Management Patents (Class 726/6)
  • Patent number: 8631476
    Abstract: A method of determining whether to authorize a user of a computer system to perform an action in the computer system is described. Besides the explicit authorization grants, a new, more secure semantics is defined where only unassigned users or actions are granted generically. For example, if an access control list for an action is not empty, a user may be authorized to perform the action only if the user is a member of the access control list for the action. If the access control list for the action is empty, the user may be authorized to perform the action only if the user is not a member of any access control list of a group of access control lists.
    Type: Grant
    Filed: March 31, 2005
    Date of Patent: January 14, 2014
    Assignee: SAP AG
    Inventor: Christoph H. Hofmann
  • Patent number: 8631477
    Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Leanne L. Chen, Alexander P. Ames, Prema Vivekanandan
  • Patent number: 8631463
    Abstract: Processes and techniques for tailoring operations management in a system are described. The processes and techniques allow a user to customize operations management based on the user's function within a system and the particular tasks that the user wishes to accomplish. Simplified user interfaces can be created by scoping the interfaces based on user profiles, preferences and system components.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: January 14, 2014
    Assignee: Microsoft Corporation
    Inventors: Marisol Ontaneda, Thomas W. Keane, Baelson B. Duque, Chandika Bhandari, Travis Wright, Vitaly Voloshin, Casey McKinnon
  • Patent number: 8630420
    Abstract: A method for generating a network address in a communication network includes at least one user equipment and a network equipment. The method includes: a) providing a same shared secret key both at the at least one user equipment and at the network equipment; and b) generating at least a portion of the network address at the at least one user equipment and at the network equipment based upon at least the shared secret key.
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 14, 2014
    Assignee: Telecom Italia S.p.A.
    Inventors: Maria Pia Galante, Luca Dell'Uomo, Andrea Calvi
  • Publication number: 20140013104
    Abstract: Systems and methods are disclosed for facilitating secure commenting on content items among collaborators via external messaging applications in a collaborative cloud-based environment. In one embodiment, the system receives a response to a notification associated with a content item from a collaborator via an external messaging application. The response can include a text-based comment associated with the content item and secure message information provided by the notification including a message and a message authentication code. The system then determines a validity of the response. The validity of the response can include verifying the integrity of the message using the message authentication code.
    Type: Application
    Filed: July 8, 2013
    Publication date: January 9, 2014
    Applicant: BOX, INC.
    Inventors: Natalia Vinnik, Chris Byron
  • Publication number: 20140013407
    Abstract: The present invention relates to a method and a system for operating a device (100).
    Type: Application
    Filed: November 8, 2011
    Publication date: January 9, 2014
    Applicant: ZAPLOX AB
    Inventors: Lars Tilly, Stefan Gripwall
  • Patent number: 8627415
    Abstract: A method for securing intellectual property includes establishing contact between an IP server and a client. At least two component codes are shared and pre-stored in both the player and the server prior to ordering the intellectual property. The IP server accepts an order for an intellectual property product from the client. The IP server creates a shared private key based on the pre-stored shared component codes and an additional shared component code at the time the intellectual property product is ordered. The shared private key is not distributed to the player software. The IP server encrypts the intellectual property product with the created shared private key prior to distribution to the client. The intellectual property product further comprises content data and rights data in digital form. The IP server electronically distributes the intellectual property product to the client in encrypted form without the shared private key.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: January 7, 2014
    Assignee: Sharestream, LLC
    Inventors: Paul A. Kline, Sawant Nitin, Allan M. Weinstein, David J. Weinstein, Jon L. Roberts
  • Patent number: 8627423
    Abstract: Authorizing remote access points for use in a network: After the remote access point is provisioned to communicate securely to a controller using its TCP/IP address provided by a user, the remote access point is put into an un-authorized state by the controller pending further authorization. The user is presented with a secure captive portal page authenticating the end-user. User's authentication credentials are verified by the controller. After the remote access point has been authorized, the controller marks it verified as a fully functional node, and saves this state. The remote access point is provisioned with the current provisioning parameters for the remote access point as configured by the IT administrator for the end user, so that each remote access point can have unique per-user configuration applied.
