Management Patents (Class 726/6)
  • Publication number: 20130061302
    Abstract: There are described methods, systems and software for creating, managing and using authentication credentials. The invention maintains for each user two authentication credentials—external and internal authentication credentials that share the same number of authentication factors of the same type. These are stored in a data store [1.4]. The user uses the external authentication credential by a device [1.1] that is external to the network [1.8]. This is matched to the internal authentication credentials that are then used to authenticate the user on the network [1.8]. It is an advantage of the invention that the internal authentication credentials are not stored on the device [1.1] leading to greater security. Also, the client software on the device [1.1] does not need to be customised in any way to deliver this improved security.
    Type: Application
    Filed: February 28, 2012
    Publication date: March 7, 2013
    Inventors: Gregory Alan Colla, Neville Robert Jones
  • Publication number: 20130061299
    Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: Mark Novak, Paul J. Leach, Yi Zeng, Saurav Sinha, K. Michiko Short, Gopinathan Kannan
  • Publication number: 20130061298
    Abstract: A method for authenticating a password is provided. An authentication server device receives a plurality of password segments associated with a password from a client device over a plurality of communication channels. The authentication server device reconstructs the password from the plurality of password segments based on a particular set of parameters identified by a selected session key identification number. The authentication server device sends the reconstructed password to a target device for comparison with a stored password associated with the client device. If the stored password matches the reconstructed password, then the target device establishes a session with the client device so that the client device may access a resource located on the target device.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: International Business Machines Corporation
    Inventors: Giuseppe Longobardi, Maria E. Massino, Marco Mattia, Maria Sbriccoli, Francesca Solida
  • Publication number: 20130061300
    Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: Mark Novak, Paul J. Leach, Yi Zeng, Saurav Sinha, K. Michiko Short, Gopinathan Kannan
  • Publication number: 20130061301
    Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
    Type: Application
    Filed: September 1, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: Mark Novak, Paul J. Leach, Yi Zeng, Saurav Sinha, K. Michiko Short, Gopinathan Kannan
  • Publication number: 20130061303
    Abstract: A method of providing continuous authentication in a contactless environment is provided. The method includes providing a reader having a contactless interface, as well as a device, operable to communicate with the reader. The method further includes the steps of receiving at the reader a first authentication request from the device, and communicating from the reader a second authentication request to a secure transaction service. The secure transaction service holds authentication credentials relating to the device. Authentication credentials relating to the device are received at the reader from the secure transaction service, and the reader provides continuous authentication based at least in part on the authentication credentials received from the secure transaction service.
    Type: Application
    Filed: February 25, 2011
    Publication date: March 7, 2013
    Applicant: IDONDEMAND, INC.
    Inventors: Jason Dean Hart, Matthew Patrick Herscovitch, Sotoudeh Hamedi-Hagh, Sooseok Oh
  • Patent number: 8392969
    Abstract: A method for managing multi-tenancy database access, including receiving credentials from a user associated with a first organization and a second organization, validating the credentials received from the user, logging the user into an access module, generating a first realm ID associated with the credentials and a first access type, generating a second realm ID associated with the credentials and a second access type, storing the first realm ID, the second realm ID, and the credentials in an authentication module, generating a connection request, establishing a connection from the access module to a data repository based on the connection request, generating a first identifier associated with the first realm ID and a second identifier associated with the second realm ID after establishing the connection; and storing the first identifier, the first realm ID, the second identifier, and the second realm ID in the data repository.
    Type: Grant
    Filed: June 17, 2009
    Date of Patent: March 5, 2013
    Assignee: Intuit Inc.
