Management Patents (Class 726/6)
-
Publication number: 20130024919
Abstract: One or more techniques and/or systems are provided for obtaining access to a cloud service. In particular, a user may log into a client device using an operating system (OS) cloud login ID. The user may access cloud services (e.g., a music streaming service, a data storage service, etc.) through applications executing on the client device using merely the OS cloud login ID without providing additional login credentials specific to the cloud services. A client side application may request a token to access a cloud service. The token may be generated by an identity provider based upon the identity provider verifying an application ID identifying the application, a cloud service ID identifying the cloud service and/or OS cloud credentials. In this way, the application may present the token to a cloud service provider for verification to gain access to the cloud service hosted by the cloud service provider.
Type: Application
Filed: July 21, 2011
Publication date: January 24, 2013
Applicant: Microsoft Corporation
Inventors: Allan Edwin Wetter, Adrian Frei, Peter M. Tsang, Yordan Rouskov
-
Patent number: 8359016
Abstract: In particular implementations, a mobile device management system allows network administrators to control the distribution and publication of applications to mobile device users in an enterprise network.
Type: Grant
Filed: November 19, 2010
Date of Patent: January 22, 2013
Assignee: Mobile Iron, Inc.
Inventors: Jesse Wagner Lindeman, Thomas Edward Wagner
-
Patent number: 8359640
Abstract: A printing apparatus management system includes: a printing apparatus which includes an IC tag performing wireless communication with the outside and a memory being connected to the IC tag; and a first information terminal which has at least a function of writing information in the memory through wireless communication with the IC tag. The first information terminal maintains authentication data used by the printing apparatus, writes the authentication data in the memory, and transmits the authentication data to another information terminal.
Type: Grant
Filed: February 12, 2009
Date of Patent: January 22, 2013
Assignee: Seiko Epson Corporation
Inventor: Kiyoshi Hashimoto
-
Patent number: 8359396
Abstract: In electronic commerce (e-commerce) sites that are executed on a single e-commerce application, a user's session is only associated with a single user identity for e-commerce site domain. Acting under a single identity across the site may not be desired. There may be requirements to associate an individual user with one or more separate identities within parts of the site. Aspects of the invention provide a method, system and computer program product for managing multiple user identities for a user of an electronic commerce (e-commerce) site.
Type: Grant
Filed: April 15, 2011
Date of Patent: January 22, 2013
Assignee: International Business Machines Corporation
Inventors: Victor S. Chan, Darshanand Khusial, Lev Mirlas
-
Publication number: 20130019287
Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
Type: Application
Filed: September 18, 2012
Publication date: January 17, 2013
Applicant: American Express Travel Related Services Company, Inc.
Inventor: American Express Travel Related Services Compa
-
Publication number: 20130018753
Abstract: A web-enabled user interface is provided to enable the carriers of private networks to interact and to offer services to one another. The web-enabled user interface is integrated to a switch fabric configured to provide interconnection services for the carriers. The web-enabled user interface is configured to enable the carriers to assign different roles to different representatives. Each of the representatives is granted certain rights and permissions by an administrator representative based on the representative's role. The web-enabled user interface is configured to present to each representative a unique interface based on their roles thus providing each representative a unique experience.
Type: Application
Filed: September 13, 2012
Publication date: January 17, 2013
Applicant: EQUINIX, INC.
Inventors: CRAIG ALAN WALDROP, SUKWAN YOUN, LANE GORDON PATTERSON, KIRK FELBINGER
-
Publication number: 20130019289
Abstract: Techniques for electronic signature process management are described. Some embodiments provide an electronic signature service (“ESS”) configured to manage electronic identity cards. In some embodiments, the ESS generates and manages an electronic identity card for a user, based on personal information of the user, activity information related to the user's actions with respect to the ESS, and/or social networking information related to the user. The electronic identity card of a signer may be associated with an electronic document signed via the ESS, so that users may obtain information about the signer of the document. Electronic identity cards managed by the ESS may also be shared or included in other contexts, such as via a user's profile page on a social network, a user's email signature, or the like.
Type: Application
Filed: July 16, 2012
Publication date: January 17, 2013
Applicant: DOCUSIGN, INC.
