Management Patents (Class 726/6)
  • Patent number: 8250634
    Abstract: In some embodiments, a gateway in a communications network is provided including a subscriber interface and a Session Initiation Protocol (SIP) registrar; wherein the SIP registrar: receives a first register message as a result of a request associated with a user and a mobile device seeking network authentication; and sends a request for subscriber information to the subscriber interface; the subscriber interface: retrieves the subscriber information from the subscriber database; and sends the subscriber information to the SIP registrar; the SIP registrar further: sends challenge information including a password request and a request for predetermined response information previously selected by the user to the mobile device; receives a second register message including user response information in response to the challenge information; and authenticates the mobile device and the user based at least in part on whether the user response information matches the predetermined response information.
    Type: Grant
    Filed: December 5, 2007
    Date of Patent: August 21, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Kaitki Agarwal, Rajat Ghai
  • Patent number: 8250637
    Abstract: An entity resolution system and alert analysis system configured to process inbound identity records and to generate alerts based on relevant identities, entities, conditions, activities, or events is disclosed. One process of resolving identity records and detecting relationships between entities may be performed using pre-determined or configurable entity resolution rules. Further, the entity resolution system may include an alert analysis system configured to allow analysts to review and analyze alerts, entities, and identities, as well as provide comments or assign a disposition to alerts generated by the entity resolution system. Furthermore, the entity resolution system may be configured to handle duplicate alerts, i.e., one or more identical or near-identical alerts generated using the same entities and/or identities as well as assign a relevance score to the particular entities and identities included in the alert.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: August 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Thomas B. Allen, Barry M. Caceres
  • Patent number: 8250638
    Abstract: A method for maintaining domain access of a virtual machine is described. According to one embodiment, a generation of a new computer account password by an operating system is identified. The new computer account password is copied to an auxiliary storage location. An existing computer account password is replaced with the new computer account password when it is determined that a file system of the computer has been restored to a previous state. The copying of the new computer account password may be performed in response to the generation of the new computer account password. The replacing of the existing computer account password may be performed in response to the restoring of the file system to the previous state.
    Type: Grant
    Filed: February 1, 2010
    Date of Patent: August 21, 2012
    Assignee: VMware, Inc.
    Inventors: Vikas Singh, Ashish K. Hanwadikar, Robert F. Deuel, Shiqi Charlie Sun, Hui Li
  • Publication number: 20120210403
    Abstract: A mobile communications device is disclosed for use in an electronic access system for communicating with a central server for processing at least access authorization for an application running on the server. In at least one embodiment, an optical identification signal in the form of a barcode or a photographic recording of the user is captured on the mobile communications device in the form of an identification code and sent together with the mobile number to the server for further processing. The access authorization of the user for the respective application can therefore be verified on the central server. At least one embodiment relates in particular to medical and healthcare-related applications.
    Type: Application
    Filed: February 9, 2012
    Publication date: August 16, 2012
    Applicant: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Georg Heidenreich, Wolfgang Leetz
  • Publication number: 20120210407
    Abstract: A method and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generates an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.
    Type: Application
    Filed: April 25, 2012
    Publication date: August 16, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Suresh N. Chari, Gang Chen, Todd Eric Kaplinger
  • Publication number: 20120210404
    Abstract: The exemplary embodiments include a method to perform, based on at least one of hypertext transport protocol and non-hypertext transport protocol traffic tests failing, sending a hypertext transport protocol message to a subscription remediation server URI that carries a package1 message, receiving a hypertext transport protocol response from the subscription mediation server with a package2 message, and automatically replacing a password with a new value, automatically initiating creation of a new client certificate, or launching a browser to a URI provided in the response to enable user intervention. In addition, to receive an access request from a device, determining whether credentials are valid, and if the credentials are determined valid, sending an access-accept message with a success indication, and if the credentials are determined not valid, sending an access-accept message with a success indication and an indication that access by the device is limited to only a subscription remediation server.