    Type: Grant
    Filed: April 9, 2010
    Date of Patent: January 7, 2014
    Assignee: Aruba Networks, Inc.
    Inventors: Santashil PalChaudhuri, Anupam Wadhawan, Shekhar Kshirsagar, Manish Mehta
  • Patent number: 8626929
    Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Wei Jiang, Ismail Cem Paya, John D. Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
  • Patent number: 8627424
    Abstract: A method, system, and computer product for use in generating one time passcodes (OTPs) in a security environment, the security environment comprising an OTP generator and an OTP validator, the method comprising generating, at the OTP generator, an OTP according to a function, wherein the function includes as an input a device id, validating the OTP at the OTP validator, whereby the validation comprises generating, at the OTP validator, a second OTP according to the function, and determining whether the OTP is valid based on a comparison of the OTP with the second OTP generated at the OTP validator.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: January 7, 2014
    Assignee: EMC Corporation
    Inventors: Michael J. O'Malley, Robert S. Philpott
  • Patent number: 8627493
    Abstract: A method may include authenticating a device to a first server, where the device includes an agent; receiving a request, in the first server from a second server, to verify the authenticity of the device, where the device is not authenticated to the second server; sending a browser plug-in to the device to communicate with the agent for verifying the authenticity of the device; receiving, in the first server, a message from the agent verifying the authenticity of the device; and sending a message from the first server to the second server to authenticate the device to the second server.
    Type: Grant
    Filed: January 8, 2008
    Date of Patent: January 7, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Roger A. Chickering, Paul Funk
  • Patent number: 8627095
    Abstract: An information processing apparatus according to the present invention includes a biometric authentication unit that authenticates one piece of biometric information based on registered biometric information, wherein the one piece of biometric information is image information unique to a living body, and a plurality of pieces of user information are associated with the one piece of biometric information, and the registered biometric information is biometric information registered in advance, and a login processing unit that selects, based on user specification information for specifying user information used for login processing, one of the plurality of pieces of user information associated with the biometric information successfully authenticated by the biometric authentication unit so that the login processing unit uses the selected one of the plurality of pieces of user information to perform the login processing.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: January 7, 2014
    Assignee: Sony Corporation
    Inventor: Tomoyuki Asano
  • Publication number: 20140007207
    Abstract: A method, a terminal and a communication system are provided for generating a local interface key. In the disclosure, the terminal generates a variable parameter and sends the generated variable parameter and other parameters for generating the local interface key to a network. The network derives the local interface key according to the variable parameter and the parameters for generating the local interface key. The terminal obtains the local interface key from the network so as to use it in intercommunication with another device, such as a UICC or other terminal device. Thus, the security of the intercommunication between the terminal and the other device is ensured.
    Type: Application
    Filed: August 29, 2013
    Publication date: January 2, 2014
    Applicant: Huawei Technologies Co., Ltd.
    Inventors: Yanmei YANG, Shuhua CAO
  • Publication number: 20140007205
    Abstract: A no-click log-in system and method allowing users to access their personal web accounts using a mobile device. The method comprises acquiring a web session identifier from a code provided on an entry webpage that is displayed on a computing device; generating an authorized token having information corresponding to at least the web session identifier and a mobile session identifier that corresponds to either an authenticated session with a service provider of the webpage or credentials to authenticate a session with the service provider; and providing the authorized token to a server, which receives the information corresponding to at least the web session identifier and the mobile session identifier from the authorized token, and uses at least the web session identifier and the mobile session identifier to authenticate the user with the service provider for providing access to a user-specific webpage that replaces the entry webpage on the computing device.
