Abstract: Techniques for improving data security and access control at the distributed execution level of distributed computing systems are provided. The techniques can include receiving a data access request from a data processing application to access data, directing the data access request to a security data application, modifying the data access request, executing the modified data access request to obtain data that is responsive to the modified data access request, and providing the obtained data to the data processing application.

Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a create indication to create a guest credential representing a guest badge associated with a visitor and receive a claim indication from an authentication device to claim the guest credential. The processor is configured to provide the guest credential to the authentication device in response to the claim indication, provide a proof request to the authentication device, receive a proof response from the authentication device, validate the proof response, determine a visitor tracking system associated with a request from the authentication device to authenticate entry, and provide a check-in indication to the visitor tracking system that the visitor has checked in.

Abstract: Some embodiments provide a method for an electronic device. The method stores user data associated with a web-based third party service based on user interaction with a web domain for the third party service through a web browser. The method receives a request from a service-specific application to utilize the user data stored for the third party service. The method provides the user data to the application only when the application is verified by the web domain for receiving user data associated with the third party service.

Abstract: One or more medical devices are configured to connect to a predetermined temporary provisioning network of a healthcare organization, the temporary provisioning network being different than a healthcare network of the healthcare organization. After the devices are received by the healthcare organization, and powered up for the first time, device identifiers corresponding to the medical devices are received at a server remote from the healthcare organization, from the temporary provisioning network, together with an indication that the medical devices are requesting access to a management server within a healthcare network of the healthcare organization.

Abstract: A user verification method and apparatus using a generalized user model is disclosed, where the user verification method includes generating a feature vector corresponding to a user based on input data corresponding to the user, determining a first parameter indicating a similarity between the feature vector and an enrolled feature vector enrolled for user verification, determining a second parameter indicating a similarity between the feature vector and a user model corresponding to generalized users, and verifying the user based on the first parameter and the second parameter.

Abstract: Systems and methods are provided for assessing an account takeover risk for one or more accounts of an individual. The account security procedures for each of a number of services with which the user has an account may be analyzed. Publicly accessible information regarding the user may also be collected and analyzed. The collected information and security procedures may be compared in order to determine one or more vulnerabilities to hostile account takeover of one or more of the analyzed accounts. An alert may be generated regarding a determined takeover risk, which may include suggested actions for remedying the risk.

Abstract: One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

Abstract: Embodiments described herein disclose methods and systems for authorizing transactions received from client applications. The transaction request can include a first access token. After validating the first access token, the system can determine whether additional authentication is needed to authorize the transaction. If additional authentication is needed, the system can determine the authentication requirements. Once the additional authentication is received and verified, the system can generate a second access token and authorize the transaction by releasing the first access token.

Abstract: A same wireless access profile is installed on each of multiple mobile communication devices. The wireless access profile includes outer identity information and anonymous inner identity information for each service. The anonymous inner identity information includes a credential used by each of the multiple mobile communication devices to use the service. To use the service such as access a remote network, a respective mobile communication device communicates an anonymous username and password assigned to the service to a policy server during first level authentication. The policy server stores a network address of the authenticated mobile communication device. During second level authentication, the policy server receives an identity of the mobile communication device from a network gateway. The policy server provides access control information (assigned to the service) to the network gateway.

Abstract: A method for processing a trust-based transaction via a blockchain includes: receiving data associated with a proposed trust-based transaction including at least a transaction amount, payment data, and a broker identifier; processing payment for the transaction amount using the payment data; identifying a blockchain address associated with a broker corresponding to the broker identifier; generating a digital token, wherein the digital token is unique to the proposed trust-based transaction; electronically transmitting the generated digital token to a first computing device; and electronically transmitting at least the transaction amount, blockchain address, and at least one of: the generated digital token and data used to generate the generated digital token to a node associated with a blockchain network.