Inventors: Thomas H. Gonser, Donald G. Peterson, Douglas P. Rybacki
-
Publication number: 20130019291
Abstract: Embodiments of the present invention relate to a service opening method and system, and a service opening server. The method includes: receiving a service request from a third-party application, where the service request carries type and parameter information of the requested service; querying, according to the type information of the service, a service directory to obtain an access address and authentication type information of the requested service; when it is determined that the invoking of the service needs an authorization of an end user, obtaining an authorization notification message of the end user according to the type information of the service and the parameter information of the service; and forwarding, the service request to a capability server, and forwarding, to the third-party application, a service response message returned by the capability server. The control of the end user on the authorized service is ensured to the greatest extent.
Type: Application
Filed: September 17, 2012
Publication date: January 17, 2013
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Huawei Technologies Co., Ltd.
-
Publication number: 20130019290
Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
Type: Application
Filed: September 10, 2012
Publication date: January 17, 2013
Applicant: eBay Inc.
Inventor: Mark C. Lee
-
Publication number: 20130014238
Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network.
Type: Application
Filed: September 14, 2012
Publication date: January 10, 2013
Applicant: ALCATEL-LUCENT USA INC.
Inventors: Michael E. See, John W. Bailey, Charles L. Panza, Yuri Pikover, Geoffrey C. Stone, Michele Wright Goodwin, Robert Leon Sangroniz
-
Publication number: 20130014237
Abstract: A method including generating a first and second One Time Password (OTP) token from a shared clock, receiving a third OTP token, and comparing the second and the third OTP tokens. A system including a number generator residing on a first server to generate first and second One Time Password (OTP) tokens from a shared clock, a transmitter residing on the first server to transmit the first and the second OTP tokens, a receiver residing on a second server to receive the first, the second, and a third OTP tokens, and a comparator residing on the second server to compare the second and the third OTP tokens to authenticate an identity of a party who generates the third OTP token.
Type: Application
Filed: September 14, 2012
Publication date: January 10, 2013
Applicant: eBay Inc.
Inventor: Christopher Jurgen von Krogh
-
Publication number: 20130014236
Abstract: A method, data processing system, and computer program product for managing passwords. A computer system receives a notification from a website that indicates a password for the website needs to be changed. If the computer system determines the website is in a list of websites and a classification of the website matches one or more of a set of website classifications, a notification is sent to a password vault that indicates the password for the website needs to be changed. A set of passwords in the password vault is selected based upon the set of passwords meeting a policy for password management.
Type: Application
Filed: July 5, 2011
Publication date: January 10, 2013
Applicant: International Business Machines Corporation
Inventors: Nicholas D. Bingell, Erich P. Hoppe, Andrew J. Ivory, David M. Stecher
-
Patent number: 8352731
Abstract: A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems.
Type: Grant
Filed: April 17, 2009
Date of Patent: January 8, 2013
Assignee: Huazhong University of Science & Technology
Inventors: Ke Zhou, Dan Feng, Zhongying Niu, Tianming Yang, Qinhua Yan, Dongliang Lei, Wei Yan
-
Patent number: 8352598
Abstract: Disclosed is a method of providing a completely automated public Turing test to tell a computer and a human apart (CAPTCHA) based on image. The method comprises the steps of: storing a plurality of randomly-selected images by session when a request for a web page is received from a user client; providing the web page and a session ID to the user client; generating a test image by mixing the plurality of images when a request for a test image corresponding to the session ID is received from the user client; transmitting the generated test image to the user client; receiving at least one of first identification information inputted by the user about the test image from the user client; and comparing the first identification information with second identification information included in Meta information of the test image.
Type: Grant
Filed: December 23, 2007
Date of Patent: January 8, 2013
Assignee: Inha-Industry Partnership Institute
Inventors: DeaHun Nyang, Jeonil Kang
-
Patent number: 8353019
Abstract: An authentication server generates a security token to be used by a client for accessing multiple service providers by obtaining a secret key for each specified service provider, generating a saltbase, generating a salt for each service provider using the saltbase, the secret key, and a hashing algorithm, generating a session key that includes the salt, assigning an order to each of the generated salts, and arranging the salts based on the orders, generating a presalt for each provider using the salt for each previous provider, generating a postsalt for each of the specified service providers using the salt for each following provider, generating a blob for each of the specified service providers using the saltbase, the respective presalt, and the respective postsalt, inserting the generated blobs for the specified service providers in the security token, and providing the generated security token to the client workstation.