    Inventors: Thom Orr Park, James Lee Showalter, Jeffrey Moreno Collins, Deepak Goel
  • Patent number: 8392982
    Abstract: The present invention provides a system and method for authentication of network traffic managed by a traffic management virtual server. A traffic management virtual server may determine that a client has not been authenticated from a request of the client to access a server. Responsive to the request, the traffic management virtual server may transmit a response to the client with instructions to redirect to an authentication virtual server. The authentication virtual server may receive a second request from the client. The authentication virtual server may then authenticate credentials received from the client and establish an authentication session for the client. Further, the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server. The second response identifies the authentication session. The traffic management virtual server then receives a request from the client with an identifier to the authentication session.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: March 5, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: James Harris, Rui Li, Arkesh Kumar, Ravindranath Thakur, Puneet Agarwal, Akshat Choudhary
  • Patent number: 8392560
    Abstract: An electronic device may present a user interface for making selections related to connecting to a network or selecting a network from a plurality of available networks. Additionally, a user interface may give a user an opportunity to secure to an open, unsecure, connection, for example, an ad-hoc wireless connection, such as may be found at a coffee shop. A selection of security offerings may be made from a user interface screen including pre-populated service providers. A user may be allowed to save preferences for connecting to new networks, as well as preferences related to previously used networks. Further, the user may save preferences for invoking security services on a per-network or pan-network basis. The security service may be a known tunneling protocol (i.e. VPN), such as L2TP or PPTP.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: March 5, 2013
    Assignee: Microsoft Corporation
    Inventors: David Jones, Thomas W. Kuehnel
  • Patent number: 8392971
    Abstract: A computer-implemented method technique is presented. The technique can include selectively initiating, at a mobile computing device including one or more processors, communication between the mobile computing device and a public computing device. The technique can include transmitting, from the mobile computing device, authentication information to the public computing device. The authentication information can indicate access privileges to a private account associated with a user of the mobile computing device. The technique can include receiving, at the mobile computing device, an access inquiry from the public computing device. The access inquiry can indicate an inquiry as to whether the user wishes to login to the private account at the public computing device. The technique can also include transmitting, from the mobile computing device, an access response to the public computing device. The access response can cause the public computing device to provide the user with access to the private account.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: March 5, 2013
    Assignee: Google Inc.
    Inventors: Sheridan Kates, Arnaud Sahuguet, Amir Menachem Mané, Jeremy Brand Sussman, Aaron Baeten Brown, Travis Harrison Kroll Green
  • Publication number: 20130055365
    Abstract: Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN).
    Type: Application
    Filed: August 31, 2011
    Publication date: February 28, 2013
    Applicant: McAfee, Inc.
    Inventor: Philip M. Sturges
  • Publication number: 20130055367
    Abstract: A security fingerprint architecture is disclosed. A security fingerprint comprises one or more behavioral factors which store a history of events associated with one or more users. The data in the security fingerprint is exposed by one or more modes, each of which determines the conditions that data in the security fingerprint may be accessed. Security fingerprints support a number of primitive operations that allow set operations to be performed. Security fingerprints may be used for authentication, advertising, and other operations either alone, or in conjunction with third party data sources. An exemplary platform of security fingerprints built upon a cellular infrastructure is also disclosed.
    Type: Application
    Filed: September 12, 2012
    Publication date: February 28, 2013
    Applicant: T-MOBILE USA, INC.
    Inventors: Vinay Kshirsagar, Jeffrey M. Giard, Michael J. Goo, Xianglong Kong, Tony A. Sandidge, Seth H. Schuler, Bala Subramanian, Linda Zhao
  • Publication number: 20130055366
    Abstract: Provided are a computer program product, method and system for dynamically providing algorithm-based password/challenge authentication. A page is generated including selectable conversion operators to enable generation of an algorithm that applies at least one selected conversion operator of the selectable conversion operators on a string to generate a password. A created algorithm created using the at least one selected conversion operator in the page is received. The created algorithm is associated with a username for use in authenticating access by a presenter of the username to a computer service.
    Type: Application
    Filed: August 29, 2012
    Publication date: February 28, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Winson CW Chao, Ta-Wei Lin, Wei-Shiau Suen, Ming-Hsun Wu, Ying-Hung Yu
  • Patent number: 8387152
    Abstract: Computer systems and environments implemented herein permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, this computing environment can facilitate more robust and efficient authorization decisions when access to protected content is requested.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: February 26, 2013
    Assignee: Microsoft Corporation
    Inventors: Kenneth D. Ray, Nathan T. Lewis, Matthew C. Setzer, David R. Wooten
  • Patent number: 8387124
    Abstract: A token has a memory, an interface to allow connection to a host, and a processor. The processor, in response to user input for configuring a remote access connection, executes a first set of processing instructions to establish a trusted connection with the server host, exchanges credentials over the trusted connection to establish a secure connection with the server host over an untrusted connection, and defines configuration information for accessing user selected data or services.
