Abstract: An authentication includes a unit that issues right transfer information that is to be transmitted to a service providing device and a token that corresponds to the right transfer information and is to be transmitted to a service proxy access device on a basis of information about a user to whom a right is transferred and a condition under which the right is transferred, a unit that provides the token to the service proxy access device, and a unit that receives from the service providing device the token transferred from the service proxy access device and transmits to the service providing device the right transfer information that corresponds to the token and is kept by the authentication device.

Abstract: The present invention discloses a multi-account login method and apparatus. Herein, the multi-account login method comprises: opening a temporary webpage window in a browser according to a multi-account login instruction; creating a Cookie for the temporary webpage window, wherein the Cookie is independent of a global Cookie of the browser; and performing multi-account login by using the temporary webpage window. By means of this application, it is convenient for a multi-account user to use a browser, thereby improving the use experience of the multi-account user in using the browser.

Abstract: Leveraging a persistent connection to provide a client access to a secured service may include establishing a persistent connection with a client in response to a first request from the client, and brokering a connection between the client and a secured service based on a second request from the client by leveraging the persistent connection with the client. The brokering may occur before the client attempts to connect to the secured service directly and the connection may be established between the client and the secured service without provision by the client of authentication information duplicative or additional to authentication information provided by the client to establish the persistent connection.

Abstract: An authentication method and system oriented to a heterogeneous network are disclosed. After receiving a service request sent by a virtual terminal, a unified authentication platform generates a service token according to the service request, and sends the service token to the virtual terminal and a target network; the virtual terminal submits the service token to the target network, and requests the target network to provide service data; and the target network compares the service token submitted by the virtual terminal with the service token sent to the target network by the unified authentication platform, and provides the service data to the virtual terminal when the service token submitted by the virtual terminal is consistent with the service token sent to the target network by the unified authentication platform.

Abstract: Embodiments of the invention provide systems and methods for the storage of One-Time Passwords (OTPs) on a device (principal) that needs to authenticate from time to time. It utilizes recent availability of data storage capacity not previously exploited in this arena. Also disclosed is the means to initialize and modify the system (all principals) in a secure manner, and the means to store the OTP production means on a device in a secure manner, even if the device has no built-in protected storage.

Abstract: Technologies are generally described for a remote displaying scheme configured to transmit display data stored in a source device to a target device for displaying the display data on the screen of the target device. In some examples, a method performed under control of a source device may include broadcasting to one or more target devices request information that comprises a request for displaying display data, obtaining permission information generated by a target device of the one or more target devices, the permission information based, at least in part, on the request information, transmitting to the target device an acknowledgement that a communication channel between the source device and the target device is established, the acknowledgement based, at least in part, on the permission information and transmitting to the target device the display data based, at least in part, on the permission information.

Abstract: A method and system for controlling the execution of a function protected by authentication of a user and which is provided for example for the access to a resource. The method includes inputting, by the user, of personal data using an input device, authenticating the user with the input personal data for authorizing or not authorizing the execution of the function; in a secure card connected to the input device, storing limited validity authentication data dependant on the input data; when the card is connected to a processing device by which the user generates a message whose processing implements the function, using the stored data, taking into account the limited validity, to authorize or not authorize the execution of that function.

Abstract: Techniques for providing access to data in dynamic shared accounts are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for providing data in dynamic shared accounts. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify a first user associated with an account, identify a second user to have access to the account associated with the first user in the event the first user is unavailable to access data or perform functions associated with the account, map the second user to the account, and provide the second user access to the account based on the mapping and with access privileges associated with the first user.

Abstract: An over-the-air (OTA) bootstrap method and system are described, including: when a connection between a user-registered terminal device and a device management (DM) server is finished, the terminal device sends a bootstrap confirmation message to a service center corresponding to port information of a valid service center pre-stored in the terminal device; the service center analyzes the bootstrap confirmation message to determine a device ID of the terminal device, connects with a DM server authorized by the service center, and searches for an OTA bootstrap record corresponding to the device ID in a database of the authorized DM server; if the service center fails to find the corresponding OTA bootstrap record in the database of the authorized DM server, the service center notifies the user that the terminal device has performed an OTA bootstrap with an unauthorized DM server. The present invention can improve the security of the OTA bootstrap.

Abstract: A security system for a computer network that has a plurality of devices connected thereto comprises a security subsystem, a master system and a secure link. The security subsystem is implemented on a first computer and is connected to at least some of the devices in the network. The security subsystem is configured to monitor activities of the at least some devices on the network and detect attacks on the at least some devices. The master system is implemented on a second computer which is different from the first computer. The master system monitors the integrity of the security subsystem and registers information pertaining to attacks detected by the security subsystem. The secure link is connected between the security subsystem and the master system. The master system monitors the integrity of the security subsystem and receives the information pertaining to the attacks through the secure link.