    Type: Application
    Filed: June 28, 2012
    Publication date: January 2, 2014
    Inventor: Georgios Oikonomou
  • Publication number: 20140007185
    Abstract: A computing device may receive authentication information. Within a time-out period, a fingerprint may also be received. The computing device may assign one or more authentication credentials to the fingerprint based on authentication credentials associated with the received authentication information. In some implementations, the computing device may assign the authentication credentials associated with the received authentication information to the biometric. However, in other implementations, the computing device may assign different authentication credentials to the biometric based on one or more user preferences, defaults, security policies, and/or enterprise policies. In various implementations, the authentication credentials assigned to the biometric may be altered, such as by adding and/or removing one or more authentication credentials. Such alteration may be performed in response to a received user request, changed enterprise policy, changed security policy, fraud alert, and/or other such factor.
    Type: Application
    Filed: March 13, 2013
    Publication date: January 2, 2014
    Applicant: Apple Inc.
    Inventors: Byron B. Han, Craig A. Marciniak, John A. Wright
  • Publication number: 20140006783
    Abstract: Establishing secure, mutually authenticated communication between a trusted network and a perimeter network. Servers on the perimeter network may be securely and automatically configured to communicate with the trusted network. Servers not functioning properly may be stopped from communicating with the other servers. Credential information relating to a perimeter server may be automatically, and regularly, updated without intervention.
    Type: Application
    Filed: September 4, 2013
    Publication date: January 2, 2014
    Applicant: Microsoft Corporation
    Inventors: Hao Zhang, Jeffrey B. Kay, Malcolm E. Pearson, Eric D. Tribble
  • Publication number: 20140007206
    Abstract: An approach is provided to improve security of security questions. In the approach, the system prompts a user for a security question. The security question and security answer associated with the security question are received by the system using a user input to the information handling system. Network-accessible data stores, such as social network accounts, are searched for the security answer resulting in search results. The searching results reveal a risk level which is identified by the system. The identified risk level is provided to the user, such as at a display device.
    Type: Application
    Filed: June 29, 2012
    Publication date: January 2, 2014
    Applicant: International Business Machines Corporation
    Inventors: Bernadette Alexia Carter, Al Chakra, Lori Debra Landesman
  • Patent number: 8621641
    Abstract: Systems and methods according to the present invention provide a proactive approach to controlling access to information that may be correlated with a governmentally issued personal identifier. Included are systems and methods for proactive control of information access and liability incursion. Further included are systems and methods for emulating information access to an authorized person. Generally, a method according to the present invention includes the steps of requesting verification from a subscriber at any time that information is requested from registered information holders and any time that liability may be incurred through registered information holders. In this way, the subscriber, rather than reacting to invasive information or identity theft, may proactively control access to such information, thereby preventing the theft in the first place.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: December 31, 2013
    Inventors: Michael D. Carow, Vicki L. James
  • Patent number: 8621583
    Abstract: Sensor-based authentication technique embodiments are presented which generally employ sensor readings captured by a user's computing device (such as a mobile computing device like a cell phone, smart phone, PDA, and so on) to authenticate the user's access to a computer network-based service (such as a web-service) that is secured with traditional textual passwords. These traditional passwords are saved in an off-device password repository service. The aforementioned sensor readings are not cached on the user's computing device and are immediately streamed to the password repository service, where they are validated against a pre-arranged, known sensor-based password. If the validation succeeds, access to the password protected service is brokered by the password repository service on behalf of the user using the appropriate traditional password, and the user's computing device is granted access.
    Type: Grant
    Filed: May 14, 2010
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Fan Yang, Jacky Shen, Feng Zhao, Ivan Beschastnikh, Amre Shakimov
  • Patent number: 8621584
    Abstract: Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN).