Abstract: Embodiments herein describe using visual passwords to control access to secure information. When a user attempts to access the secure information, she can provide her username to an authentication agent which identifies the visual password corresponding to the received username and selects a first set of images that contains the visual password and a second set of images that does not. The first and second sets of images are then transmitted to a user device. The user device can display the first and second sets of images to the user who selects which images have the visual password. An indication of which images the user selected is then transmitted to the authentication engine which determines whether the user selected all the images in the first set and none of the images in the second set. If so, the user is granted access to the secure information.

Abstract: Methods and systems for verifying a user's identity on a computing device using two-factor authentication are described. More particularly, the system can use a personal identification number input by a user, together with one or more of a secure browsing feature, a device fingerprint, and a token generator to authenticate the user on the computer.

Abstract: Systems and methods are provided for providing, by a user equipment, a short message service (SMS) message to initiate Wi-Fi onboarding to a mobile network, receiving, by the user equipment, a binary SMS message including a request for a certificate signing request by a server, generating, by the user equipment, the certificate signing request based on the request for the certificate signing request of the binary SMS message, providing, by the user equipment, the certificate signing request to the mobile network, and receiving, by the user equipment, a binary SMS message including Wi-Fi login data based on the certificate signing request provided to the mobile network.

Abstract: Methods and systems are disclosed for enabling the creation of substitute low-value token creation, comprising providing software content to a content delivery network wherein, when transmitted to a user browser, the software content is configured to enable the user browser to create a substitute low-value token if a token service is unavailable, wherein the content delivery network is configured to provide the software content to at least one user browser, and receiving the substitute low-value token from a merchant system, the substitute low-value token having been generated by the user browser in response to the user browser being unable to obtain a low-value token from the token service.

Abstract: An authentication system includes an authenticator that receives an authentication request from a device and receives sensor data from one or more sensors, the sensor data being indicative of interaction with one or more real world objects or with a displayed authentication image. The authenticator determines that the sensor data is indicative of an authorized interaction with the one or more real world objects or with the displayed authentication image and, in response to the determination, grants the authentication request.

Abstract: A method includes: processing a request to execute a transaction of a virtual asset of a video game; responsive to the request, accessing a blockchain to perform an anti-fraud verification, including analyzing data of a prior transaction involving the virtual asset; responsive to the anti-fraud verification providing a result that does not indicate fraudulent activity, then generating transaction data based on an identifier for the first user account, an identifier for the second user account, an identifier for the virtual asset, and state data of the virtual asset, and submitting the transaction data to a node network, to write the transaction data to a block of the blockchain; receiving confirmation of the writing of the transaction data; responsive to receiving the confirmation, then updating a registry of virtual assets to transfer ownership of the virtual asset from the first user account to the second user account.

Abstract: Systems and methods are disclosed for securing a network, for admitting new nodes into an existing network, and/or for securely forming a new network. As a non-limiting example, an existing node may be triggered by a user, in response to which the existing node communicates with a network coordinator node. Thereafter, if a new node attempts to enter the network, and also for example has been triggered by a user, the network coordinator may determine, based at least in part on parameters within the new node and the network coordinator, whether the new node can enter the network.

Abstract: In an embodiment, a method of blockchain-enhanced proof of identity (POI) includes receiving identity information of a user in connection with a POI request. The method also includes generating a first cryptographic hash using at least a portion of the identity information and storing the first cryptographic hash on a public blockchain in a first blockchain transaction. The method also includes establishing a request identifier based on the first blockchain transaction. The method also includes receiving a digital image that depicts the user together with a POI document, the digital image including the request identifier. The method also includes creating a POI digital document comprising at least a portion of the digital image. The method also includes generating a second cryptographic hash using at least a portion of the POI digital document and storing the second cryptographic hash on the public blockchain in a second blockchain transaction.

Abstract: A security control method and a computer system are provided. A first domain and a second domain are deployed in the computer system, the second domain is more secure than the first domain, a program is deployed in the first domain, and a control flow management module and an audit module are deployed in the second domain. The second domain is more secure than the first domain. When the program in the first domain is executed, the control flow management module obtains control flow information by using a tracer. The audit module audits the to-be-audited information according to an audit rule, and when the to-be-audited information matches the audit rule, determines that the audit succeeds and then allows the first domain to perform a subsequent operation, for example, to access a secure program in the second domain.