Abstract: Various methods and systems are provided for allowing a user to select a non-numeric PIN or password and use that to access content instead of a conventional numerical PIN. A series of visual, textual, and/or audio “digits” form the PIN, where each succeeding digit may be related to and/or further limit one or more of the preceding digits.

Abstract: A networking system comprising a virtual group controller in an information centric network configured to enable mobility and security for a plurality of users groups of the information centric network, a plurality of user groups coupled to the virtual group controller and associated with the users, a plurality of agents that are each associated with one of the user groups, and a database for trusted service profile coupled to the virtual group controller, wherein the virtual group controller is configured to interact with the agents to enable mobility for the user groups using a server-less domain-based naming scheme.

Abstract: An apparatus and method for a multi-tier wireless home mesh network is described. The method may include formation of an infrastructure-less wireless home mesh networking environment comprising a collection of nodes that operate as a decentralized, ad hoc wireless network with multiple sub-networks or tiers that, are responsible for different functions within the network. Each node of the multi-tier network is configured to forward data to other nodes and is assigned to a particular tier based on the node's performance capabilities. A further embodiment includes identification of a wireless home mesh network. Once identified, one or more proprietary messages may be exchanged in a secure manner to establish connections with a home electronics device as either a mobile node or a stationary node of the home network. A home electronics device may wirelessly communicate to route data within one or more nodes of the wireless home mesh network. Other embodiments are described and claimed.

Abstract: One embodiment of a method of integrating software applications includes customizing properties of an InfoVista application to accept a format of login strings provided by a SiteMinder application; modifying authentication information in properties of the InfoVista application to match authentication information that is to be sent from the SiteMinder application; and customizing the SiteMinder application to pass authentication information needed by the InfoVista application for login of a user into the InfoVista application using a single sign-on interface provided by the SiteMinder application. Other methods and systems are also provided.

Abstract: An authentication component to authenticate users can generate a unique identification for a user based on device characteristics, operating characteristics, and the like. The authentication component can provide authentication of a user to applications. Applications can provide a user with personalized content based on the authentication.

Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

Abstract: A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key.

Abstract: Systems and methods for providing services are disclosed. One aspect comprises authenticating a user associated with a first service, receiving a selection of a second service, generating an opaque identifier associated with the user and the first service, wherein the opaque identifier facilitates the anonymous collection of data relating to the second service. Another aspect can comprise transmitting the opaque identifier to the second service, and receiving data relating to the second service.

Abstract: An authentication technique involves receiving an authentication request which includes a set of authentication factors and performing, in response to the authentication request, an authentication operation based on a set of authentication factors. An authentication result of the authentication operation identifies a particular trust category among a set of trust categories. Each trust category of the set defines a unique set of user permissions. The technique further involves providing the authentication result for use by a web application. The particular trust category identified by the authentication result defines a particular set of user permissions to be imposed by the web application. For example, the trust categories may take the form of trust levels such as Low, Med, and High which control access to certain resources.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce.

Abstract: Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server.

Abstract: A mechanism for securely transmitting credentials to instantiated virtual machines is provided. A central server is used to turn on a virtual machine. When the virtual machine is turned on, the central server sends it a secret text string. The virtual machine requests the credentials from the central server by transmitting the secret string and its instance ID. The central server validates the secret string and source IP to determine whether they are authentic. Once verified, the central server transmits the credentials to the virtual machine in a secure channel and invalidates the secret string. The credentials can now be used to authenticate API calls.

Abstract: Resetting a password for a network service account may include redirecting the user to a password reset tool, wherein the user is blocked from network access other than the password reset tool while being redirected. After redirecting the user to the password reset tool, user entry of verification information may be accepted, and the verification information from the user may be compared with known verification information for the user. User entry of a new password may be accepted if the verification information accepted from the user matches the known verification information for the user; and the new password may be stored as the known password for the user. Related systems and computer-program products are also discussed.

Abstract: An authentication information management program of an authentication information management apparatus allowing the authentication information management apparatus to execute: changing the first authentication information in correspondence information which is information including the first authentication information and second authentication information in association with each other and stored in a storage section of the authentication information management apparatus; transmitting the authentication apparatus of the changed first authentication information; determining, in response to a request from the apparatus to be authenticated, whether the second authentication information in the authentication request coincides with the second authentication information in the correspondence information; and returning, in the case where it is determined that the second authentication information in the authentication request coincides with the second authentication information in the correspondence information, the

Abstract: A method in one embodiment includes authenticating a first agent to an on board unit (OBU) of a vehicle if the first agent validates a first set of one or more authentication requirements and identifying a first identity profile corresponding to the first agent. The method also includes determining a role of the first agent in the vehicle and configuring the vehicle with the first identity profile, where the vehicle is configured based, at least in part, on the role of the first agent. In this embodiment, the first identity profile is one of a plurality of identity profiles provisioned on the OBU. In specific embodiments, each one of a plurality of agents corresponds to a respective one of the plurality of identity profiles, and includes one or more of a human agent, a machine device, a software agent, an authorized entity, and a mobile device.

Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).

Abstract: In some embodiments, a user has use a single universal text—or image-based secret for generating a service-provider specific identity credential, for example username plus password, for authentication is derived. A human (i.e., the user) must interpret an image to enter this universal text (or image) based secret. For example, an image based challenge is presented to the user, and a credential is obtained based on the user's response to the challenge.

Abstract: Managing validity status of at least one associated credential includes providing a credential manager that selectively validates associated credentials for at least one device, the device invalidating a corresponding associated credential, and the device requesting that the credential manager validate the corresponding associated credential after invalidating the associated credential. The associated credential may be invalidated based on an external event, such as a user invalidating the associated credential from a UI of the device, a user improperly entering a pin value, a user indicating that a corresponding device is lost, the device entering sleep mode, the device locking a user interface thereof, the device shutting down, and a particular time of day. The at least one associated credential may be provided on an integrated circuit card (ICC) that may be part of a mobile phone and/or a smart card.

Abstract: Providing registration for password/challenge authentication includes receiving an access code or pattern inputted by a user, recording a time message associated with each component of the access code or pattern via a processor, generating a data record in combining each component of the access code or pattern with the associated time message, and storing the data record.

Abstract: Methods and systems for managing cloud zones are described herein. A management server for a cloud of computing resources may add private zones to the cloud. The private zones may contain computers owned and operated by a user of the cloud, such as a cloud customer, rather than the cloud operator. The management server may manage the computing resources in the private zone by sending commands to an agent, which in turn relays the management server's commands to the individual computing resources. The agent may be authenticated using a token.

Abstract: There is a server apparatus in which: an issuing unit issues data to devices; a distribution manager distributes the data to devices; a data manager manages data set as issued; a revocation manager detects, from the data set, data that satisfies a condition, and invalidates the detected data; and a filter manager updates and distribute to devices a filter having a predetermined bit length each time data is invalidated, by setting one of a first value and a second value to each of bits in the filter when a revoked data set is projected onto the filter; the data manager identifies data other than the invalidated data, having projection onto at least one of bits whose value has changed between before and after the update, and having the first value for all of bits projected onto the updated filter and reissues data to the device having the identified data.

Abstract: Systems and methods are provided for operating an electronic device, the method comprising storing data related to at least one selected language used during password creation. At password entry prompt, the stored data related to the at least one selected language may be used to select a character mapping based on the stored data related to the at least one selected language, and the character mapping may be applied to the keyboard so that a password may be entered using that character mapping.

Abstract: An authorization and validation system and method for mobile financial transactions uses (1) historic Global Positioning System (GPS) and time at specific locations and (2) both visible and invisible prompts to allow access to assets and performance of financial transactions. Said system and method also determines when the mobile device, tablet or smart phone, is lost or is operated by an impersonator. Special attention is devoted when said system is engaged in determining whether the user is under threat or not.

Abstract: Systems, devices and techniques for establishing a secure file transfer session for secure downloading of configuration files to a Demarcation device are disclosed. Communication is established with a first network device. A password challenge message is received from the first network device. A username is generated. A password is generated using the password challenge message and a locally stored salt key. The username and the password are communicated to a second network device via the first network device, to facilitate establishing a secure file transfer connection with the second network device.

Abstract: A system and method for associating message addresses with certificates, in which one or more message addresses are identified and associated with a user-selected certificate that does not contain any e-mail addresses. In certain situations, a message may be encrypted using a certificate that does not contain an e-mail address that matches the e-mail address of the individual to which the message is to be sent, so long as the address to which the message is to be sent matches any of the message addresses associated with the certificate. The message addresses are saved in a data structure that resides in a secure data store on a computing device, such as a mobile device.

Abstract: Obfuscating a message, in one aspect, may include detecting sensitive information in a message to be broadcast into public or quasi-public computer network environment; replacing the sensitive information in the message with a representation that preserves general aspects of the sensitive information and a user interface element, the user interface element for enabling a viewer of the message to request access to details of the sensitive information; and transmitting the replaced message for broadcasting into the public or quasi-public computer network environment. De-obfuscating the message, in one aspect, may include authenticating one or more viewers or receivers of the message and based on the authentication, presenting details associated with the sensitive information.

Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.