    Type: Application
    Filed: February 13, 2012
    Publication date: August 16, 2012
    Inventors: Basavaraj Patil, Gabor Bajko
  • Publication number: 20120210405
    Abstract: A system and method is described for controlling the password(s) of one or more programs through a universal program. The universal control program allows access to one or more other programs and allows editing of the passwords of the other programs directly through the universal access program.
    Type: Application
    Filed: April 19, 2012
    Publication date: August 16, 2012
    Applicant: WORCESTER TECHNOLOGIES LLC
    Inventor: John B. Hollingsworth
  • Publication number: 20120210406
    Abstract: Techniques are disclosed for issuing inoperative credentials, and making the inoperative credential operative at a subsequent point in time. For example, a method of forming a credential comprises the step of forming, at a first point in time, an inoperative credential. The inoperative credential is adapted to become operative, at a second point in time, to form an operative credential. The second point in time occurs after the first point in time.
    Type: Application
    Filed: April 23, 2012
    Publication date: August 16, 2012
    Applicant: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Thomas R. Gross
  • Publication number: 20120210408
    Abstract: The invention discloses an authenticating method and a system thereof, which relates to the information security field and solves the problem that the user information is not safe in the transaction process.
    Type: Application
    Filed: October 29, 2010
    Publication date: August 16, 2012
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8245291
    Abstract: Techniques for enforcing access rights during directory access are presented. Access rights are maintained at the container level of a directory tree for container objects within a cache. When security is set for a requester of a target, the container object cache is directly accessed along with rights assigned to the target and the security is calculated and then set against the requester.
    Type: Grant
    Filed: November 18, 2008
    Date of Patent: August 14, 2012
    Assignee: Oracle International Corporation
    Inventors: Girish Kumar, Pradeep Kumar Rathi
  • Patent number: 8245283
    Abstract: The passage of avatars into and out of regions in a virtual universe is regulated through the use of secure communications between and among the avatar, an authority managing the region and a trusted third party who maintains a database of avatar characteristics. Permission to move from one virtual region to another is determined based upon the avatar characteristics.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: August 14, 2012
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Dawson, Vincenzo V. Diluoffo, Rick A. Hamilton, II, James W. Seaman
  • Publication number: 20120204245
    Abstract: Embodiments of the invention facilitate the use of a contactless memory token to automate log-on procedures to a remote access server using dynamic one-time passwords (OTPs). A series of workflow steps establishes the identity of the user and charges a token with a number of dynamic OTPs that can be subsequently verified using, for example, a Radius server sitting behind a VPN or SSL/VPN server.
    Type: Application
    Filed: February 1, 2012
    Publication date: August 9, 2012
    Inventors: David M.T. Ting, Jason Mafera
  • Patent number: 8239937
    Abstract: A method of validating a user, includes: storing for a user data representative of a validation code for the user including a combination of symbols from a set of symbols; presenting a displayed image including a plurality of designatable areas in which the set of symbols is distributed between said designatable areas such that each designatable area contains a plurality of the symbols; varying the image between subsequent presentations such that the distribution of symbols between the designatable areas changes between subsequent presentations, validating a user in a validation routine by detecting designation by a user of a combination of the designatable areas in a presented image, and determining whether the combination of designated designatable areas contains the combination of symbols making up the validation code for the user.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: August 7, 2012
    Assignee: Pinoptic Limited
    Inventor: Mark Dwight Bedworth
  • Patent number: 8239925
    Abstract: Methods and systems are provided for controlling access to a file system. A record of actual accesses by users of the file system is maintained. Before a user is removed from a set of users or before a privilege for a set of users to access a data element is removed, it is determined whether the actual recorded accesses of the user are allowed by residual access permissions that would remain after implementing the proposed removal of access permission. An error condition is generated if the proposed removal of the access permission would have prevented at least one of the actual accesses. In another aspect of the invention, the system determines if the users would have alternate access to the storage element following implementation of the proposal.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: August 7, 2012
    Assignee: Varonis Systems, Inc.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer
  • Patent number: 8239471
    Abstract: A system for, and method of, generating a plurality of proxy identities to a given originator identity as a means of providing controlled access to the originator identity in electronic communications media such as e-mail and instant messaging.