Abstract: A method for data processing that includes receiving an indication of a configuration for a first action of a communication process flow that controls electronic communications between a tenant of a multi-tenant system and a first set of users associated with the tenant. The method further includes associating, within a storage location associated with the tenant, a unique identifier with metadata that defines the configuration. The method further includes receiving a request to apply the configuration to a second action of a communication process flow that controls electronic communications between the tenant and a second set of users associated with the tenant. The request may indicate the unique identifier associated with the metadata. The method further includes retrieving the metadata from the storage location using the unique identifier indicated by the request. The method further includes applying the configuration to the second action using the retrieved metadata.

Abstract: Trigger based analytics database synchronization is described. In one example case, a trigger is invoked based on an operation issued for a record in a transactional database. According to the trigger, one or more data values for synchronization from the transactional database to an analytics database are determined. A message including the data values is formed and added to a message queue through a message infrastructure service including a message broker. In turn, the values from the message are stored in a suitable memory space, such as a staging table, for forwarding to an analytics computing system. Using the trigger and the message infrastructure service, execution of the transactional database operation can be detached in execution from the addition of the value to the staging table and synchronization with the analytics computing system.

Abstract: A communication control device includes: a processor configured to: acquire identification information of a communication terminal from the communication terminal that is authenticated by communication via a wide area communication network; and when the identification information is included in a storage storing an information set in which associated are (i) the identification information of the communication terminal and (ii) specific connection unit information indicating a specific connection unit that is predetermined for the communication terminal in a narrow area communication network different from the wide area communication network, perform control such that the communication terminal is connected to the specific connection unit as a connection destination of the communication terminal, based on the specific connection unit information of the information set including the acquired identification information.

Abstract: Plurality of users share a common key while permitting change of members sharing the common key and computational complexity required for key exchange is reduced. Ri and ci are computed based on a twisted pseudo-random function in a first key generation step. sid is generated based on a target-collision resistant hash function and (sid, R?, R?) is transmitted to communication devices Ui in a session ID generation step. T1 and T? are computed based on a pseudo-random function in a representative second key generation step. Tj is computed based on the pseudo-random function in a general second key generation step. k? is computed based on the twisted pseudo-random function and T?j is computed with respect to each j in a third key generation step. K1l and k1 are computed in a first session key generation step. A common key K2 is generated based on the pseudo-random function in a second session key generation step.

Abstract: Methods, systems, and storage media for multi-cloud data connections for white-labeled platforms are disclosed. Exemplary implementations may: receive an indication of a plurality of applications to be accessed; receive authentication information for the plurality of applications; establish a plurality of data connections to the plurality of applications, if authenticated with the authentication information; receive application data received from the plurality of data connections; normalize the application data to provide normalized data; generate a customizable feed with display parameters and displaying the normalized data according to the display parameters; and generate a visualization dashboard with visualization parameters and displaying the normalized data according to the visualization parameters.

Abstract: Methods and systems for secure authentication in an extended reality (XR) environment are described herein. An XR environment may be output by a computing device and for display on a device configured to be worn by a user. A first plurality of images may be determined via the XR environment. The first plurality of images may be determined based on a user looking at a plurality of objects, real or virtual, in the XR environment. The first plurality of images may be sent to a server, and the server may return a second plurality of images. A public key and private key may be determined based on different portions of each of the second plurality of images. The public key may be sent to the server to register and/or authenticate subsequent communications between the computing device and the server.

Abstract: A method includes linking a first application with a first Transport Layer Security (TLS) library, linking a second application with a second TLS library, obtaining a sequence of cryptographic keys by a first agent, the sequence of cryptographic keys based on an agent key and provided from the first agent to the first TLS library, obtaining the sequence of cryptographic keys by a second agent, the sequence of cryptographic keys based on the agent key and provided from the second agent to the second TLS library, establishing communication between the first TLS library and the first agent to create a first trusted relationship, establishing communication between the second TLS library and the second agent to create a second trusted relationship, and establishing a third trusted relationship between the first agent and the second agent.