Type: Grant
Filed: March 26, 2010
Date of Patent: January 8, 2013
Assignee: Canon Kabushiki Kaisha
Inventor: Wei-Jhy Chern
-
Patent number: 8353018
Abstract: A method and apparatus for verifying that a user is the owner of a public listing is provided. The user selects an option to claim ownership of the public listing offered by an online service provider. The online service provider uses information regarding the user and the public listing to generate a verification code. The online service provider delivers the verification code to the owner of the public listing via the contact information provided by the public listing. If the user owns the public listing, the user receives the verification code via contact information associated with the public listing. The user verifies ownership by inputting a code to the online service provider. If the inputted code matches the verification code, then the online service provider identifies the user as the owner of the listing. Once verified, the user modifies the listing.
Type: Grant
Filed: November 13, 2008
Date of Patent: January 8, 2013
Assignee: Yahoo! Inc.
Inventors: Owen McMillan, Ambles Kwok
-
Patent number: 8353015
Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requester by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.
Type: Grant
Filed: January 9, 2008
Date of Patent: January 8, 2013
Assignee: Microsoft Corporation
Inventors: Todd L. Carpenter, David Steeves, David Abzarian
-
Publication number: 20130007858
Abstract: Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.
Type: Application
Filed: December 30, 2011
Publication date: January 3, 2013
Applicant: INTERDIGITAL PATENT HOLDINGS, INC.
Inventors: Yogendra C. SHAH, Inhyok CHA, Andreas SCHMIDT, Louis J. GUCCIONE, Lawrence CASE, Andreas LEICHER, Yousif TARGALI
-
Publication number: 20130007857
Abstract: Disclosed is a client device that includes: a user interface to receive a username and a first password associated with a server site visited by a user; a random number generator to generate a random number; and a processor to generate a second password by implementing a function based upon the first password and the random number and to command storage of the random number, the username, and the associated server site. If the user attempts to log onto the server site by inputting their username and the second password, the processor extracts the random number associated with the username and the server site and implements the function based upon the second password and the random number to generate the first password which replaces the second password entered by the user and is submitted to the server site.
Type: Application
Filed: June 30, 2011
Publication date: January 3, 2013
Applicant: QUALCOMM Incorporate
Inventor: Qing LI
-
Publication number: 20130007846
Abstract: This disclosure relates to a portable communication device and a network-side authorization server, and to methods therein. By splitting the functionality of an OAuth authorization server and moving the authorization endpoint into, for instance a mobile phone, an authorization server within the mobile phone is provided. This mobile phone authorization server does not need to communicate with the network-side for getting an authorization code or an access token.
Type: Application
Filed: July 1, 2011
Publication date: January 3, 2013
Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
Inventors: Shingo Murakami, Kristoffer Gronowski
-
Publication number: 20130007856
Abstract: A method, data processing system, and computer program product for managing user identification information. A determination is made whether an instance of security information in use on the first application server and referenced by a token that has expired was generated by an application server compatible with a first application server in response to receiving the token. A determination is made whether the instance of the security information is managed by a set of rules for a group of users of the first application server. A determination is made whether a user identifier from the token is authorized to access the first application server. The token is renewed in response to determining that the user identifier is authorized to access the first application server.
Type: Application
Filed: June 29, 2011
Publication date: January 3, 2013
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Paul W. Bennett, Christopher M. Dettlaff, Elisa Ferracane, William J. O'Donnell, Michael C. Thompson
-
Publication number: 20130007859
Abstract: Embodiments of website authentication including receiving a request from a user to view a website within a graphical user interface (GUI); generating a one time password (OTP); storing the generated OTP in a database; displaying the generated OTP on the GUI; verifying an identity of the user by receiving an identification datum from a communication device; receiving an entered OTP from the user; comparing the entered OTP with the generated OTP; and communicating whether the website is authenticated.
Type: Application
Filed: September 13, 2012
Publication date: January 3, 2013
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Jose Bravo, Jeffrey L. Crume
-
Patent number: 8345577
Abstract: High speed wireless infrastructures and techniques are provided. Wireless radios are situated within an enterprise, each radio positioned at the end of the wireless frequency range for that of a neighboring radio. Each radio wireless transmits using direction steerable antennas at 60 Gigahertz. At least one radio is interfaced to a back-end enterprise information server. Each radio capable of interfacing to a consumer's wireless device within the enterprise when that wireless device is within range of the directional steerable antennas. The wireless radios and the back-end information server combine to form a high speed wireless communication network within the enterprise.
