Abstract: Disclosed are various embodiments for a token management application. A data block tokenization call to a data layer service fails when a data store is unavailable. The token management application issues a temporary data token to the service calling the data layer service. The token management application completes the data block tokenization call on behalf of the service to obtain a valid data token. The valid data token is then communicated to services having the temporary data token.

Abstract: Methods and systems are described for state driven orchestration of authentication components to access a resource protected by an access manager framework. In response to a client request for a protected resource, relevant authentication components and their respective order are determined. Upon successful authentication of the first authentication component, proper state information of the authentication process is stored by the client indicating the next authentication component. In response to a request for additional credential information for the authentication process from the next authentication component, the client provides the stored state information so that the authentication process continues with the second authentication component according to the determined order of the authentication components within an authentication process.

Abstract: The present invention discloses a method of dual stack access, wherein a network device authenticates the first protocol address of a requesting client, stores the user name, first protocol address, and address status information of the client in the user information table if the authentication succeeds, assigns a second protocol address to the client, stores this second protocol address and address status information in the user information table, generates control rules for the client according to its user information, and controls dual stack access of the client according to the rules. This invention provides effective authentication-based access control of dual stack users.

Abstract: A user authenticates to a Web- or cloud-based application from a browser-based client. The browser-based client has an associated rich client. After a session is initiated from the browser-based client (and a credential obtained), the user can discover that the rich client is available and cause it to obtain the credential (or a new one) for use in authenticating the user to the application (using the rich client) automatically, i.e., without additional user input. An application interface provides the user with a display by which the user can configure the rich client authentication operation, such as specifying whether the rich client should be authenticated automatically if it detected as running, whether and what extent access to the application by the rich client is to be restricted, if and when access to the application by the rich client is to be revoked, and the like.

Abstract: Systems and methods for receiving a session and establishing authentication credentials associated with a user by verifying the uniqueness of requested authentication credentials among one or more entities by one or more credential verification servers. Once the authentication credentials associated with the user are established, the session may be transferred back.

Abstract: To address problems related to interface differences and disunity among on-line services, such as newsgroups message boards and forums, the present inventors devised systems, methods, and software for automating the posting and retrieval of content across different on-line services as well as encouraging growth of active on-line communities. One exemplary system includes a posting module, a retrieval module, and a web server. The posting module allows users to create and initiate data postings that are sent automatically to several newsgroups, message boards, and/or other on-line information sources. The retrieval module automatically retrieves replies to the postings at each of the on-line sources and presents them through the webserver for user review and further reply, eliminating the need for users to repeatedly visit posting sites in search of reply messages.

Abstract: A system, apparatus, method, and machine readable medium are described for implementing privacy classes within an authentication framework. For example, one embodiment of a method comprises: transmitting a query for client information from a server to a client, the client information including information related to authentication devices coupled to the client; analyzing the query to determine an appropriate privacy class to be used for providing client information to the server; providing a subset of client information selected based on the determined privacy class, the subset of client information including the information related to the authentication devices coupled to the client; and using the subset of client information within an authentication framework to provide user authentication services over a network.

Abstract: Technology is disclosed for implementing a mobile device management service. The technology includes a first computing device behind a first firewall, for providing device management as a software as a service that is configured to (a) receive one or more policies from an entity, the entity managing a second server computing device that is behind a second firewall, wherein the first firewall and the second firewall are different firewalls, further wherein at least one of the received policies is indicated to pertain to a group of mobile computing devices; and (b) upon receiving a communication from a mobile computing device belonging to the group of mobile computing devices, transmit to the mobile computing device the received policy pertaining to the group of mobile computing devices, wherein the received policy specifies a condition for future communications between the mobile computing device and the second server computing device.

Abstract: An image processing apparatus includes an operations unit configured to be directly operated by a user; a main unit configured to operate based on a request from the operations unit; a determination unit configured to determine a device that is to use an external storage device of the operations unit, in accordance with one of a function of the main unit that is activated through the operations unit and an application of the operations unit; and a switching unit configured to switch a current connection of the external storage device to a connection between the determined device and the external storage device.