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventor: Philip M. Sturges
  • Patent number: 8621575
    Abstract: Methods of securely performing online transactions are described which involve two independently controlled web servers. In order to complete a transaction, a user interacts concurrently with each of the two web servers and authentication may occur between the user and each web server and between web servers. Each of the two web servers provide data which is used to complete the transaction and the data provided by the first web server is communicated directly to the second web server for use in the transaction. In an embodiment, the first web server provides a web page which enables a user to specify a variable which is used in the transaction. This is communicated to the second web server which processes the transaction along with an identifier for the message. The identifier may be used in validating the variable before it is used in processing the transaction. Following completion of a transaction this may be reported in real time to the first web server.
    Type: Grant
    Filed: April 24, 2009
    Date of Patent: December 31, 2013
    Assignee: Ice Organisation Ltd
    Inventors: Nick Wiseman, Paul Reeves, Kumar Duwari, Colin Franks, George Launchbury, Jayne Lee, Jude Thorne, Jacek Stawicki
  • Patent number: 8621005
    Abstract: Methods and systems for verifying, authenticating, and/or rating the identity or profile characteristics of users of online social networks and other websites and applications. And improved systems and methods that allow one or more individuals to meet or otherwise network or connect or transact or exchange information, tangibles or intangibles with other individuals and methods and systems for verifying and/or rating the identity or profiles of users of online social networks and other websites or applications.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: December 31, 2013
    Assignee: TTB Technologies, LLC
    Inventors: John Boyd, Arif Ayub
  • Patent number: 8621220
    Abstract: A method and a system to provide identity encapsulated cryptography are provided. A method may comprise receiving a user key to access a service. The service may be provided by an enterprise and hosted within a public cloud. A request for a country key assigned to a country of a user is transmitted and the country key is received. Session data resulting from the use of the service hosted within the public cloud is encrypted using the user key and the user key is encrypted using the country key. The encrypted session data and the encrypted user key are stored in the public cloud. The country key may be provided to a legal agency of the country of the user to decrypt session data of the user and to not decrypt session data of other users of another country.
    Type: Grant
    Filed: March 2, 2011
    Date of Patent: December 31, 2013
    Assignee: eBay Inc.
    Inventor: Liam Sean Lynch
  • Patent number: 8621561
    Abstract: Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol, the authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.
    Type: Grant
    Filed: January 4, 2008
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Mark F. Novak, Oded Ye Shekel, Paul J. Leach, Andreas Luther, Thomas C. Jones
  • Patent number: 8619978
    Abstract: A method and a system allow accessing several of a user's controlled access accounts by presenting the credentials of only one of the accounts. The method may include (a) storing the credentials for each of the user's accounts; (b) receiving from the user credentials corresponding to any of the user's accounts; (c) presenting the received credentials to access the corresponding account; and (d) upon successful access of the corresponding account, using the stored credentials to access one or more of the user's accounts without requiring the user to present the corresponding credentials. For each of the user's accounts, the credentials are stored encrypted, using a randomly generated key, common to all the encrypted credentials. In addition, the randomly generated key is encrypted using the credentials of each of the accounts. In that manner, plain-text copies of neither the random key nor the credentials of the accounts need to be stored.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: December 31, 2013
    Assignee: PageBites, Inc.
    Inventors: Ralph Harik, Georges Harik, Praveen Krishnamurthy
  • Patent number: 8621588
    Abstract: With a terminal apparatus that includes an authentication method deciding unit that selects one of two or more authentication methods according to acquired position information, an authentication screen output unit that outputs a screen corresponding to the one authentication method, an accepting unit that accepts authentication information that is input on that screen, an authentication information sending unit that sends an authentication method identifier that identifies an authentication method and the authentication information to a server, an output information receiving unit that receives, from the server, one or more pieces of output information corresponding to the authentication method identification information in the case of success of authentication, and an output information output unit that outputs output information, information necessary for medical practice can be acquired while appropriately securing the privacy of a patient.