    Type: Grant
    Filed: October 21, 2010
    Date of Patent: August 7, 2012
    Assignee: Reflexion Networks, Inc.
    Inventors: Joseph E. McIsaac, Marcus Dahllof, Bruce L. Tatarsky, Richard K. Vallett
  • Patent number: 8239933
    Abstract: It is convenient to allow access to a private network, such as a corporate intranet, or outward facing extranet application, from an external network, such as the Internet. Unfortunately, if an internal authentication system is used to control access from the external network, it may be attacked, such as by a malicious party intentionally attempting multiple invalid authentications to ultimately result in an attacked account being locked out. To circumvent this, an authentication front-end, proxy, wrapper, etc. may be employed which checks for lockout conditions prior to attempting to authenticate security credentials with the internal authentication system.
    Type: Grant
    Filed: February 23, 2010
    Date of Patent: August 7, 2012
    Assignee: Intel Corporation
    Inventor: Steven L. Grobman
  • Publication number: 20120198527
    Abstract: A method of establishing keys for at least partially securing media plane data exchanged between first and second end users via respective first and second media plane network nodes. The method comprises sending session set-up signalling from said first end point towards said second end point, said session set-up signalling including a session key generated by said first end point. The set-up signalling is intercepted at a first signalling plane network node and a determination made as to whether or not a signalling plane key has already been established for securing the signalling plane between said first end point and said first signalling plane network node. If a signalling plane key has already been established, then a media plane key is derived from that signalling plane key, and the media plane key sent to said first media plane network node for securing the media plane between said first end user and said first media plane network node.
    Type: Application
    Filed: March 4, 2009
    Publication date: August 2, 2012
    Inventors: Mats Näslund, Rolf Blom, Yi Cheng, Fredrik Lindholm, Karl Norrman
  • Publication number: 20120198528
    Abstract: A method and system are disclosed for detecting interference with a remote visual interface, such as an HTML webpage, at a client computer, particularly to determine if a malicious attack such as an HTML attack has occurred. When the web server receives a request for a page, a script is embedded in the page, and as a consequence the client computer requests at least one session key and at least one one time password from an enterprise server. The client computer also performs a check of the HTML interface present on the client computer, which an attack of this type would change. The result of the interface check, encrypted with the session key and one time password, is sent to the enterprise server, so that a comparison with the expected value for the website can be performed.
    Type: Application
    Filed: October 27, 2011
    Publication date: August 2, 2012
    Applicant: Symbiotic Technologise Pty Ltd
    Inventor: Andreas Baumhof
  • Publication number: 20120198530
    Abstract: A method and apparatus for generating a password in real time by creating at least one password map during creation of an account associated with a user, and generating and providing a random password hint sequence grid to the user in real time, authenticating the user for accessing the account using a password created by the user, where the password is created by the user using the random password hint sequence grid and the at least one password map.
    Type: Application
    Filed: January 27, 2012
    Publication date: August 2, 2012
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Vikram BODAVULA
  • Publication number: 20120198529
    Abstract: A method of maintaining a blacklist for gesture-based passwords is provided. A data store of index values corresponding to gestures is maintained on a blacklist server. Upon receiving a new gesture based password, an electronic device converts the password to an index value and forwards that index value to the blacklist server. The blacklist server increases an occurrence of the received index value by one in a data store and if the increase results in a blacklist threshold being exceeded, the index value is inputted to the blacklist. A notification can be sent back to the electronic device if the forwarded index value is on the blacklist or is inputted to the blacklist.
    Type: Application
    Filed: November 21, 2011
    Publication date: August 2, 2012
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Wolfgang Michael THEIMER, Thomas BALON, Pascal Wissmann
  • Patent number: 8234703
    Abstract: Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: July 31, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey A. Aaron
  • Patent number: 8233408
    Abstract: A simplified future mobile terminal system converging multiple wireless transmission technologies by utilizing a cost-effective and spectrum-efficient mobile cloud solution based on the innovative virtual mobile server system of the open wireless architecture (OWA) platform.