    Type: Grant
    Filed: May 4, 2007
    Date of Patent: February 26, 2013
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Diana K. Smetters, Trevor F. Smith, Kyung-Hee Lee
  • Patent number: 8385551
    Abstract: A system and method for managing trusted platform module (TPM) keys utilized in a cluster of computing nodes. A cluster-level management unit communicates with a local TPM agent in each node in the cluster. The cluster-level management unit has access to a database of protection groups, wherein each protection group comprises one active node which creates a TPM key and at least one standby node which stores a backup copy of the TPM key for the active node. The local TPM agent in the active node automatically initiates a migration process for automatically migrating the backup copy of the TPM key to the at least one standby node. The system maintains coherency of the TPM keys by also deleting the backup copy of the TPM key in the standby node when the key is deleted by the active node.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: February 26, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Makan Pourzandi, András Méhes
  • Patent number: 8387125
    Abstract: Some demonstrative embodiments of the invention include a method, device and/or system of performing an administrative operation on a user token. The method may include, for example, providing to an admin token user-identification data identifying the user token; receiving from the admin token an administrator code to enable performing the administrative operation; and providing the administrator code to the user token. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 28, 2006
    Date of Patent: February 26, 2013
    Assignee: K.K. Athena Smartcard Solutions
    Inventors: Masaru Kosaka, Eran Navoth, Gil Abel
  • Patent number: 8387110
    Abstract: In some embodiments, communications in a private network are programmatically inspected to identify traffic associated with uncontrolled Web applications originating from outside of the private network. Unstructured data, including messages and application content, originating from such uncontrolled Web Applications may be disassembled, analyzed, and categorized into source specific application element types (AETs). A monitoring layer may be injected on a page associated with the uncontrolled Web Application to allow a user to switch between different modes. Activities associated with different modes may be handled differently utilizing AETs. Example modes may include personal, professional, etc.
    Type: Grant
    Filed: May 21, 2010
    Date of Patent: February 26, 2013
    Assignee: Socialware, Inc.
    Inventor: Cameron Blair Cooper
  • Publication number: 20130047224
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens associated with a session. The session may facilitate access to a resource by a user. The session may be identified by a session token. The apparatus may determine, based on a token-based rule, a second plurality of tokens required to facilitate determination of a risk token. The risk token may be used to facilitate determination of an access decision to the resource. The apparatus may determine that the plurality of tokens comprises the second plurality of tokens and generate a dataset token that represents the plurality of tokens. The apparatus may then communicate the dataset token to facilitate the generation of the risk token. The apparatus may receive the risk token and correlate it with the session token to facilitate determination of the access decision.
    Type: Application
    Filed: August 15, 2011
    Publication date: February 21, 2013
    Applicant: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Publication number: 20130047226
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens that indicate a user is using a device to access a resource over a network. The apparatus may detect at least one token indicating a change associated with at least one of the device, the network, or the resource. The apparatus may then determine to re-authenticate the user in response to the change. The apparatus may then request a password generated using personal information of the user, and receive a re-authentication token comprising the password generated using personal information of the user. The apparatus may then request, from the user, a second password. The request for the second password may include instructions on how to form the second password. The apparatus may receive a response comprising the second password and determine that the second password matches the password. The apparatus may then re-authenticate the user.
    Type: Application
    Filed: August 15, 2011
    Publication date: February 21, 2013
    Applicant: Bank of American Corporation
    Inventors: Rakesh Radhakrishnan, Cynthia Ann Frick, Radu Marian, Abdulkader Omar Barbir, Rajat P. Badhwar
  • Publication number: 20130047225
    Abstract: According to one embodiment, an apparatus may store: a hard token representing identification information of the device, a network token representing the status of a network, and a resource token representing information associated with a resource. The apparatus may further store secured copies of the hard token, network token, and resource token. The apparatus may receive a suspect token indicating a risk that at least one of the device, the network, and the resource has been tampered, and in response, determine to inspect at least one of the hard token, network token, and resource token. The apparatus may then compare the at least one of the hard token, network token, and resource token with its corresponding secured copy. If at least one of those tokens does not match its corresponding secured copy, the apparatus may communicate a revalidation token indicating at least one token has been tampered.