Abstract: Methods, systems, and media for measuring gesture-based password quality are provided, the methods comprising: receiving a first image; receiving a proposed password; identifying points of interest in the image each associated with an attribute; receiving a gesture selection function sequence, with a plurality of gesture selection functions each associated with a gesture type and a point of interest attribute; determining that a subset of points of interest in the image have attributes corresponding to attributes associated of a gesture selection function sequence; generating a possible password based on the gesture selection function sequence; determining and presenting a relative strength of the proposed password based on whether the proposed password matches the possible password.

Abstract: The systems, methods and apparatuses described herein provide a computing environment for authenticating a user. An apparatus according to the present disclosure may comprise a non-volatile storage, a user interface, and a password engine. The password engine is configured to retrieve two or more predetermined prompts from the non-volatile storage, present the two or more predetermined prompts on the user interface to a user in a random order, receive a first set of input(s) in response to the two or more predetermined prompts, create an encryption keyword from the received first set of input(s) according to an original order of the two or more predetermined prompts stored in the non-volatile storage, and use the encryption keyword to authenticate the user.

Abstract: Technologies are generally described for a network selection scheme for an electronic device. In some examples, a method performed under control of an electronic device may include searching one or more communication networks available for the electronic device; determining types of the searched communication networks; determining a type of data traffic to be transmitted over at least one of the searched communication networks; and determining at least one of the communication networks to be used for the data traffic based at least in part on the determined types of the communication networks and the determined type of the data traffic.

Abstract: A method for interacting with a user, comprising communicating with at least one cooperative server through a normal browser; automatically receiving encrypted data having an associated received type code indicative of a requirement for a secure browser having restricted functionality with respect to a functionality of the normal browser; selectively and automatically invoking the secure browser for handling of the received encrypted data based on the received type code associated with the received encrypted data; receiving the encrypted data with the invoked secure browser for handling thereof, wherein the received encrypted data is not available for use by the user in the normal browser and the invoked secure browser imposes restrictions on availability outside of the secure browser of decrypted data derived from the encrypted data; and communicating an input from the user, through the secure browser, to the at least one cooperative server.

Abstract: An authentication challenge system for performing secondary authentication for an account associated with an online store is described. In one embodiment, the authentication challenge system includes a question generation engine, which can derive a series of questions based upon activity associated with a user account of an online store; a network interface, which can transport the series of one or more questions derived by the question generation engine to authenticate the user to the online store; a confidence engine, which can determine a required confidence level for a successful authentication, and can compute a confidence score of the user identity; and a quality engine, which can adjust the question generation engine and the confidence engine based upon an analysis of question and answer metrics across multiple accounts of the online store. The online store can include digital media, such as music, movies, books or applications for electronic computing devices.

Abstract: Systems and methods for dynamic development and deployment of computing applications including a development framework, a visual design subsystem, and a deployment subsystem, where at runtime the deployment subsystem is operable to dynamically deploy a computing application realized by a blueprint by sending a request at runtime for graphs and components instantiated by the blueprint.

Abstract: A new approach is proposed that contemplates systems and methods to support the operation of a Virtual Media Room or Virtual Meeting Room (VMR), wherein each VMR can accept from a plurality of participants at different geographic locations a variety of video conferencing feeds of audio and video streams from video conference endpoints and enables a multi-party video conferencing session in real time among the plurality of participants. Each of the participants is offered a rich set of conferencing and collaboration interaction hitherto not experienced by video conferencing participants and a moderator of the video conference is further offered with in-meeting management and control over a plurality of security and privacy settings during the video conference. These interactions encompass controlling of a video conferencing session, its configuration, privacy, security, the visual layout of the participants, customization of the VMR and adaptation of the room to different vertical applications.

Abstract: A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality. A mapping repository can be configured to store a mapping between applications and identity providers. The mapping associates each application of a plurality of applications with one or more identity providers. Identity management logic can be configured to use the mapping to determine that one or more identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of the first application in response to receiving a first request associated with a first application.