    Type: Grant
    Filed: December 10, 2009
    Date of Patent: July 31, 2012
    Inventors: Wei Lu, Dexi Lu
  • Patent number: 8234698
    Abstract: An anonymous authentication-based private information management (PIM) system and method are provided. The PIM method includes receiving an anonymous certificate not including user information from an anonymous certification authority; generating an anonymous document including the anonymous certificate and some of the user information; and providing the anonymous document to a web service provider so as to be authenticated and thus provided with a web service by the web service provider. Thus, only a minimum of user information may be provided to the web service provider. In addition, it is possible to strengthen a user's right to self-determination and control over the exposure and use of his or her personal information by allowing a user to manage his or her own personal information or entrusting the PIM server to manage user information. Moreover, it is possible to protect the privacy of a user by preventing the exposure of user information.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: July 31, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Yun Kyung Lee, Seung Wan Han, Sok Joon Lee, Byung Ho Chung, Jeong Nyeo Kim
  • Patent number: 8234696
    Abstract: A method of submitting information as part of an authentication operation includes generating a one time password that is intended for use in an authentication operation. The method further includes providing the one time password in a display field, wherein the display field is adapted to work in conjunction with a browser to submit the one time password in response to a request for the one time password. A method of controlling submission of identity information within an authentication system includes receiving a trust list from the authentication system. The trust list identifies entities that are authorized to receive the identity information. The method further includes receiving a request to submit the identity information to a candidate entity for an authentication operation, and providing the identity information to the candidate entity if the trust list indicates that the candidate entity is authorized to receive the identity information.
    Type: Grant
    Filed: February 12, 2007
    Date of Patent: July 31, 2012
    Assignee: EMC Corporation
    Inventors: Michael O'Malley, Gideon Ansell, Andrea Doherty, Aaron Kechley, Andrew Nanopoulos
  • Patent number: 8234699
    Abstract: A method of identifying the originator of a message transmitted between a client and a server system is provided. The method includes modifying a message to be transmitted between a client and a server system to include a session identification flag and/or a session identifier 500 (e.g., at an end of the message). The method optionally includes one or more of the steps of re-computing a control portion of the message to reflect the inclusion of the session identification flag and the session identifier 502, transmitting the message between the client and the server system 504, and checking the transmitted message for the session identification flag 506, reading the session identifier of the transmitted message to determine the originator of the message 508, removing the session identification flag and/or the session identifier from the transmitted message 510, and re-computing the control portion of the message to reflect the removal of the session identification flag and/or the session identifier 512.
    Type: Grant
    Filed: December 22, 2004
    Date of Patent: July 31, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Dennis Vance Pollutro, Andrew A. Almquist
  • Patent number: 8234697
    Abstract: A software application executing in a first local operating environment may be used to connect to a remote server that requires a credential of a user to complete a transaction. In a second local operating environment that operates external to the first local environment a user may be authenticated based on a user input received in the second local operating environment. The credential of the user may be securely communicated to the remote server from the second local operating environment. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: July 31, 2012
    Assignee: Intel Corporation
    Inventor: Jasmeet Chhabra
  • Patent number: 8234714
    Abstract: A first domain ID information piece for a first domain is sent from a first domain managing entity to a second domain managing entity. The first domain managing entity manages the first domain. The second domain managing entity manages a second domain. A second domain ID information piece for the second domain is sent from the second domain managing entity to the first domain managing entity. The first domain is registered with the second domain as a domain higher in rank than the second domain in response to the first domain ID information piece sent from the first domain managing entity to the second domain managing entity. The second domain is registered with the first domain as a domain lower in rank than the first domain in response to the second domain ID information piece sent from the second domain managing entity to the first domain managing entity.
    Type: Grant
    Filed: July 11, 2008
    Date of Patent: July 31, 2012
    Assignee: Victor Company of Japan, Ltd.
    Inventor: Joji Naito
  • Publication number: 20120192255
    Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.