    Type: Application
    Filed: August 15, 2011
    Publication date: February 21, 2013
    Applicant: Bank of America Corporation
    Inventors: Rakesh Radhakrishnan, Cynthia Ann Frick, Radu Marian, Abdulkader Omar Barbir, Rajat P. Badhwar
  • Patent number: 8381275
    Abstract: A method, system, and computer program product for staged user identifier deletion are provided. The method includes checking a status of a user identifier in response to a triggering event. In response to determining that the status of the user identifier indicates a marked for deletion status, a notification action is performed. The method also includes monitoring a time value to determine whether a time for deletion associated with the user identifier with the marked for deletion status has been reached, and automatically deleting the user identifier with the marked for deletion status in response to determining that the time for deletion has been reached.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: February 19, 2013
    Assignee: International Business Machines Corporation
    Inventors: Casimer M. DeCusatis, Rajaram B. Krishnamurthy, Brian J. Neugebauer, Michael Onghena, Anuradha Rao, Naseer S. Siddique
  • Patent number: 8381276
    Abstract: A safe URL shortening service creates a short URL from any valid long URL. At resolution time, the service determines if the resulting URL points to a known bad, known good, or unknown site. Depending on the determination results, the service may redirect a user to the target site, block redirection, or present a warning page that allows the user to manually activate the target link.
    Type: Grant
    Filed: August 23, 2010
    Date of Patent: February 19, 2013
    Assignee: Microsoft Corporation
    Inventor: Poul A. Costinsky
  • Patent number: 8381274
    Abstract: A method for granting access to change a security system from a locked state to an unlocked state includes: displaying a security access interface, wherein the security access interface comprises a graphical region, the graphical region is filled with a plurality of colors; selecting at least one color in the graphical region; at least recording at least one color property according to the at least one selected color; generating an input password at least according to the at least one recorded color property; determining whether the input password matches a predetermined password; and granting access if the input password matches with the predetermined password. A related security system is also provided.
    Type: Grant
    Filed: December 25, 2009
    Date of Patent: February 19, 2013
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventor: Kui-Jun Wang
  • Patent number: 8381277
    Abstract: A system and methodology that facilitates management of a single identity and billing relationship for multiple UE (user equipment) associated with a subscriber is provided. Specifically, each of the multiple UEs can employ LTE (Long Term Evolution) radio technology to authenticate and register with a femto access point. Further, the transport level billing associated with the multiple UE can be facilitated by the femto access point by employing a femto id (identity) and/or credentials. Moreover, the femto access point can be employed by the multiple UEs as a network hub and can be employed by the UEs to perform authentication to connect to a core network. In addition, the femto access point can determine an authorized IP cloud associated with a registered UE and allow the registered UE to access only the authorized IP cloud.
    Type: Grant
    Filed: February 7, 2012
    Date of Patent: February 19, 2013
    Assignee: AT&T Mobility II LLC
    Inventor: Farooq Bari
  • Publication number: 20130042111
    Abstract: Methods and systems are provided for performing a secure transaction. Users register biometric and/or other identifying information. A registration code and an encryption key are generated from the biometric information and/or information obtained from an unpredictable physical process and are stored in a secure area of a device and also transmitted to a service provider. A transaction passcode generator may be computed based on the stored registration code. In at least one embodiment, a unique transaction passcode depends upon the transaction information, so that on the next step of that transaction, only that unique transaction passcode will be valid. In an embodiment, the passcode includes the transaction information. In at least one embodiment, if the transaction information has been altered relative to the transaction information stored in the device's secure area, then the transaction passcode sent during this step will be invalid and the transaction may be aborted.