Abstract: A method enables a simple and convenient secured connection to a secured wireless network by individual passwords generated by requesting clients, and a confirmation of the owner or operator (Wi-Fi hot spot) of the secured wireless network. Each requesting client automatically generates its own individual password. A routing device of the secured wireless network generates a request which is submitted to a confirmation authority such that the owner or operator of the secured wireless network can decide whether to agree to the request. An answer of the owner or operator submitted via the confirmation authority to the routing device enables the secured connection between the requesting client and the secured wireless network. The owner or operator of the secured wireless network does not need to remember a special password in order to enable the secure connection. The subject innovation includes such requesting clients, routing devices and systems.

Abstract: A system and method can support on-device operation management. A token issuer on a backend server, and/or a tool, can generate an authorization token, which is bound to a user of one or more devices using a unique identifier (ID) that is assigned to the user. The unique ID can be known and/or shared between the an on-device authorizing entity and the token issuer. Then, the on-device authorizing entity can verify the authorization token before granting an execution of one or more protected on-device operations. Furthermore, the on-device authorizing entity may not grant the execution of the one or more protected on-device operations, when the unique ID is erased from the device.

Abstract: Internet user passwords are securely managed. A formation component can enable a user to create a master account on a web server, the master account comprising a master username and password. An access component can enable the user to access a plurality of password protected websites from a web browser or non-browser software application resident on the user's computing device when the user logs into the master account by entering the valid master username and password. A selection component can log the user into a website of the plurality of password protected websites when the user selects a hyperlink associated with the website, selects a linked image associated with the website, or selects the website from a pulldown list contained in a toolbar of a web browser. A display component can open a web browser or tab associated with the website.

Abstract: A method and system for securing a user transaction involving a subscriber unit (“SU”) (having a processor, memory, and a display configured to accept user input), a credential information manager (“CIM”) (having a processor and memory), and a transaction service provider (“TSP”) (having a processor and memory). A cyber identifier (“CyberID”), a subscriber identifier (“SubscriberID”), and subscriber information, each associated with the user, is stored in the CIM. A transaction request is sent from the SU to the TSP, which creates a transaction identifier (“TID”), stores it in the TSP memory and transmits it to the SU. The SU transmits an authentication request, the TID, and SubscriberID to the CIM, which authenticates the SubscriberID and verifies the TID to the TSP. The TSP verifies the TID and reports it to the CIM, which transmits the CyberID and subscriber information to the TSP, and transmits a transaction authorization to the SU.

Abstract: In general, the invention relates to a method for performing a command on a token. The method includes receiving a first command authentication message digest (CAMD), a command, and scrambled data from a sender, and making a first determination that the sender is allowed to send commands to the token. The method further includes, based on the first determination, generating a second CAMD on the token using the command, the scrambled data, and an Administrative Command Authentication Secret (ACAS), making a second determination that the first CAMD and the second CAMD match, and based on the second determination, performing the command by the token.

Abstract: An information sharing system according to an embodiment includes an information processing system and a terminal and display device connected to the information processing system via a network. The information processing system is composed of one or more information processing apparatuses. The display device is equipped with a display unit on which an image is displayed. The display device includes a first identification-information acquiring unit that acquires identification information for identifying the display device on the network. The terminal acquires the identification information from the display device, and accesses a storage service and acquires access information, and transmits the acquired identification information and access information to the information processing system.

Abstract: A purpose of the invention is to accomplish ensuring security and the like when a user program is executed in a cloud environment. The present system comprises a user terminal 2, a public cloud (CL) 3, and an authentication server 1. The CL 3 comprises a server (31) that executes a user program (UP) and a controller 30. The authentication server 1 comprises an authentication control unit 13 and a library 50. The library 50 stores user information (d2), UP information (d3), CL 3 information (d4), server information (d5), and permission information (d1) that manages an association about execution of the UP with the server. The authentication control section 13 performs processes such as a process for generating UP authentication information (F1), a process for generating server authentication information (F2) and a process for determining execution permission with reference to the authentication information (F1, F2) and the permission information (d1) when the UP is executed by the server of the CL 3.