Type: Grant
Filed: December 28, 2009
Date of Patent: January 1, 2013
Assignee: NCR Corporation
Inventor: Albertus Maria Gerardus Claessen
-
Patent number: 8347366
Abstract: Provided are a method and an apparatus for searching neighboring Bluetooth® devices through an external terminal having programming capability. The inventive method provides for a slave Bluetooth® device to receive, from the external terminal, the MAC address and optional device name from a target Bluetooth® device.
Type: Grant
Filed: March 31, 2010
Date of Patent: January 1, 2013
Assignee: Koamtac, Inc.
Inventor: Hanjin Lee
-
Patent number: 8347378
Abstract: An improved solution for authenticating a user seeking to manage a computer system is provided according to aspects of the invention. A user seeking to perform out-of-band management of the computer system can provide a set of credentials to a service processor, which in turn provides them to the computer system for authentication. Additionally, a user seeking to perform in-band management of the computer system can provide a set of credentials to a management agent executing on the computer system for authentication. In either case, the computer system can authenticate the set of credentials, e.g., using an operating system interface.
Type: Grant
Filed: December 12, 2006
Date of Patent: January 1, 2013
Assignee: International Business Machines Corporation
Inventors: Aaron E. Merkin, Mark A. Rinaldi
-
Patent number: 8347106
Abstract: An information delivery device interacting with a user's eye, the device comprising an eye characteristic reader for reading at least one characteristic of the user's eye, a retinal projector for projecting information onto the retina, and an eye characteristic processor operative to receive at least one characteristic of the eye and to select the information based at least partly thereupon. A content protection system may comprise a multiplicity of such eye characteristic readers and a content protector receiving said at least one characteristic from such readers and controlling the user population's use of content to be protected based on that at least one characteristic. Related apparatus and methods are also provided.
Type: Grant
Filed: January 21, 2008
Date of Patent: January 1, 2013
Assignee: NDS Limited
Inventors: Yossi Tsuria, Stephanie Wald, Aviad Kipnis
-
Patent number: 8347367
Abstract: A technique of allowing entry of the password which is not 100% correct. This password would be used to verify identity and/or login information in low security techniques. The password is scored relative to the correct password. The scoring can take into effect least mean squares differences, and other information such as letter groups, thereby detecting missed characters or extra characters, as well as shift on the keyboard.
Type: Grant
Filed: January 27, 2011
Date of Patent: January 1, 2013
Assignee: Harris Technology, LLC
Inventor: Scott C. Harris
-
Patent number: 8346952
Abstract: An embodiment of a network manager permits a resource group administrator (with resource group level permissions but without global permissions) to add a global object to his/her resource group as a managed object, without requiring the administrator to have a global permission, as discussed further below. An embodiment of the network manager permits a resource group administrator to also edit the configuration settings that are attached to his/her resource group without requiring the administrator to have a global permission.
Type: Grant
Filed: December 21, 2007
Date of Patent: January 1, 2013
Assignee: NetApp, Inc.
Inventors: Kartik Kumar, James Hartwell Holl, II, Anshu Surana, Ravindra Kumar
-
Patent number: 8345876
Abstract: A method of encrypting a plain text message that is m characters in length is described. A one off random key having a length of m characters is generated. The random key uses a character set and modulus that is compatible with the plain text message. A first substitution encryption of the plain text message is performed using the generated random key. A string of random fill characters that is f characters in length, f being a number between zero and infinity is generated. The generated random key and the string of random fill characters is concatenated to the encrypted plain text message to generate an encrypted message string. The encrypted message string has a length 2m+f. The encrypted message string is transmitted to a receiver.
Type: Grant
Filed: March 6, 2012
Date of Patent: January 1, 2013
Inventors: Robert Samuel Sinn, Charles Gordon Sinn, Robert Mannerstedt Sinn
-
Patent number: 8347096
Abstract: The present invention relates to the field of strong authentication tokens and more specifically to methods and apparatus employing cryptographic key establishment protocols for such strong authentication tokens. An apparatus comprising storage for a secret key, said secret key for use in the generation of cryptographic values, and a cryptographic agent for generating said cryptographic values using said secret key, selects one of a predetermined set of key transformations in an unpredictable way and applies said selected key transformation to said secret key prior to generating one of said cryptographic values.
Type: Grant
Filed: July 10, 2009
Date of Patent: January 1, 2013
Assignee: Vasco Data Security, Inc.