    Type: Application
    Filed: July 4, 2012
    Publication date: February 14, 2013
    Inventor: Michael Stephen Fiske
  • Patent number: 8375432
    Abstract: Method, apparatus, and computer products are provided for providing temporary generated codes by a server. Responsive to triplet authentication of a device to service provider network, a server receives an initial code from the device to request a temporary generated code. The server verifies the triplet authentication of device. The server determines whether there is a user account match to the initial code. The server determines a corresponding application server based on the initial code and the user account match. The server generates a temporary generated code to access the application server. The temporary generated code is transmitted to both the application server and the communication device, is set to expire at a preset time, is generated to allow the user access to a single session on the application server, and is generated to expire after the temporary generated code is input to access the single session on application server.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: February 12, 2013
    Assignee: AT&T Mobility II LLC
    Inventor: Sangar Dowlatkhah
  • Patent number: 8375426
    Abstract: A method and arrangement for authorizing an initially unauthorized watching client to receive client data of an observed client from a client data server. The watching client sends an expanded request for client data to the server. The expanded request contains additional information such as a text string, a picture, or a video/audio clip. The server extracts the additional information and sends it to the observed client. The observed client can then decide whether to authorize the watching client to receive the observed client's data based on the additional information.
    Type: Grant
    Filed: December 11, 2006
    Date of Patent: February 12, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Christer Boberg, Anders Lindgren, Mats Bergman, Henrik Albertsson
  • Patent number: 8375425
    Abstract: A computer implemented method, data processing system and computer program product are disclosed for password expiration based on vulnerability detection. A request for a password is received during re-activation of a first account that belongs to a particular user. A test password is compared to a previously created password that belongs to the particular user to determine if a match occurred. Responsive to determining that there is a match, a second account that belongs to the particular user with respect to the match is expired.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: February 12, 2013
    Assignee: International Business Machines Corporation
    Inventors: Susann Marie Keohane, Gerald Francis McBrearty, Patrick Shawn Mullen, Jessica Carol Murillo, Johnny Meng-Han Shieh
  • Patent number: 8375221
    Abstract: A “Firmware-Based TPM” or “fTPM” ensures that secure code execution is isolated to prevent a wide variety of potential security breaches. Unlike a conventional hardware based Trusted Platform Module (TPM), isolation is achieved without the use of dedicated security processor hardware or silicon. In general, the fTPM is first instantiated in a pre-OS boot environment by reading the fTPM from system firmware or firmware accessible memory or storage and placed into read-only protected memory of the device. Once instantiated, the fTPM enables execution isolation for ensuring secure code execution. More specifically, the fTPM is placed into protected read-only memory to enable the device to use hardware such as the ARM® architecture's TrustZone™ extensions and security primitives (or similar processor architectures), and thus the devices based on such architectures, to provide secure execution isolation within a “firmware-based TPM” without requiring hardware modifications to existing devices.
    Type: Grant
    Filed: July 29, 2011
    Date of Patent: February 12, 2013
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Jeremiah Cox, David Linsley, Magnus Nystrom, Himanshu Raj, David Robinson, Stefan Saroiu, Rob Spiger, Alastair Wolman
  • Publication number: 20130036458
    Abstract: The disclosed embodiment relates to identity verification and identity management, and in particular, to methods and systems for identifying individuals, identifying users accessing one or more services over a network, determining member identity ratings, and based on member identity ratings that restrict access to network-based content and certain user-to-user interactions. Further, the user experience in performing identity management is simplified and enhanced as disclosed herein.
    Type: Application
    Filed: August 5, 2011
    Publication date: February 7, 2013
    Applicant: Safefaces LLC
    Inventors: Jason J. Liberman, David Scott Trandal
  • Publication number: 20130036459
    Abstract: The disclosed embodiment relates to identity verification and identity management, and in particular, to methods and systems for identifying individuals, identifying users accessing one or more services over a network, determining member identity ratings, and based on member identity ratings that restrict access to network-based content and certain user-to-user interactions. Further, the user experience in performing identity management is simplified and enhanced as disclosed herein.