Abstract: A gateway system for implementing access to various media is provided in the invention, and the gateway system includes: a communication media access module, for establishing a communication link with the corresponding media access network; a Media Independent Handover Functions module, for seamless handover between accesses to various media; and a handover decision module, for selecting a target network for the seamless handover. The gateway system may also include an authentication module, for sharing the authentication information of the User Equipment. Two methods for implementing access to various media are further disclosed in the invention. By the provided gateway system and methods, the User Equipment can access various media via the gateway system, seamlessly hand over between accesses to various media and achieve the access to a service network using the shared authentication information.

Abstract: One aspect relates to a process and associated device for managing digital ID lifecycles for application programs, and abstracting application programs for multiple types of credentials through a common Digital Identity Management System (DIMS) and Application Programming Interface (API) layer.

Abstract: A method for a mobile computing device comprises downloading a one-time password initializer from an authentication server, the one-time password initializer configured to generate a device-specific signature for the mobile computing device; uploading a device-specific signature to the authentication server; and downloading a device-specific configuration and one-time password generator from the authentication server. In this way, both the mobile computing device and authentication server may independently generate equivalent one-time passwords based on unique information associated with the mobile computing device.

Abstract: A secure message facility transfers authentication data between various applications, operating systems, and authentication devices and software in the form of messages. These messages comprise a data structure with a standard header with fields that describe the class, length, and type of message, and routing information. This header information is used to route the message to the appropriate handler. The messages are transferred between applications via the messaging facility DLL and the messaging facility Service. The messaging facility DLL is intended to be loaded by an application. The messaging facility DLL forms the messages, directs them to the appropriate messaging facility service (local or remote) and interprets the responses. The messages sent between the messaging facility DLL and messaging facility Service are extremely flexible and can be used to send any type of data or content of messages.

Abstract: Techniques for electronic signature process management are described. Some embodiments provide an electronic signature service (“ESS”) configured to manage electronic identity cards. In some embodiments, the ESS generates and manages an electronic identity card for a user, based on personal information of the user, activity information related to the user's actions with respect to the ESS, and/or social networking information related to the user. The electronic identity card of a signer may be associated with an electronic document signed via the ESS, so that users may obtain information about the signer of the document. Electronic identity cards managed by the ESS may also be shared or included in other contexts, such as via a user's profile page on a social network, a user's email signature, or the like.

Abstract: The objective of the present invention is to disable functionality of an additional-function unit if an unauthorized program has been installed in an information processing device, thereby preventing an unauthorized program from acquiring, in an unauthorized manner, information from the additional-function unit.

Abstract: In one implementation, form field(s) of a form of a website or application are populated with data obtained using a digital identity, and the populated form field(s) are submitted to the website or application. A form field specification specifying information about the form fields of the form is obtained. A user selects or creates a digital identity. Data is obtained using the digital identity, and the data is used to provide values to the form. The data is submitted to the website or application. In another implementation, a username and password are automatically generated. The username and password that are generated meet parameters that may be specified by the website or application. The username and password are submitted to the website or application for a purpose such as registration or authentication, and stored away for future authentication.

Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.

Abstract: The claims based identity model provides a model which associates security identities with claims. The model represents information contained in the claims, as well as, captures relationships between the security identities described in the claims. Finally, the data model can be easily translated to the existing .NET environment without breaking the backward compatibility for existing .NET applications.

Abstract: A method and system for dynamically authenticating an Internet Protocol (IP) client at a central device comprising a dynamic passcode generation means which is synced to an authentication system within or connected to the central device, the dynamic passcode generation means connected to or built into the IP client; wherein the dynamic passcode generation means periodically generates a passcode according to a preset schedule; the IP client automatically sends the periodically-generated passcode according to the preset schedule to the authentication system to authenticate the IP client; and upon authentication until the IP client is no longer authenticated, the authentication system allows a IP communications services to be provided by the central device.

Abstract: Methods, systems, and computer-readable storage media for authenticating a user and user input to a back-end system and for validating the user input. In some implementations, actions include receiving a unique user identifier and user input, generating a personalized image recognition challenge based on the unique user identifier and the user input, the personalized image recognition challenge including a plurality of images and a written message, the written message instructing a user to select a particular image of the plurality of images to validate the user input, transmitting the personalized image recognition challenge for display on a device, receiving a response to the personalized image recognition challenge, the response comprising a selection of an image from the plurality of images, and authenticating the user and the user input based on the response.

Abstract: Systems and methods are provided for establishing communications sessions over multiple network protocols using a stored key. The key may be generated by a user credential entered at a first network station and may be stored in a profile in a memory of the first network station and used for authenticating with a second network station to establish a communications session with the second network station over a first network protocol. The key may then be retrieved from the profile for use in authenticating with the second network station and establishing a communications session with the second network station over a second network protocol.