    Type: Application
    Filed: January 21, 2011
    Publication date: July 26, 2012
    Inventor: Ravi Ganesan
  • Patent number: 8230480
    Abstract: A method and apparatus are provided for network security based on a security status of a device. A security update status of a device is evaluated; and one or more of a plurality of security policies are selected to apply to the device based on the security update status. The available security philosophies may include, for example, a “protect the good” philosophy, an “encourage the busy” philosophy and a “shut off the non-compliant” philosophy. The security update status can evaluate, for example, a version level of one or more security features installed on the device or can be based on a flag indicating whether the device satisfies predefined criteria for maintaining one or more computer security protection features up-to-date.
    Type: Grant
    Filed: April 26, 2004
    Date of Patent: July 24, 2012
    Assignee: Avaya Inc.
    Inventors: Lookman Y. Fazal, Martin Kappes, Anjur S. Krishnakumar, Parameshwaran Krishnan
  • Patent number: 8230484
    Abstract: A client computer and/or a user is authenticated via installation of an agent, permitting access to previously inaccessible resources. All users are initially denied access to a resource via a permission list, such as by being a member of a group that is denied access. The user, once authenticated, is permitted to access the resource, e.g. by being temporarily removed from a cached copy of the group, by being temporarily added to a cached copy of a group allowed to access the resource, or both. Authentication is revoked when the agent is uninstalled. Subsequent accesses to the resource are not permitted, e.g. by undoing the temporary removal or addition. An optional resource firewall proxy server between client computers and a resource filters requests for the resource, and until a user is authenticated via an out-of-band communication from an agent, the user is denied access to the resource.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: July 24, 2012
    Assignee: EMC Corporation
    Inventor: James Christopher Wiese
  • Publication number: 20120185924
    Abstract: A method of creating a DNS record in a DNS is provided. The method includes receiving one of an allocation record or information for obtaining the allocation record from a wireless device. The allocation record includes an expression. In addition, the method includes creating a DNS record for the expression. Furthermore, the method includes associating the DNS record with a credential.
    Type: Application
    Filed: January 19, 2011
    Publication date: July 19, 2012
    Applicant: QUALCOMM Incorporated
    Inventors: Georgios Tsirtsis, Michaela Vanderveen
  • Patent number: 8225382
    Abstract: Attested identities are provided. An applicant requests an attested identity. Attesting resources provide assertions that include roles, rights, and privileges for the attested identity. The collection of assertions from each of the attesting resources represents the attested identity.
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: July 17, 2012
    Assignee: Oracle International Corporation
    Inventor: Stephen R. Carter
  • Patent number: 8225387
    Abstract: A method and a system for access authentication. A shared services resource includes a second factor authentication module. At least one network resource each include a first factor authentication module. A trusted computing base communicates with the shared services and the at least one network resource through a pipe. An assertion may be obtained on a trusted computing base for accessing at least one network resource. At least one of the at least one network resource may be accessed with the trusted computing base when the assertion has been obtained by the trusted computing base and is valid.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: July 17, 2012
    Assignee: eBay Inc.
    Inventors: Upendra Sharadchandra Mardikar, Liam Sean Lynch
  • Patent number: 8225092
    Abstract: An access authentication method includes pre-establishing a security channel between the authentication server of the access point and the authentication server of the user terminal and performing the authentication process at user terminal and access point. The authentication process includes 1) the access point sending the authentication_activating message; 2) the user terminal sending the authentication server of user terminal request message; 3) the authentication server of the user terminal sending to the user terminal response message; and 4) completing the authentication.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: July 17, 2012
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Xiaolong Lal, Jun Cao, Hong Guo, Zhenhai Huang, Bianling Zhang
  • Patent number: 8225384
    Abstract: A network-based biometric authentication system includes a client computer (10), a third party server (24), and a biometric authentication server (26). A user requests access to a web site hosted by the third party server via the client computer, wherein the third party server communicates a deployable object to the client computer. The client computer executes the deployable object, wherein the object enables the client computer to receive a user name, password, and biometric data from the user and to communicate the user name, password, and biometric data to the biometric authentication server in a secure fashion. The biometric authentication server authenticates the user name, password, and biometric data, and communicates the user name and password to the third party server, which attempts to verify the user name and password in a conventional manner and grants access to the user if the user name and password are verified.