    Type: Grant
    Filed: June 14, 2010
    Date of Patent: December 31, 2013
    Assignee: National University Corporation Asahikawa Medical University
    Inventor: Akitoshi Yoshida
  • Patent number: 8621582
    Abstract: Methods, an interface, and a communication network in a 3GPP network are presented. A user is authenticated and application service rules are bound to the user in GGSN filters, ensuring that the correct charging, QoS level or similar function rules apply to the user for specific application services available from both external application service providers and network operator supplied specific services.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: December 31, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Krister Boman, Gunnar Rydnell
  • Patent number: 8621210
    Abstract: Methods for ad-hoc trust establishment using visual verification are described. In a first embodiment, a visual representation of a shared data is generated on two or more devices and the visual representations generated can be visually compared by a user. This method can be used to verify that the correct devices are involved in a negotiation, when pre-existing trust relationships do not exist between the devices. The visual representation may, for example, comprise a picture with a number of different elements, each representing a part of the shared data. In another embodiment, a method of secure key exchange is described in which, before sharing the keys, the parties exchange information which encapsulates the key. This information can be used subsequently to check that a party has not changed the key that they are using and prevents a man in the middle attack.
    Type: Grant
    Filed: June 26, 2008
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Laurent Bussard, Ulrich Müller, Alain Gefflaut
  • Publication number: 20130347084
    Abstract: A system and method of implementing a security mode in a mobile communications device, including a mobile communications device comprising a processor, and a computer readable storage medium storing programming for execution by the processor, the programming including instructions to activate a security mode of the mobile communications device, and pursuant to activation of the security mode, disable a first class of features of the mobile communications device, wherein other features of the mobile communications device remain enabled after activation of the mobile security.
    Type: Application
    Filed: June 20, 2012
    Publication date: December 26, 2013
    Applicant: FUTUREWEI TECHNOLOGIES, INC.
    Inventor: Richard Malinowski
  • Publication number: 20130347086
    Abstract: A method of capturing biometric data is provided that includes activating a security application in a device. The security application is activated by an operator of the device and is configured to cause the device to display an outline image. Moreover, the method includes displaying the outline image in a stationary position on a display of the device, positioning desired biometric data proximate the device such that the desired biometric data appears as a biometric image on the device display, and monitoring the outline and biometric images shown on the device display. Furthermore, the method includes positioning the device and the desired biometric data to better align the outline and biometric images when the outline and biometric images do not align and capturing the desired biometric data from an individual after approximately aligning the outline image with the biometric image.
    Type: Application
    Filed: August 29, 2013
    Publication date: December 26, 2013
    Inventors: Tevfik Burak SAHIN, Michael PEIRCE, Nicolas Jacques Jean SEZILLE, Conor Robert WHITE
  • Publication number: 20130347085
    Abstract: Novel systems and methods for testing network security are disclosed. In one example, at least one specified data message and at least one specified access credential to at least one third-party web-based service are stored on a monitoring system. At least one software agent configured with the specified data message and the specified access credential to the third-party web-based service is installed on at least one system to be tested. The software agent is executed on the testing system to send the specified data message to the third-party web-based service using the specified access credential. A monitoring system, which is independent of the network, accesses the third-party web-based service with the access credential. The monitoring system checks whether data on the third-party web-based service is equivalent to the specified data message sent by the software agent. In another example, the software agent is configured with a custom start-logging command.
    Type: Application
    Filed: June 22, 2012
    Publication date: December 26, 2013
    Applicant: STRATUM SECURITY, INC.
    Inventors: Trevor Tyler HAWTHORN, Nathan MILLER, Jeffrey LoSAPIO
  • Publication number: 20130347075
    Abstract: Cloud services are provided to mobile devices. Applications access cloud services through a consolidator that consolidates the services. The mobile device may include a secure element and secure memory to which the consolidator may authenticate. Authenticated consolidators can control the lifecycle of applications and data in secure memory. Secure elements and secure memory may be embedded or integrated in the mobile device in non-removable add-on slots, or may be in a removable or remote add-on device.
    Type: Application
    Filed: June 22, 2012
    Publication date: December 26, 2013
    Applicant: TYFONE, INC.