    Type: Application
    Filed: August 2, 2012
    Publication date: February 7, 2013
    Applicant: Safefaces LLC
    Inventors: Jason J. Liberman, David Scott Trandal
  • Patent number: 8370905
    Abstract: A domain access system may include a connection package for a remote device. The connection package may be installed and used to connect to a domain without having to be physically attached to the domain. The connection package may include a domain identifier and a machine name, as well as certificates used to authenticate the device to the domain, group policies, and other components and configuration information. An installation program may configure the remote device with the various components and certificates so that the remote device may connect to the domain.
    Type: Grant
    Filed: May 11, 2010
    Date of Patent: February 5, 2013
    Assignee: Microsoft Corporation
    Inventor: Murali Sangubhatla
  • Patent number: 8370910
    Abstract: A file server including: a first interface coupled to a client computer which manages a client side user identifier used by the client computer to identify a client computer user; a second interface coupled to a first storage storing first file system data and a first file system side user identifier used by the first file system to identify the client computer user, and a second storage storing second file system data and a second file system side user identifier used by the second file system to identify the client computer user; a processor which receives a client computer's first access request to the first file system, obtains a first file system identifier which identifies the first file system and the first file system side user identifier, and translates the first file system side user identifier to a first client side user identifier using the first file system identifier.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: February 5, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Hitoshi Kamei, Masaaki Iwasaki, Takahiro Nakano, Yoji Nakatani
  • Patent number: 8369835
    Abstract: A user ID and password are transmitted from a mobile telephone to a web server and whether the mobile telephone has the right to access the web server is authenticated. If the mobile telephone has the right to access the web server, a user ID and password for a first external server stored in a database are transmitted from the web server to the first external server. Authentication processing is executed in the first external server. If it is verified that the mobile telephone has the right to access the first external server, then the first external server generates authentication information and transmits this authentication information to the web server. In a case where the mobile telephone accesses the first external server, the generated authentication information is erased and then the first external server executes authentication processing.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: February 5, 2013
    Assignee: Fujifilm Corporation
    Inventor: Kentaro Miyamoto
  • Patent number: 8370509
    Abstract: Techniques are disclosed for enabling operators of communication networks to provide one or more identity services such as, for example, an authentication service. For example, in a communication network, assume that a first computing device is a client device, a second computing device is an application server, and a third computing device is a server under control of an operator of the communication network. A method may comprise the following steps.
    Type: Grant
    Filed: May 7, 2009
    Date of Patent: February 5, 2013
    Assignee: Alcatel Lucent
    Inventors: Igor Faynberg, Hui-Lan Lu
  • Patent number: 8370901
    Abstract: An identity management method, apparatus, and computer readable article of manufacture tangibly embodying computer readable instructions for executing the identity management method. The method includes: creating an association table to record a first session ID between the user and the first Web application, a second session ID between the user and the second Web application, and an association of the IDs; sending a session ID request containing the first session ID by the first Web application to a return module; receiving the session ID request and searching by the return module for the associated second session ID in the association table according to the first session ID; and returning the second session ID to the first Web application, thereby providing identity management for a user in a Web environment in which a first Web application accesses a second Web application on behalf of the user.
    Type: Grant
    Filed: July 22, 2009
    Date of Patent: February 5, 2013
    Assignee: International Business Machines Corporation
    Inventors: Heyuan Huang, Bin Wang, Jing Min Xu
  • Publication number: 20130030904
    Abstract: A system, method, and article of manufacture for generating a digital pass is disclosed. The method may comprise retrieving a plurality of identity attributes, and grouping a subset of identity attributes in the plurality of identity attributes to generate at least one digital pass. The method may further comprise grouping a subset of static identity attributes and a subset of dynamic identity attributes to generate a digital pass.
    Type: Application
    Filed: July 28, 2011
    Publication date: January 31, 2013
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: Dilip Aidasani, Kimberly Alderfer, Kate T. King, Anup Anil Parekh, Abbas-Ali Hassan Rajwani, Stuart Rolinson
  • Publication number: 20130030897
    Abstract: A system, method, and article of manufacture for generating a digital pass is disclosed. The method may comprise retrieving a plurality of identity attributes, and grouping a subset of identity attributes in the plurality of identity attributes to generate at least one digital pass. The method may further comprise grouping a subset of static identity attributes and a subset of dynamic identity attributes to generate a digital pass.