Inventors: Frank Hoornaert, Frederik Mennes
-
Patent number: 8347370
Abstract: Systems and methods for authenticating electronic transactions are provided. The authentication methods employ a combination of security features and communication channels. These security features can be based, for example, on unique knowledge of the person being authenticated, a unique thing that the person has, unique personal features and attributes of the person, the ability of the person to respond, and to do so in a fashion that a machine cannot, and so forth. Methods for enrolling the person prior to authentication are also provided, as well as systems for enrollment and authentication.
Type: Grant
Filed: August 18, 2011
Date of Patent: January 1, 2013
Assignee: Veritrix, Inc.
Inventor: Paul Headley
-
Publication number: 20120331535
Abstract: A system for distributed authentication includes a client machine, in a first domain in a federation, that receives from a user a first set of authentication credentials. The system also includes an intermediate machine in a second domain in the federation, a server, also in the second domain, a password management program executing on the server and a non-federated resource. The intermediate machine authenticates the user responsive to receiving the first set of authentication credentials and identifies a second set of authentication credentials. The server in the second domain authenticates the user, responsive to the second set of authentication credentials. The password management program, executing on the server, retrieves a third set of authentication credentials associated with the user. The non-federated resource authenticates the user, responsive to receiving, from the password management program, the third set of authentication credentials.
Type: Application
Filed: September 4, 2012
Publication date: December 27, 2012
Inventor: Bradley Paul Anderson
-
Publication number: 20120331534
Abstract: According to various embodiments, a session manager generates, stores, and periodically updates the login credentials for each of a plurality of connected IEDs. An operator, possibly via an access device, may provide unique login credentials to the session manager. The session manager may determine the authorization level of the operator based on the operator's login credentials, defining with which IEDs the operator may communicate. According to various embodiments, the session manager does not facilitate a communication session between the operator and a target IED. Rather, the session manager maintains a first communication session with the operator and initiates a second communication session with the target IED. Accordingly, the session manager may forward commands transmitted by the operator to the target IED. Based on the authorization level of the operator, a session filter may restrict what may be communicated between an operator and an IED.
Type: Application
Filed: June 22, 2011
Publication date: December 27, 2012
Inventors: Rhett Smith, Ryan Bradetich, Christopher Ewing, Nathan Paul Kipp, Kimberly Ann Yauchzee
-
Patent number: 8341710
Abstract: A first device receives, from a second device, a first request to set up an account, where the first request includes a shared key and information associated with the second device, where the shared key is calculated based on a private key, of a private key/public key pair, and information regarding an identity selection, from user identity information, associated with a user of the second device; and store the shared key in a memory.
Type: Grant
Filed: December 14, 2009
Date of Patent: December 25, 2012
Assignee: Verizon Patent and Licensing, Inc.
Inventor: David S Tyree
-
Patent number: 8341404
Abstract: Included in the present disclosure are a system, method and program of instructions operable to protect vital information by combining information about a user and what they are allowed to see with information about essential files that need to be protected on an information handling system. Using intelligent security rules, essential information may be encrypted without encrypting the entire operating system or application files. According to aspects of the present disclosure, shared data, user data, temporary files, paging files, the password hash that is stored in the registry, and data stored on removable media may be protected.
Type: Grant
Filed: February 17, 2006
Date of Patent: December 25, 2012
Assignee: Credant Technologies, Inc.
Inventors: Christopher D. Burchett, Jason Jaynes, Bryan Chin, David Consolver
-
Patent number: 8341716
Abstract: The information processing device includes, a communication portion that communicates with a certification device which performs certification of whether or not a user has usage permission, a reception portion that receives input identification information for identifying the user, a storage portion that stores previously registered identification information, a certification portion that performs user certification, when the reception portion receives the input identification information and the communication portion requests certification of a user by sending the identification information to the certification device, based on result information, when result information is obtained from the certification device indicating a certification result, and based on whether or not the identification information is stored in the storage portion, when the result information is not obtained, and a registration portion that registers the certified identification information in the storage portion, when certification th
Type: Grant
Filed: June 13, 2008
Date of Patent: December 25, 2012
Assignee: Fuji Xerox Co., Ltd.