    Inventors: Siva G. Narendra, Prabhakar Tadepalli, Todd Raymond Nuzum
  • Patent number: 8615665
    Abstract: Method for rapidly booting two or more computer processors (32, 28, 58-1, 58-2, 36-1, 36-2) in a device (200) designed for communicating sensitive or classified information. The method includes verifying an absence of any modification of a software image for each computer processor relative to an original authentic version of the image for the computer processor. The verifying step can include calculating an integrity check value which is uniquely determined by a combination of the original authentic version of the software image and a first random number.
    Type: Grant
    Filed: January 26, 2007
    Date of Patent: December 24, 2013
    Assignee: Harris Corporation
    Inventor: John J. Fitton
  • Patent number: 8615793
    Abstract: A method of maintaining a blacklist for gesture-based passwords is provided. A data store of index values corresponding to gestures is maintained on a blacklist server. Upon receiving a new gesture based password, an electronic device converts the password to an index value and forwards that index value to the blacklist server. The blacklist server increases an occurrence of the received index value by one in a data store and if the increase results in a blacklist threshold being exceeded, the index value is inputted to the blacklist. A notification can be sent back to the electronic device if the forwarded index value is on the blacklist or is inputted to the blacklist.
    Type: Grant
    Filed: November 21, 2011
    Date of Patent: December 24, 2013
    Assignee: BlackBerry Limited
    Inventors: Wolfgang Michael Theimer, Thomas Balon, Pascal Wissmann
  • Patent number: 8615520
    Abstract: Methods, devices and systems for moderating and policing voluntarily established transparency regarding past and present, and personal and professional relationships via online networking services. Identity of a person or commercial entity is verified before registration as a user. Each user is permitted a single profile. A profile includes a record of all relationships entered in the profile, some of which may be hidden by user. Each user is capable of linking his profile to profiles of other consenting users. Owner of a profile may flag inaccurate information on other linked profiles. The reliability or value of information in a profile is measured as a function of duration of existence of profile, transparency of the information in the profile, periods of inactivation, and number of times the profile is correctly flagged. A code is generated and used to allow gradual exposing of the profile of a user to his prospective contacts.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: December 24, 2013
    Inventor: Farzan Fallah
  • Patent number: 8615794
    Abstract: In some embodiments, an apparatus includes an authorization module implemented in at least one of a memory or a processing device. The authorization module receives at a first time and from a first mobile application, a request for an access token associated with a second mobile application that includes an identifier associated with the second mobile application and a first random verification identifier. The authorization module provides to the first mobile application a signal representing an authorization code associated with the access token. The authorization module receives from the second mobile application at a second time a signal representing the authorization code, the identifier associated with the second mobile application, and a second random verification identifier. The authorization module provides a signal representing the access token to the second mobile application based in part on the first random verification identifier being equal to the second random verification identifier.
    Type: Grant
    Filed: January 9, 2013
    Date of Patent: December 24, 2013
    Assignee: Ping Identity Corporation
    Inventors: Scott Tomilson, Brian Campbell
  • Patent number: 8615791
    Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, and retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.
    Type: Grant
    Filed: November 21, 2011
    Date of Patent: December 24, 2013
    Assignee: West Corporation
    Inventors: Jeffrey William Cordell, Larry Trent Larson, Michael S Fecci, Raymond Onslow Morris, Kevin Peter Pierson
  • Patent number: 8615792
    Abstract: A method, system and computer-usable medium are disclosed for controlling access to attribute information. A request is received from an application for attribute information. An attribute release policy associated with the requesting application is used to filter attributes stored in a datastore. The filtered attributes are then provided to the requesting application.