    Type: Application
    Filed: July 28, 2011
    Publication date: January 31, 2013
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: Dilip Aidasani, Kimberly Alderfer, Kate T. King, Anup Anil Parekh, Abbas-Ali Hassan Rajwani, Stuart Rolinson
  • Patent number: 8364808
    Abstract: A device management system for managing a device based on management information is presented. The system includes a device monitoring unit for obtaining management information from a device, a relay server coupled to the device monitoring unit over a network, and a management server, coupled to the relay server over a network, configured to manage the device based on the management information. The device monitoring unit obtains the management information from the device and transmits the obtained management information without encryption. Upon receiving the management information, the relay server encrypts and transmits to the management server the received management information.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: January 29, 2013
    Assignee: Seiko Epson Corporation
    Inventor: Toshihiro Shima
  • Patent number: 8365262
    Abstract: A system for automatically generating and filling login information to improve the security in storage and use of the login information. The system comprises a monitoring module, a registration module, and a login module; the monitoring module is coupled to the registration module and the login module; the monitoring module is adapted to check for an entry of login information corresponding to the identifier of the current page, and prompt a result to the user, and transmit a signal to the registration module and the login module to perform a registration and/or login operation; the registration module comprises a login information generation unit, a login information storage unit, and a first user confirmation unit; and the login module comprises a login information input unit and a second user confirmation unit. A method for the same is also disclosed.
    Type: Grant
    Filed: November 6, 2008
    Date of Patent: January 29, 2013
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8365306
    Abstract: A platform for managing delivery of content originating from one or more content providers to users is provided. The platform includes a portal that is configured to support access through a plurality of access channels configured to receive requests through one or more access channels. A request for content is received from an access device through an access channel. An identity management module is configured to determine a user associated with the message. A content manager is configured to manage content for delivery through the plurality of access channels and configured to determine eligible content for the user. A billing module is configured to process billing for the user and content provider based on the content provided to the user. The content manager is then configured to deliver the requested content to the user's access device through the access channel.
    Type: Grant
    Filed: May 25, 2005
    Date of Patent: January 29, 2013
    Assignee: Oracle International Corporation
    Inventor: Stephane H. Maes
  • Patent number: 8365261
    Abstract: A method for implementing organization-specific policy during establishment of an autonomous connection between computer resources includes evaluating a relative priority between default credentials and alternative credentials; and using the highest priority credentials to establish a connection between the computer resources. The alternative credentials are based on organization-specific policy and provide for autonomous connections between computer resources differently than the default credentials.
    Type: Grant
    Filed: July 9, 2008
    Date of Patent: January 29, 2013
    Assignee: International Business Machines Corporation
    Inventors: Anamitra Bhattacharyya, Ann Marie Fred, Hari H. Madduri, Thomas J. Sarasin, Sumit Taank
  • Patent number: 8364460
    Abstract: Intelligent monitoring systems and methods for virtual environments are disclosed that understand various components of a virtual infrastructure and how the components interact to provide improved performance analysis to users. In certain examples, a monitoring system assesses the performance of virtual machine(s) in the context of the overall performance of the physical server(s) and the environment in which the virtual machine(s) are running. For instance, the monitoring system can track performance metrics over a determined period of time to view changes to the allocation of resources to virtual machines and their location(s) on physical platforms. Moreover, monitoring systems can utilize past performance information from separate virtual environments to project a performance impact resulting from the migration of a virtual machine from one physical platform to another.
    Type: Grant
    Filed: May 4, 2012
    Date of Patent: January 29, 2013
    Assignee: Quest Software, Inc.