    Type: Grant
    Filed: October 27, 2010
    Date of Patent: July 17, 2012
    Assignee: Ceelox, Inc.
    Inventors: Erix Pizano, Kass Aiken
  • Patent number: 8225103
    Abstract: A system for controlling access to a protected network includes a network access control module that is coupled to the protected network and which is configured to restrict access to the network to an authorized user through a computer coupled to the protected network. The system also includes a communication device associated with the computer. The communication device automatically transmits a unique identifier corresponding to the communication device to the network access control module when a user uses the communication device to request access to the protected network via the computer.
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: July 17, 2012
    Assignee: Avatier Corporation
    Inventors: Scott L. Chiou, Nelson A. Cicchitto
  • Patent number: 8225102
    Abstract: An intermediate network device includes a local caching module that caches user information from a remote server before a local user requests the information. In particular, the local caching module securely obtains and caches one-time passwords for a local user. The local caching device maintains separate sets of one-time passwords for each user. The local caching module may access the locally cached one-time passwords to authenticate a local user to a resource protected by a one-time password.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: July 17, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Matthew Palmer, Rod Murchison, Sampath Srinivas
  • Publication number: 20120179531
    Abstract: The present invention relates to systems and techniques for authenticating or redeeming an electronic transaction, particularly through a mobile conduit.
    Type: Application
    Filed: January 8, 2012
    Publication date: July 12, 2012
    Inventor: Stanley Kim
  • Patent number: 8220033
    Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: July 10, 2012
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 8218763
    Abstract: A method for electronically storing and retrieving at a later date a true copy of a document stored on a remote storage device comprises: sending a document in electronic format from a document owner's computing device to a store entity for storing the document; generating a digest of the document while the document is at the store entity by applying a hash function to the document; signing the digest electronically with a key while said document is at the store entity; generating a receipt that includes the digest and the key; sending the receipt to the document owner; and verifying, at the document owner's computing device, that the received receipt corresponds to the document sent from the owner's computing device.
    Type: Grant
    Filed: April 22, 2009
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventor: John G. Rooney
  • Patent number: 8219826
    Abstract: Disclosing a secure personal identification number (“PIN”) associated with a financial account to an account holder. A PIN reveal application can interact with a hardware security module (“HSM”) to decrypt and disclose the PIN to the account holder one or more PIN character(s) at a time. The account holder also can set a new PIN in a secure manner. A PIN set application can interact with the HSM to encrypt PIN characters received by the PIN set application from the account holder. The HSM provides a secure platform to encrypt and decrypt the secure PIN.
    Type: Grant
    Filed: September 3, 2009
    Date of Patent: July 10, 2012
    Assignee: Total System Services, Inc.
    Inventors: George S. Perkins, Richard E. Sway, Gary W. Hellman
  • Patent number: 8220040
    Abstract: In an embodiment, a verifier receives requirements for membership in a group from a service and receives proof of attributes from users. The verifier verifies whether the proof of attributes meets the membership requirements and sends acceptance or rejection to the service. If the proof meets the requirements, the service allows the users to become members of the group and allows the members to transfer data to and from other members. If the proof does not meet the requirements, the service prevents the users from becoming members. In this way, the service and group members know that other group members satisfy the group membership requirements without needing to know the identity of the group members or other information unrelated to the group membership requirements.
    Type: Grant
    Filed: January 8, 2008
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventors: Patrick S. Botz, Michael John Branson, Gregory Richard Hintermeister
  • Publication number: 20120174199
    Abstract: An apparatus and method for pairing a base and a detachable device. A query module queries a detachable device in response to the detachable device connecting to a base. The detachable device provides a display for the base if the detachable device and base are connected. A determination module determines if the detachable device is paired with the base. A credential module obtains a pairing credential for a pairing in response to the determination module determining that the detachable device is unpaired with the base.
    Type: Application
    Filed: January 5, 2011
    Publication date: July 5, 2012
    Applicant: LENOVO (SINGAPORE) PTE, LTD.