Abstract: Systems and methods for authenticating an avatar are provided. This system is useful with an avatar having an identifier, virtual environments, and a user who uses the avatar in the virtual environments. Transoms are generated, each with a unique identifier configured to exist in a specific location, and registered with an identity provider. The transom initiates a request. An offer is conveyed that includes the transom identifier, the location and the avatar identifier. The avatar is then authenticated by a shared secret. The identity provider then responds to the offer with avatar identification information, including reputation information. Reputation information is for the avatar and the user, and is compiled from external avatar data sources by using a trust matrix. An avatar gallery is generated by linking each avatar owned by each user to the account and compiling avatar profiles from the account, and the reputation information. The avatar profiles are searchable, and include micro formats.

Abstract: The invention discloses a device for identity authentication management comprising a client and a background. The client includes terminal unit and fingerprint sensor, which includes a collection and recognition device for collecting fingerprint information and a memory for storing fingerprint information and user information corresponding to the fingerprint information, and terminal unit is used for registering or recognizing the fingerprint information collected by the fingerprint sensors. The background includes an identity authentication server interconnecting with the terminal units and multiple application management areas interconnecting with identity authentication server and including application units and application information.

Abstract: Various techniques for providing a device token protocol for authorization and persistent authentication shared across applications are disclosed. In some embodiments, a device token protocol for authorization and persistent authentication shared across applications includes sending user credentials to a remote server to authenticate a user on a device for a plurality of applications; and receiving a device token from the remote server for the user to authenticate the user for the plurality of applications on the device, in which the device token facilitates authentication and authorization.

Abstract: A method performed by one or more processing devices, comprising: receiving a request for a quick response code associated with the hosted resource; generating a reference code that references information included in the request; and encoding the reference code into the requested quick response code; transmitting information indicative of the quick response code to the system hosting the resource; receiving a request for access to a resource, the request for access comprising a decoded version of the quick response code; determining that access is requested for the hosted resource; determining that a user who is requesting access to the hosted resource is permitted to access the hosted resource; responsive to determining that the user is permitted to access the hosted resource, transmitting a token for permitting the user to access the hosted resource; and transmitting a message specifying that the user is granted access to the hosted resource.

Abstract: The present invention extends to methods, systems, and computer program products for providing a cloud based password manager that automatically logs in users from any computer. The cloud based password manager does not require that the user install a local plug-in or other tool to perform automatic login. In this sense, unlike current password managers, the password manager of the present invention is completely cloud based. By simply using any browser or a dedicated app on any computer, the user can request a website and receive a copy of the website with the user logged in even if the user has never used the computer.

Abstract: Provided are method and apparatus for authenticating a password of a user terminal. The method includes: pre-setting, by a user, a password and an identification image for identifying the password; moving a keypad window or an image window realized on a screen of the user terminal according to an action of the user; determining, when a plurality of images included in the image window and a plurality of keys included in the keypad window sequentially overlap with each other, whether a plurality of keys and the identification image corresponding to the password sequentially overlap; and authenticating the password when the plurality of keys and the identification image corresponding to the password sequentially overlap. Accordingly, password information may be protected from a third person observation as the user inputs a pre-set password in an indirect method without having to directly input the pre-set password through an authentication interface.

Abstract: A method for execution in a communication device, which comprises receiving a first data set and a second data set over a first communication path; receiving a series of requests over local communication path different from the first communication path; responding to a first one of the requests by releasing a first response including the first data set over the local communication path; and responding to a second one of the requests by releasing a second response including the second data set over the second communication path.

Abstract: A system, method and computer program product for using delegation as a mechanism to manage business activity by taking on a shared identity. In some implementations, the system includes a user interface module for receiving input signals from and sending information to a user, a delegate authentication module and an identity translation module. The delegate authentication module is operable to determine that an individual user identity is authorized to act as a delegate for an organization having an identity on a network-based software application and generate a verification signal. The delegate authentication module is coupled to the user interface module to receive the input signals from the user. The identity translation module is operable to translate the input signals from the user to a format such that they appear to be from the identity of the organization.