Inventors: Takashi Sakayama, Shinji Akahira, Daigo Yamagishi
-
Patent number: 8340298
Abstract: Key management and user authentication systems and methods for quantum cryptography networks that allow users to securely communicate over a traditional communication link (TC-link). The method includes securely linking a centralized quantum key certificate authority (QKCA) to each network user via respective secure quantum links or “Q-links” that encrypt and decrypt data based on quantum keys (“Q-keys”). When two users (Alice and Bob) wish to communicate, the QKCA sends a set of true random bits (R) to each user over the respective Q-links. They then use R as a key to encode and decode data they send to each other over the TC-link.
Type: Grant
Filed: April 16, 2007
Date of Patent: December 25, 2012
Assignee: MagiQ Technologies, Inc.
Inventors: Robert Gelfond, Audrius Berzanskis
-
Patent number: 8341704 Abstract: A user is enabled to select one or more client devices from a number of client devices and to select one or more server devices from a number of server devices. Secure communication is to occur between each selected client device and each selected server device. For each unique pair of a selected client device and a selected server device, a validation of a security configuration of the selected client device and a security configuration of the selected server device is performed, to determine whether secure communication can occur between the selected client device and the selected server device. Where the validation has failed, reconfiguration of one or more of the selected client device and the selected server device is performed so that secure communication can occur between the selected client device and the selected server device. Type: Grant Filed: October 30, 2009 Date of Patent: December 25, 2012 Assignee: Hewlett-Packard Development Company, L.P. Inventor: Adrian Cowham
-
Patent number: 8341709 Abstract: Rather than managing a certificate chain related to a newly issued identity certificate at a terminal to which a wireless device occasionally connects, a certificate server can act to determine the identity certificates in a certificate chain related to the newly issued identity certificate. The certificate server can also act to obtain the identity certificates and transmit the identity certificates towards the device that requested the newly issued identity certificate. A mail server may receive the newly issued identity certificate and the identity certificates in the certificate chain and manage the timing of the transmittal of the identity certificates. By transmitting the identity certificates in the certificate chain before transmitting the newly issued identity certificate, the mail server allows the user device to verify the authenticity of the newly issued identity certificate. Type: Grant Filed: March 25, 2009 Date of Patent: December 25, 2012 Assignee: Research In Motion Limited Inventors: Cheryl Mok, Van Quy Tu
-
Patent number: 8341415 Abstract: Methods, systems, and apparatus, including computer program products, for generating or using augmentation queries. In one aspect, a set of phrase terms of a phrase are received in first ordinal positions, and a set of first hashes for each of the phrase terms. Concatenated hashes from the set of first hashes are generated. Hashes of content terms for received content are compared to the concatenated hashes to determine if a phrase is detected in the content. Type: Grant Filed: August 4, 2008 Date of Patent: December 25, 2012 Assignee: Zscaler, Inc. Inventors: Jose Raphel, Kailash Kailash, Narasimha Datta Nataraja
-
Patent number: 8341713 Abstract: Some demonstrative embodiments of the invention include a method, device and/or system of performing an administrative operation on a user token. The method may include, for example, providing to an admin token user-identification data identifying the user token; receiving from the admin token an administrator code to enable performing the administrative operation; and providing the administrator code to the user token. Other embodiments are described and claimed. Type: Grant Filed: November 28, 2006 Date of Patent: December 25, 2012 Assignee: K.K. Athena Smartcard Solutions Inventors: Masaru Kosaka, Eran Navoth, Gil Abel
-
Patent number: 8341692 Abstract: Methods and apparatus, including computer program products, for defining rights applicable to a digital object. A set of initial rights and a set of modifying rights are received for the digital object. At least one of the set of initial rights and the set of modifying rights specifies one or more conditions on rights in the respective set of rights. A new set of rights is defined for the digital object based on the set of initial rights and the set of modifying rights. The new set of rights specifies one or more new conditions on rights in the new set of rights. The new conditions are defined based on one or more of the conditions in the set of initial rights and/or the set of modifying rights. Type: Grant Filed: November 5, 2010 Date of Patent: December 25, 2012 Assignee: Adobe Systems Incorporated Inventors: Jason Boyer, Lawrence MacLennan, Robert Mathews
-
Patent number: 8340299 Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network. Type: Grant Filed: July 28, 2010 Date of Patent: December 25, 2012 Assignee: Broadcom Corporation Inventors: Mark L. Buer, Joseph J. Tardo
-