    Inventors: Steven Richard Perrin, Mark Charles Davis, Scott Edwards Kelso, Bin Li, Sheng Wang
  • Publication number: 20120174201
    Abstract: A system to manage a key license includes an information handling system having non-volatile memory accessible to a processor. The non-volatile memory stores feature enablement information related to a feature that the information handling system is adapted to provide. The non-volatile memory stores instructions that are accessible to the processor and executable by the processor to send the feature enablement information to an external system after the information handling system is deployed, and to request the feature enablement information, or other feature enablement information, from the external system in response to receiving a request for the information handling system to provide the feature.
    Type: Application
    Filed: March 9, 2012
    Publication date: July 5, 2012
    Applicant: DELL PRODUCTS, LP
    Inventors: Muhammed K. Jaber, Mukund P. Khatri, Theodore S. Webb, III
  • Publication number: 20120174200
    Abstract: One aspect relates to a process and associated device for managing digital ID lifecycles for application programs, and abstracting application programs for multiple types of credentials through a common Digital Identity Management System (DIMS) and Application Programming Interface (API) layer.
    Type: Application
    Filed: March 1, 2012
    Publication date: July 5, 2012
    Applicant: Microsoft Corporation
    Inventors: David B. Cross, Philip J. Hallin, Matthew W. Thomlinson, Thomas C. Jones
  • Publication number: 20120174202
    Abstract: A computer system, method and/or computer-readable medium provide independent data objects to a token in compressed form. The independent data objects are representative of security information associated with the token. The system includes an interface operable to communicate with a token, and a processor cooperatively operable with the interface. The processor is configured to determine a set of independent data objects that are associated with the token, and to aggregate the set of independent data objects associated with the token into a group. Also, the processor is configured for compressing the group into a unit of contiguous data, and writing the unit of contiguous data to the token via the interface.
    Type: Application
    Filed: March 13, 2012
    Publication date: July 5, 2012
    Inventor: Robert Relyea
  • Publication number: 20120174198
    Abstract: A system and method for more efficiently establishing a chain of trust from a registrant to a registry. A registrant credential is associated with a Shared Registration command and is sent by a registrar to a registry. Upon successful validation, a token is generated and bound to a registrant identifier. The token is included along with the registrant identifier in subsequent discrete Shared Registration commands submitted to the registry on behalf of the registrant. The registrant thus needs to submit its credential only once for changes that require several discrete commands. Also, it is more efficient for the Shared Registration System to validate a token for a set of commands than to validate a different registrant credential for each discrete command.
    Type: Application
    Filed: December 30, 2010
    Publication date: July 5, 2012
    Applicant: VeriSign, Inc.
    Inventors: James Gould, David Smith, Mingliang Pei
  • Patent number: 8214878
    Abstract: When copying a guest from a source virtual environment to a target virtual environment, policy control of the target environment is provided. A configuration specification is created based on the source virtual environment and the guest to be copied. The configuration specification contains specific policies and/or requirements of the guest. The guest and the configuration specification are copied to the target virtual environment. The target virtual environment is examined to determine whether it is compliant with the copied configuration specification. If so, the copied guest runs in the target virtual environment. If not, the target virtual environment can be modified to be in compliance with the configuration specification.
    Type: Grant
    Filed: September 25, 2008
    Date of Patent: July 3, 2012
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Sourabh Satish, William E. Sobel
  • Patent number: 8214914
    Abstract: In an embodiment, a method is provided. The method of this embodiment provides receiving a packet having a wake-up pattern, and waking up if the wake-up pattern corresponds to one of a number of dynamically modifiable passwords on a pattern wake list, each of the dynamically modifiable passwords being based, at least in part, on a seed value.
    Type: Grant
    Filed: July 7, 2010
    Date of Patent: July 3, 2012
    Assignee: Intel Corporation
    Inventor: Avigdor Eldar
  • Patent number: 8214886
    Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: July 3, 2012
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: James M. Foley, Rick D. Johnson, Anant Nambiar