    Inventors: John Andrew Ostermeyer, James Michael Hofer, Mark Steven Childers, Michael Hugh Condy
  • Patent number: 8365255
    Abstract: Methods and devices are provided for detecting or preventing unauthorized upgrades to a customer's quality of service in an access data network. Several aspects of the invention require customer nodes to properly perform an initialization procedure. For example, the initialization procedure may involve making a request to a server controlled by, or at least trusted by, the service provider. The initialization procedure may involve downloading a configuration file, such as a DOCSIS configuration file, from the trusted server. According to some such aspects of the invention, nodes that cannot properly perform the initialization procedure are prevented from coming online. According to other such aspects of the invention, nodes that cannot properly perform the initialization procedure are marked. A warning may be sent to marked nodes. A customer associated with a marked node may be charged a higher rate for service.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: January 29, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Alan Ford, Gregory Mintel
  • Publication number: 20130024920
    Abstract: A virtual computer service includes receiving, at a network server computer over a network, an encrypted image and user credentials for a user of a computer, and storing the encrypted image and the user credentials in an image repository that is communicatively coupled to the network server computer. The virtual computer service also includes receiving a request to initiate a session, the request including the user credentials. Upon successful validation of the user credentials, the virtual computer service includes selecting the encrypted image from the image repository, decrypting the encrypted image, activating a session for a virtual computer associated with the computer, and synchronizing session details of the session, once completed, with the image and storing a synchronized image in the image repository.
    Type: Application
    Filed: July 21, 2011
    Publication date: January 24, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Peter P. Rodriguez
  • Publication number: 20130024918
    Abstract: A method for authenticating users over networks includes requesting a one-time password, entering a personal identification number into a communications device, and retrieving a replaceable shared secret stored in the communications device. Moreover, the method includes generating a hashed personal identification number from the entered personal identification number, combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret, and generating a one-time password with the modified shared secret and the time of requesting the one-time password.
    Type: Application
    Filed: July 20, 2011
    Publication date: January 24, 2013
    Inventors: Jason Scott CRAMER, Andrew Supplee WEBB, Christopher Eric HOLLAND, Conor Robert WHITE
  • Publication number: 20130024922
    Abstract: A virtual computer service includes receiving, at a network server computer over a network, an encrypted image and user credentials for a user of a computer, and storing the encrypted image and the user credentials in an image repository that is communicatively coupled to the network server computer. The virtual computer service also includes receiving a request to initiate a session, the request including the user credentials. Upon successful validation of the user credentials, the virtual computer service includes selecting the encrypted image from the image repository, decrypting the encrypted image, activating a session for a virtual computer associated with the computer, and synchronizing session details of the session, once completed, with the image and storing a synchronized image in the image repository.
    Type: Application
    Filed: August 31, 2012
    Publication date: January 24, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Peter P. Rodriguez
  • Publication number: 20130024923
    Abstract: The present invention relates to a method and system for mutual authentication of a user and service provider, said method comprising acts of: authenticating an event by a key generation module (KGM), said event is generated on a computing device by a user, sending a shared secret of registered user for the event by an authentication server to the key generation module (KGM), generating one time key by the KGM for the event, transmitting the one time key by appending the shared secret to registered user mobile device, and performing at least one of: authenticating the user for said event by the KGM when a registered user enters the one-time key on the computing device within a predetermined time period, or terminating the event upon receipt of predefined key sequence from the mobile device.
    Type: Application
    Filed: March 31, 2011
    Publication date: January 24, 2013
    Applicant: PAYTEL INC.
    Inventor: Resh WALLAJA
  • Publication number: 20130024921
    Abstract: Embodiments of a mobile device and method for secure on-line sign-up and provisioning of credentials for Wi-Fi hotspots are generally described herein. In some embodiments, the mobile device may be configured to establish a transport-layer security (TLS) session with a sign-up server through a Wi-Fi Hotspot to receive a certificate of the sign-up server. When the certificate is validated, the mobile device may be configured to exchange device management messages with the sign-up server to sign-up for a Wi-Fi subscription and provisioning of credentials, and retrieve a subscription management object (MO) that includes a reference to the provisioned credentials for storage in a device management tree. The credentials are transferred/provisioned securely to the mobile device. In some embodiments, an OMA-DM protocol may be used.
    Type: Application
    Filed: July 21, 2011
    Publication date: January 24, 2013
    Inventors: Vivek Gupta, Necati Canpolat