Abstract: In one example, a controller device for a software defined network (SDN) includes one or more network interfaces configured to communicate with network devices of the SDN, and one or more processors configured to receive credentials from a client device in accordance with a public key infrastructure (PKI)-based authentication protocol, determine one or more policies that are applicable to the client device based on the received credentials, and program network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the client device.

Abstract: Securely providing secret information, such as PINs, to users via an encrypted electronic document is disclosed. The user might receive the encrypted electronic document as an attachment to an e-mail or might access the encrypted electronic document from a web site, as two examples. In order to open the encrypted electronic document, the user may need to provide some information that is on a physical banking card that was issued to the user. Therefore, an extra level of security is provided in that the user needs to be in possession of the physical banking card that may have been delivered by traditional mail, as well as the encrypted electronic document which is delivered via an electronic network.

Abstract: There is provided a provisioning device which provides, in advance, setting information necessary for joining in a wireless network to a first field device which is to newly join the wireless network to exchange data with an existing field device that is installed in a plant. The provisioning device includes: a storage unit that stores a white list which contains unique information of the first field device and the setting information such that the unique information and the setting information are correlated with each other; a device information acquiring unit that acquires the unique information from the first field device by wireless communication; an extracting unit that extracts, from the white list, the setting information that is correlated with the acquired unique information; and a setting unit that sends the extracted setting information to the first field device by wireless communication.

Abstract: A device receives an indication that a security code is to be generated; generates the security code based on the indication; generate a message that includes the security code and an identifier associated with a subscriber of the device; outputs the message using the first protocol; encodes the security code based on outputting the message; and outputs a request to access the service. The request is outputted using a second protocol, and includes the encoded security code and the identifier. The device receives a notification that indicates whether the subscriber is authenticated based on the identifier, the security code, and the encoded security code; and accesses the service when the notification indicates that the subscriber is authenticated.

Abstract: A. method is used in managing predictions in data security systems. An authentication request is received from an entity for access to a computerized resource. A predictor is determined based on context data for the authentication request and the entity. The authentication request is managed based on the predictor and the context data.

Abstract: A user may utilize a set of credentials to access, through a managed directory service, one or more services provided by a computing resource service provider. The managed directory service may be configured to identify one or more policies applicable to the user. These policies may define the level of access to the one or more services provided by the computing resource service provider. Based at least in part on these policies, the managed directory service may transmit a request to an identity management system to obtain a set of temporary credentials that may be used to enable the user to access the one or more services. Accordingly, the managed directory service may be configured to enable the user, based at least in part on the policies and the set of temporary credentials, to access an interface, which can be used to access the one or more services.

Abstract: A system and method for prevention of malware infections, the system comprising: a secured server configured to authenticate a user and issue an identifier (ID) uniquely associated with the user, to receive a user input and to send commands based on the received input; a protection module configured to validate transmissions from the secured server, to reconstruct commands based on the commands sent from the secured server, and send the reconstructed commands comprising the unique user ID and a rendering processor configured to receive the reconstructed command from the protection module, to execute the reconstructed command, to acquire data from another machine based on the reconstructed command and to generate an image to represent the acquired data, the image comprising a stamp relating the image to the unique ID, wherein the protection module is placed in a transmission channel connecting between the secured server and the rendering processor.

Abstract: A password input device comprises a storage unit for storing character strings according to each icon; an input window generation unit for generating and displaying an input window on which a plurality of icons are arranged; a secret icon recognition unit which confirms a shift coordinate value and recognizes icons, which are arranged on coordinates inversely moved up to the shift coordinate value from a coordinate value at which a selected icon is arranged, as secret icons selected by the user if the user selects the icon; and an authentication processing unit which confirms a character string corresponding to each secret icon recognized in the secret icon recognition unit, generates a combined character string in which the one or more confirmed character strings are arranged, and authenticates the user by confirming whether the generated combined character string is consistent with the user's password stored in the storage unit.

Abstract: A method for use in a simplified login system, involving operating a computer to identify user name, password and submit fields on a remote website. The method comprises identifying a password field on a webpage, defining a first area around the password field for a user name field and a second area around the password field for a submit field, locating a field for user text entry in the first area and locating a field for a user click entry in the second field. There is also described a computer programmed to carry out the method, a data carrier containing program data by which a computer may be programmed to carry out the method, and a secure password storage and login system comprising a central server and a number of user computers, and which operates using the method.