Abstract: The present disclosure relates to a communication method and system for converging a 5th-Generation (5G) communication system for supporting higher data rates beyond a 4th-Generation (4G) system with a technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the 5G communication technology and the IoT-related technology, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. The present invention relates to an authentication method applied to a next generation 5G communication system and an apparatus for performing same, network slices, a method for managing the network slices, and an apparatus for performing the same.

Abstract: Various embodiments are generally directed to an apparatus, method and other techniques to determine a secure memory region for a transaction, the secure memory region associated with a security association context to perform one or more of an encryption/decryption operation and an authentication operation for the transaction, perform one or more of the encryption/decryption operation and the authentication operation for the transaction based on the security association context, and cause communication of the transaction.

Abstract: A method for operating an Internet of Things (IoT) system includes obtaining, by a device registration tool, identification information of a first IoT module, obtaining, by the device registration tool, identification information of a device with the first IoT module mounted thereon, and registering, by the device registration tool, the identification information of the first IoT module and the identification information of the device in a database accessible by an IoT network.

Abstract: Methods, apparatuses, and computer program products for edge device assisted mitigation of publish-subscribe denial of service (DoS) attacks are disclosed. An edge device hosts a virtualized copy of an Internet-of-Things (IoT) device subscribed to one or more publish-subscribe topics. When the edge device receives an indication to activate the virtualized copy of the IoT device, for example, during a DoS attack on the IoT device, the edge device activates the virtualized copy of the IoT device, which receives traffic from the publish-subscribe topic. The virtualized copy of the IoT device applies security policies to incoming traffic received from the subscription topics and transmits to the IoT device sanitized traffic obtained from the received incoming subscription content traffic.

Abstract: A display apparatus includes an optical module, a display panel and a display panel driver. The display panel is disposed on the optical module. The display panel driver is configured to drive the display panel. The display panel includes a first display area including at least a portion overlapping with the optical module and a second display area not overlapping with the optical module in a plan view. The first display area includes pixels having a first pixel structure. The second display area includes pixels having a second pixel structure different from the first pixel structure.

Abstract: Embodiments described herein provide for system and methods to crowdsource the location of wireless devices and accessories that lack a connection to a wide area network. One embodiment provides for a data processing system configured to perform operations comprising loading a user interface on an electronic device, the user interface to enable the determination of a location of a wireless accessory that is associated with the electronic device, generating a set of public keys included within a signal broadcast by the wireless accessory, the signal broadcast during a first period, sending the set of public keys to a server with a request to return data that corresponds with a public key in the set of public keys, decrypting the location data using a private key associated with the public key, and processing the location data to determine a probable location for the wireless accessory.

Abstract: Techniques for managing secure login with authentication while viewing a unique code are described. In some examples, a requesting device displays a visual representation of data. An authenticating device detects the presence of the visual representation of data. The authenticating device prompts a user to provide authorization information at the authenticating device. The authenticating device receives a set of one or more inputs. The authenticating device transmits information authorizing access to content on the requesting device.

Abstract: A telecommunications network server system provides a digital identifier to a user device. The digital identifier may include identification data corresponding to a user of the user device. In addition, the telecommunications network server system receives, from one or more third-party systems, requests to authenticate the user for an electronic transaction with the respective third-party system. The telecommunications network server system provides a unique electronic transaction code to each third-party system. Responsive to receiving from the user device one of the unique electronic transaction codes, the telecommunications network server system provides, to the respective third-party system, authentication of the user.

Abstract: A system for credential authentication comprises an interface configured to receive a create indication to create a badge credential representing an employee badge and receive a claim indication from an authentication device to claim the badge credential, and a processor configured to provide the badge credential to the authentication device in response to the claim indication, receive a proof response from the authentication device comprising the badge credential and a lock identifier, validate the proof response using a distributed ledger, and provide a token for unlocking a lock associated with the lock identifier to the authentication device.