    Type: Grant
    Filed: December 29, 2009
    Date of Patent: December 24, 2013
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Donald N. Jones, Masakazu Miyamoto
  • Publication number: 20130340057
    Abstract: User authentication systems and supporting methods and devices are described. For instance, the disclosed subject matter describes image-facilitated generation of user authentication credentials, user authentication, etc. for a user and related functionality, where a selection of images can correspond to a grammatical structure comprising disparate parts of speech according to various non-limiting aspects. The disclosed details enable various refinements and modifications according to system design and tradeoff considerations.
    Type: Application
    Filed: June 13, 2012
    Publication date: December 19, 2013
    Applicant: RAWLLIN INTERNATIONAL INC.
    Inventor: Vladimir V. Kitlyar
  • Publication number: 20130340058
    Abstract: A system for collecting, storing, authenticating, and managing personal information, such as identity data, skill data, qualification data, certification data, for individuals and/or organizations. The system securely collects identity, skill, qualification, and certification data and enables the generation of a personal identification credential that can be used to securely authenticate the identity of an individual and, thereafter, retrieve skill, qualification, certification data, and/or other personal information for the individual. The system also enables an individual with an issued personal identification credential via third party verification to securely update personal information, such as skills, qualifications, and certifications data for storage in a secure cloud database system.
    Type: Application
    Filed: June 11, 2013
    Publication date: December 19, 2013
    Inventors: Robert B. Barnes, Robert William Littlefield
  • Patent number: 8613108
    Abstract: A method and apparatus for location-based access control applies a location-based identifier to a document, wherein the location-based identifier indicates an original storage location of the document. The original storage location is an authorized node having access privileges specific to the document. In response to the document being moved or copied, an access control engine compares a current location of the document to the original storage location and denies access when there is a discrepancy. When the document is moved consistent with an access control policy, such as when an administrator moves the document, an original storage location identifier is changed consistent with a new location. The document is only accessible when accessed from an authorized location. The locations may be referred to as access nodes, wherein each access node corresponds to a folder.
    Type: Grant
    Filed: March 26, 2009
    Date of Patent: December 17, 2013
    Assignee: Adobe Systems Incorporated
    Inventor: Neerav Aggarwal
  • Patent number: 8613062
    Abstract: A method, a terminal, an apparatus, and a system for device management (DM) are provided. Specifically, a DM terminal, a DM apparatus, and a method for managing the terminal device are provided. The method for managing the terminal device includes the following steps: adding, by a DM terminal device, management nodes in a DM tree of the DM terminal device; and recording, by the DM terminal device, MOs types supported by the DM terminal device in the management nodes added in the DM tree of the DM terminal device. Therefore, the problem that the server does not know the DM applications supported by the terminal, and in the method, a specific management operation is delivered to make the management of the server more flexible and effective.
    Type: Grant
    Filed: October 20, 2011
    Date of Patent: December 17, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xiaoqian Chai, Linyi Tian
  • Patent number: 8613068
    Abstract: Various embodiments utilize redirection techniques to refresh an authenticated session for a web-based executable operated across multiple domains. In at least some embodiments, the redirection techniques utilize a hidden inline frame (“i-frame”) to refresh an authenticated session. In some embodiments, polling is utilized to detect the end of a redirection sequence and a refreshed authenticated session while in other embodiments, an authenticated session is assumed to be refreshed after the expiration of a predetermined period of time.
    Type: Grant
    Filed: August 4, 2011
    Date of Patent: December 17, 2013
    Assignee: Microsoft Corporation
    Inventors: Eric Wai Ho Lau, Peter Wu, Jeremy Hay
  • Patent number: 8613046
    Abstract: The present invention relates to a far-end control method with a security mechanism including a host transmitting an identification code through the PSTN (Public switched telephone network) to the I/O control device of the far-end. The I/O control device has a CPU to receive the identification code and judge whether the identification code matches with the predetermined value stored therein; if the identification code matches with the predetermined value, the mobile internet connection between the host and the I/O control device is activated to enable the host to mutually transmit information or signals with a far-end control device from the I/O control device through the mobile internet, and the connection will be disabled after the information or signal transmission is completed.
