Matthiesen, Britton G. Thrasher
  • Patent number: 9374367
    Abstract: A method is provided for generating a soft token by which attributes of a user may be authenticated. A request to generate the soft token is transmitted from an electronic device of the user to a service provider computer via a first secure connection. After receiving the request, the service computer generates a one-time password, records the password as a session identifier, and transmits the password to the electronic device. The password is output by the electronic device via a user interface. The user enters the password into a user computer system, from where it is transmitted, via a second secure connection, to the service computer system. If the recorded password agrees with the received password, one or more attributes are read from an ID token of the user and a corresponding soft token is generated and transmitted to the electronic device or user computer system.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: June 21, 2016
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Frank Dietrich, Micha Kraus
  • Patent number: 9374365
    Abstract: Image scanning and encoding technologies can be utilized to authenticate devices to virtual desktops and to transfer virtual desktop sessions between devices. One device (e.g., PC or laptop) may encode certain information into an image that is displayed on a display screen, while another mobile device equipped with a digital camera (e.g., mobile phone or tablet) can be used to scan the image on the display screen. Once the image is scanned, it can be decoded by the mobile device to get the information encoded in the image (e.g., device ID, session ID, etc.). The information obtained from the image can be used to authenticate a device or to transfer a virtual desktop session between the devices.
    Type: Grant
    Filed: August 20, 2014
    Date of Patent: June 21, 2016
    Assignee: VMware, Inc.
    Inventors: Haiou Jiang, Dong Wang, David Snowdon, Adam Gregory Gross, Jin Yu, Kun Shi
  • Patent number: 9350900
    Abstract: An information processing apparatus to execute an application includes first and second authentication units, first and second storage units, a request unit, and an application execution unit. The first authentication unit authenticates a user of the information processing apparatus. The first storage unit stores first certification information relating to the authentication of a user. The request unit requests a second authentication unit to perform authentication required to execute the application using the first certification information when the application is executed based on an instruction from the user authenticated by the first authentication unit. The application execution unit executes the application when the authentication performed by the second authentication unit based on the request by the request unit has succeeded.
    Type: Grant
    Filed: May 30, 2011
    Date of Patent: May 24, 2016
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroshi Yasuhara
  • Patent number: 9348928
    Abstract: A computer displays a screen that includes a uniform resource locator (URL). In response to a selection of a uniform resource locator (URL) by an end-user at a computer, the computer intercepts a request within the computer to prevent the request from being sent to another computer. The computer determines whether the URL includes one or more parameters that define a field with a missing value, and that need entry of one or more input values from the end-user. The computer generates an electronic form utilizing the one or more parameters to formulate a field, within the electronic form, for each of the one or more parameters. The computer displays the electronic form including the field for each of the one or more parameters, which enables the end-user to enter information into the field within the electronic form.
    Type: Grant
    Filed: December 7, 2011
    Date of Patent: May 24, 2016
    Assignee: International Business Machines Corporation
    Inventors: Lisa Seacat DeLuca, Soobaek Jang, Troy M. Volin
  • Patent number: 9336378
    Abstract: A credential can be shared by one user with other users when sharing conditions are met. Sharing conditions can include a time, time range, date, date range and the geographic location of a user with whom the credential is to be shared. The credential can be shared so that it is not visible or accessible in plaintext to the shared-with user. Sharing conditions can include conditions that, when met, result in the revocation of a shared credential.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: May 10, 2016
    Assignee: GOOGLE INC.
    Inventor: Eldridge Lee Alexander