Abstract: This disclosure relates generally to authentication for an electronic device, and more particularly to systems and method for authentication based on user preferences. In one embodiment, an authentication method is disclosed, comprising: receiving, at the electronic device, a first input; determining a password theme based on the first input and user preferences associated with the password theme; displaying the password theme, the displayed password theme comprising a plurality of visual cues; receiving, at the electronic device, a second input comprising a sequence of visual cues selected from the visual cues; verifying the sequence of visual cues; and providing access to the electronic device based on the verification.

Abstract: Embodiments are directed towards communicating using a mobile device that performs actions including. A mobile device may be provisioned with an access point such that a provisioning key and a provisioning token for each of the provisioned access points may be stored on the mobile device. The mobile device may be determined to be in the presence of a provisioned access point based on the provisioning key and an advertising nonce. The advertising nonce may be encrypted with the provisioning key. A communication channel between the mobile device and the access point may be established based on a session nonce, the advertising nonce, and the provisioning key. A session key may be generated based in part on the advertising nonce and a message counter. And, encrypted message packets that include a message and a message authentication tag may be communicated to the access point.

Abstract: An application to be installed is acquired. Security policy geographic information, which is geographic information of an application's target distribution area where a user permits installation, is acquired from security policy that defines processing regarding the application. Application geographic information, which is geographic information of an application's target distribution area, is acquired from the acquired application. Based on a comparison result of comparing the security policy geographic information with the application geographic information, whether or not to permit installation of the acquired application is determined.

Abstract: Set forth herein are systems, methods, and non-transitory computer-readable storage media for processing media requests in a secure way. A server configured to practice the method receives, from a media player client, a request for media content. The server requests a playback token from a playback service associated with the media content and generates a tag containing the playback token. Then the server transmits to the media player client a response to the request for media content based on the tag, wherein the media player client retrieves the media content by presenting the playback token to the playback service. The media player client can be an embedded media player or other player in a web browser. The server and the playback service can operate based on a common, pre-shared feed token. Other playback client and playback service embodiments exist.

Abstract: A three-way trust relationship is established between a mobile device, Internet-connected vehicle system, and a cloud-based service. Access rights are granted to the mobile device from the vehicle system, such that the mobile device can securely connect to, and obtain status information and/or control the Internet-connected vehicle system, through the cloud-based service.

Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.

Abstract: Techniques for dynamic generation and management of password dictionaries are presented. Passwords are parsed for recognizable terms. The terms are housed in dictionaries or databases. Statistics associated with the terms are maintained and managed. The statistics are used to provide strength values to the passwords and determine when passwords are acceptable and unacceptable.

Abstract: Systems, methods, and instrumentalities are disclosed that allow a user to initiate migration of a credential from one domain to another domain. A request to initiate a migration of credentials from a first domain to a second domain may be initiated by a user (1a.). A remote owner may receive a message indicating that the migration has been requested. The message received by the remote owner may be an indication that the source and destination devices have performed internal checks and determined that a migration could proceed. The remote owner may evaluate source information received from the source device and destination information received from the destination device (6), (6a.), (6b.). Based on the evaluation of the source information and the destination information, the remote owner may determine that the migration is acceptable. The remote owner may send an indication to proceed with the migration (7), (7a).

Abstract: A Virtual Single Account (VSA) system and method that provides a mobile user with automatic authentication and connection to a remote network via local access networks with a single password, where the local access networks may be independent of the remote network. A mobile user has a single authentication credential for one VSA that is utilized by a VSA client installed on a mobile computing device. The VSA client provides for automatically authenticating and connecting the user's mobile device to a current local access network, and the target remote network such as the user's office network. All authentication credentials are encrypted using a key generated from the user's VSA password that is generated from the user's single password. The VSA client derives the key from the submitted VSA password and decrypts all authentication credentials that are required in order to connect the mobile device to the current local access network and thereafter to the office network.