    Type: Grant
    Filed: December 29, 2008
    Date of Patent: December 17, 2013
    Assignee: Moxa Inc.
    Inventor: Hsu-Cheng Wang
  • Publication number: 20130333006
    Abstract: A method of operating a security server to securely transact business between a user and an enterprise via a network includes receiving, at the security server from an enterprise with which the user is currently connected via the network, a request of the enterprise to activate a secure communications channel over the network between the user and the security server. The request includes contact information for contacting the user via other than the network. The security server, in response, transmits an activation code for delivery to the user via other than the network and in a manner corresponding to the received contact information. The security server receives, from the user via the network, an activation code and compares the received activation code with the transmitted activation code to validate the received activation code. The secure communications channel is then activated based on the validation of the received activation code.
    Type: Application
    Filed: June 7, 2012
    Publication date: December 12, 2013
    Applicant: AUTHENTIFY, INC.
    Inventors: Peter George TAPLING, Andrew Robert ROLFE, Ravi GANESAN
  • Patent number: 8607330
    Abstract: A processor stores a current password in a current password storage area, which results in committing the current password as a valid password. In turn, the processor initiates a password change interval that indicates a required point at which to change the current password. The processor also stores a future password in a future password storage area, which activates the future password. Activating the future password allows a user to login using the future password, but is independent of the password change interval (e.g., does not reset the password change interval). The processor subsequently receives a login request from a user that includes a login password, and determines that the login password matches the future password. As a result, the processor authorizes the user in response to determining that the login password matches the future password.
    Type: Grant
    Filed: September 3, 2010
    Date of Patent: December 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Itzhack Goldberg, Julianne F. Haugh
  • Patent number: 8607060
    Abstract: A first information handling system (“IHS”) receives identification information of a first user of a second IHS. The first IHS initiates a network session in response to authenticating the identification information of the first user. Within the network session, the first IHS receives identification information of a second user of the second IHS. The first IHS authenticates the identification information of the second user.
    Type: Grant
    Filed: March 6, 2012
    Date of Patent: December 10, 2013
    Assignee: United Services Automobile Association (USAA)
    Inventors: Christopher Scott Stewart, Pamela Ann Thibodeaux, Bonnie Rose Stewart
  • Patent number: 8607358
    Abstract: A seed value is received and a resource encryption key is generated from the seed value. The resource encryption key may be sent to an application server such that the application server system is able to encrypt a resource using the resource encryption key. Authentication credentials and a wrapped key are received and the wrapped key is decrypted to generate an unwrapped key that includes the resource identifier, the resource encryption key, and the user identifier in unencrypted form. The user identifier is accessed from the unwrapped key and it is determined that the received authentication credentials correspond to the accessed user identifier. The resource encryption key is sent in unencrypted form to the application server system such that the application server system can decrypt the resource using the resource encryption key in unencrypted form.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: December 10, 2013
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel
  • Patent number: RE44671
    Abstract: A system and method for storing identifying information and telephone numbers associated with individuals, and cross-referencing said information so as to link a first individual to other referee individuals capable of identifying the first individual as a result of a telephone conversation. When a relying party wishes to confirm the identity of a contracting party, the system is contacted and, using identifying information pertaining to said contracting party, identifies the set of referee individuals capable of identifying said contracting party, contacts a referee selected at random from the set, and places the contracting party in telephonic communication with the referee. At the conclusion of said telephonic communication, said system invites the referee to state the name of the first individual; by comparing the voice sample with a stored voice sample, the apparatus then provides identity confirmation to said relying party.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: December 24, 2013
    Assignee: New Model Identity Limited
    Inventors: Christopher P. K. Smithies, Jeremy M. Newman
  • Patent number: RE44701
    Abstract: Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
    Type: Grant
    Filed: March 6, 2012
    Date of Patent: January 14, 2014
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Ronald Wai Lun Szeto, Shih-Tsung Hwang