Abstract: A multitenant infrastructure server (MTIS) is configured to provide an environment to execute a computer routine of an arbitrary application. The MTIS receives a request from a webtask server to execute the computer routine in a webtask container. The computer routine is executed in the webtask container at the MTIS. Upon successful execution of the computer routine, a result set is returned to the webtask server. If the execution of the computer routine is unsuccessful, an error notification is returned to the webtask server. The resources consumed during the execution of the computer routine are determined. The webtask container is destroyed to prevent persistent storage of the computer routine on the MTIS.

Abstract: Systems and methods for managing requests to implement account related actions based on biometric data are disclosed herein. According to an aspect, a system includes a first computing device comprising a user account manager configured to manage an account of a user. The user account manager is also configured to receive a request to implement an action associated with the account. Further, the user account manager is configured to receive, from a second computing device of the user, biometric data associated with the user. The user account manager is also configured to manage the request to implement the action based on the received biometric data.

Abstract: Described herein is a data security system for enabling tokenized access to sensitive data, including a token provider configured to initiate a secure connection with a remote client computing device of a first data subject, and receive, from the remote client computing device, a request for an access token to provide a service provider with access to sensitive data associated with the first data subject. The request includes a data definition and authorization parameters. The token provider is also configured to generate the access token that enables access to the sensitive data, store the access token in a token database, and transmit, to the remote client computing device, a response including the access token and instructions that enable the remote computing device to display the access token to the first data subject or transmit the access token to the service provider.

Abstract: A lighting device according to an embodiment of the present invention comprises: a light source unit; a first communication unit for receiving library data from a mobile terminal; a storage unit for storing the library data; a second communication unit for receiving a control message indicating an execution command of a library corresponding to the library data from a control device; and a processor for controlling the light source unit such that the library is executed according to the control message, wherein the processor can control operation timing of the light source unit by sequentially receiving the control message at least a predetermined number of times at the initiation of the execution of the library.

Abstract: A method for pervasive resource identification includes receiving an authentication request from a first application service. The authentication request requests authentication of a user of a user device. The method includes obtaining device information associated with the user device of the user and generating a unique opaque identifier for the user device based on the device information. The method includes obtaining authentication credentials from the user device. The authentication credentials verify an identity of the user. In response to receiving the authentication credentials from the user device, the method includes generating an authentication token and encoding the unique opaque identifier into the authentication token. The method also includes transmitting the authentication token to the first application service.

Abstract: Embodiments described herein provide for system and methods to crowdsource the location of wireless devices and accessories that lack a connection to a wide area network. One embodiment provides for a data processing system configured to perform operations comprising loading a user interface on an electronic device, the user interface to enable the determination of a location of a wireless accessory that is associated with the electronic device, generating a set of public keys included within a signal broadcast by the wireless accessory, the signal broadcast during a first period, sending the set of public keys to a server with a request to return data that corresponds with a public key in the set of public keys, decrypting the location data using a private key associated with the public key, and processing the location data to determine a probable location for the wireless accessory.

Abstract: The present disclosure generally relates to methods for providing an upgrade option for accessing an account on a service. In some embodiments, the method is performed at a computer system that is in communication with a display generation component and one or more input devices, and includes displaying a user interface that includes information associated with a service provided by a first entity, receiving a first user input, and in response to receiving the first user input, displaying a first selectable user interface object corresponding to an upgrade option. Enabling the upgrade option causes login requests corresponding to requests to log in to the service using an access account to be authenticated by a second entity different from the first entity.

Abstract: The present disclosure relates to a terminal device, a method and apparatus for unlocking a screen of the terminal device. The terminal device comprises a touch and display chip; the method is used on the touch and display chip and comprises: when the terminal device is in a dormant state, displaying a screen unlocking interface on the screen if touch information is detected on the screen; acquiring unlocking information for unlocking the screen via the screen unlocking interface; and unlocking the screen when the unlocking information is consistent with corresponding verification information. The terminal device, the method and apparatus for unlocking the screen of the terminal device according to the present disclosure greatly reduce the power consumption of the terminal device, and save battery power. Furthermore, the touch and display chip enables user verification during unlocking process to be securer.