Patent number: 8341701 Abstract: The conventional data transmitting/receiving system has problems: that a correct measurement cannot be performed because a measurement result is an addition of a verification processing time and a transmission time; that an authentication processing which is necessary for a transmission time measurement processing needs to be separately required; and that an unnecessary key exchange processing is executed. Type: Grant Filed: September 6, 2005 Date of Patent: December 25, 2012 Assignee: Panasonic Corporation Inventors: Yasushi Ayaki, Hiroyuki Iitsuka, Naoshi Usuki
-
Publication number: 20120324554 Abstract: One embodiment relates to a security apparatus. The apparatus includes a security controller. The security controller is within a secure domain. The controller is configured to receive a trigger event from a first device outside the secure domain and a second trigger event. The controller is configured to automatically generate a secure password from a provisional password using a secure password provisioning protocol in response to the first trigger event and the second trigger event. The controller is also configured to pair the first device with the secure domain by establishing secure communications using the secure password. Type: Application Filed: June 14, 2012 Publication date: December 20, 2012 Applicant: Lantiq Deutschland GmbH Inventors: Feliciano Gomez Martinez, Joon Bae Kim, Maulik R. Bhatt, Esosa Amayo
-
Publication number: 20120324555 Abstract: Systems and methods for maintaining data security using Luhn validation in a multiple domain computing environment are presented. Each domain includes a token generator that can generate tokens associated with sensitive data such as credit card numbers. The token generation algorithm includes a Luhn validation routine for producing a tokenized data string that either passes or fails Luhn. The possibility of token collision is eliminated by a token generation algorithm that embeds a domain designator corresponding to the active domain where the token was created. When multiple tokens represent the same sensitive data, the token manager returns a set of all such tokens found. Type: Application Filed: June 20, 2012 Publication date: December 20, 2012 Inventors: Jason Chambers, Theresa Robison, Dameion Dorsner, Sridhar Manickam, Daniel Konisky
-
Publication number: 20120324553 Abstract: Disclosed is a method for the secure access of a mobile device to a nearby client device that includes the following: 1. the mobile device generating, at the time of receiving a determined stimulus, a code comprising security credentials and a contact address in a server; 2. representing the code and address in the screen of the mobile device; 3. the client device detecting and extracting the represented information; 4. the client device connecting to the contact address using the credentials; 5. the client obtaining the information contained in the contact address. By applying the method the server device can indicate the mode of access to the contents or services associated with the device, both if they are offered directly from the device itself and if they are offered from another external element. Type: Application Filed: November 25, 2010 Publication date: December 20, 2012 Inventors: Gustavo Garcia Bernardo, Javier Martinez Alvarez
-
Publication number: 20120324552 Abstract: Set forth herein are systems, methods, and non-transitory computer-readable storage media for processing media requests in a secure way. A server configured to practice the method receives, from a media player client, a request for media content. The server requests a playback token from a playback service associated with the media content and generates a tag containing the playback token. Then the server transmits to the media player client a response to the request for media content based on the tag, wherein the media player client retrieves the media content by presenting the playback token to the playback service. The media player client can be an embedded media player or other player in a web browser. The server and the playback service can operate based on a common, pre-shared feed token. Other playback client and playback service embodiments exist. Type: Application Filed: June 15, 2011 Publication date: December 20, 2012 Applicant: CBS Interactive, Inc. Inventors: Sailendra K. Padala, Emma Wei, Pedro Valentin Araujo
-
Patent number: 8336087 Abstract: The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value. Type: Grant Filed: February 29, 2008 Date of Patent: December 18, 2012 Assignee: Mitsubishi Electric Corporation Inventor: Romain Rollet
-
Patent number: 8335926 Abstract: A computer system for identifying an individual using a biometric characteristic of the individual includes a biometric sensor for generating a first code, and a controller including a memory for storing the first code and a dynamic binary code conversion algorithm. When the controller receives a sensor code from the biometric sensor, it compares the sensor code with the first code stored in the memory, and if the identity between the sensor code and the first code is verified, the controller generates a first binary code by means of the dynamic binary code conversion algorithm and outputs the first binary code from which the computer system generates a second binary code by means of the dynamic binary code conversion algorithm. The computer system then verifies the identity of the individual if the second binary code matches the first binary code. Type: Grant Filed: March 15, 2004 Date of Patent: December 18, 2012 Assignee: Quard Technology APS Inventors: Uffe Clemmensen, Søren H. Jensen, Leif Serup