Abstract: A system is provided for increasing authentication complexity for access to online systems. In particular, the system may use a hidden or obscured method for creating and enforcing a multi-factor authentication scheme. In this regard, the system may introduce authentication logic to a particular application in the network environment such that one or more “invalid” login credentials are generated by a local agent using a pre-shared key and/or algorithm. A back-end authentication system may be calculate its own set of “invalid” login credentials based on the same pre-shared key and/or algorithm, then subsequently compare the calculated incorrect credentials with the incorrect login credentials received from the local agent. If a match is detected, the system may permit a valid set of authentication credentials to be provided to authorize access to the target application and/or online system.

Abstract: Systems, methods, and non-transitory computer-readable media can determine a first dataset provided by a first party, wherein the first dataset includes a set of vectors that are each associated with a user identifier. A second dataset provided by a second party can be determined, wherein the second dataset includes a set of vectors that are each associated with a user identifier. One or more vectors in the first dataset can be matched to vectors in the second dataset based on a secure multi-party computation without revealing respective graph information of the first party or the second party. Respective mappings between vectors in the first dataset to a set of shared universal identifiers can be provided to the first party. Respective mappings between vectors in the second dataset to the set of shared universal identifiers can be provided to the second party.

Abstract: Methods and systems for performing a partial pass-through transfer are described. In an aspect, a method includes: receiving, from a first computing system, pass-through transfer definition data to be associated with a first logical storage area, the pass-through transfer definition data including a trigger condition for a pass-through transfer and an apportionment value for the pass-through transfer; storing a representation of the pass-through transfer definition data in association with the first logical storage area; detecting a first data transfer to the first logical storage area, the first data transfer representing a transfer of a resource; determining that the first data transfer satisfies the trigger condition; and in response to determining that the first data transfer satisfies the trigger condition: identifying a portion of the resource based on the apportionment value; and initiating a second data transfer.

Abstract: A system for entering a secure Personal Identification Number (PIN) into a mobile computing device includes a mobile computing device and a peripheral device that are connected via a data communication link. The mobile computing device includes a mobile application and a display and the mobile application runs on the mobile computing device and displays a grid on the mobile computing device display. The peripheral device includes a display and an encryption engine, and the peripheral device display displays a grid corresponding to the grid displayed on the mobile computing device display. Positional inputs on the mobile computing device grid are sent to the peripheral device and the peripheral device decodes the positional inputs into PIN digits and generates an encrypted PIN and then sends the encrypted PIN back to the mobile computing device.

Abstract: An input device configured for multi-factor authentication. The input device includes a plurality of sensor electrodes, one or more light sources, and an authentication component. The plurality of sensor electrodes is configured for capacitive sensing in a sensing region of the input device. The one or more light sources are configured to illuminate at least a portion of the sensing region of the input device. The authentication component is configured to receive a first authentication input via a first authentication device, determine whether the first authentication input matches a first credential of an authorized user, and selectively activate the one or more light sources based at least in part on whether the first authentication input matches the first credential of an authorized user.

Abstract: Methods and systems for creating a verifiable digital identity are provided. The method includes obtaining a first user-generated item comprising an identifiable feature. The method also includes digitally signing the first user-generated item to generate a secure digital artifact. The method also includes uploading the secure digital artifact and the first user-generated item to an auditable chain of a public ledger. The method also includes verifying a digital identity of the user by auditing the auditable chain. The method also includes obtaining a second user-generated item generated comprising the identifiable feature. The method also includes comparing the first and second user-generated items. The method also includes uploading the second user-generated item to the public ledger when the comparing is within a threshold.

Abstract: A network-accessible service provides an enterprise with a view of all identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. The service enables an enterprise to model all activity and relationships across cloud vendors, accounts and third party stores. Display views of this information preferably can pivot on cloud provider, country, cloud accounts, application or data store. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. User reports may be generated showing all privileges and data to which a particular identity has access. Similarly, data reports shown all entities having access to an asset can be generated.