Abstract: Systems, devices methods and media are provided for selecting data received from or sent by a client device. In one example, a system is configured to initiate a user-configurable API data endpoint on the client device and issue a request for access to specified data residing on the client device. The specified data resides in a first user-designated storage area on the client device. In response to receiving an authorization by a user of the client device of the access request, the system communicates with the user-configurable API data endpoint on the client device to perform a data-pull of at least some of the requested specified data from a second user-designated data pull portion of data residing on the client device.

Abstract: Composite biometric authentication is provided to multiple users that share a financial account. The users can enroll the account for composite biometric authentication. The enrollment can include recording multiple biometrics of each user and storing them as a composite to use in authenticating user requests to authorize transactions involving the shared financial account. A unique combination of biometrics can be generated including a biometric of the multiple biometrics of each of the users and stored such that the unique combination must be provided to authenticate a future user request. To proceed with a transaction, a user of the multiple users initiates the transaction and provides their part of the unique combination. The other users provide their part of the unique combination by providing the specific biometric of the multiple biometrics they have previously provided. The transaction proceeds when all shares of the unique combination are provided and authenticated.

Abstract: A system manages security policy data used to provide access by a user to third-party applications without revealing sign-on credentials to the user. The system includes an access management server that hosts an administration portal for configuring the security policy data. The security policy data includes, for each user, a list of applications to which the user may request access and the corresponding sign-on credentials for accessing each of the applications. In response to inputs provided at the administration portal, the system associates applications with credentials and subsequently associates the credentials with a user. Before these associations are used to update the security policy data, a request for confirmation of user permission is sent to a permission server, which stores current permission data for users. If permission for the user is confirmed, security policy data is updated according to the associations provided via the administration portal.

Abstract: Disclosed is a method for continuously authenticating a user based on motion input data. The method includes recording motion input data from a keyboard such as starting coordinates, ending coordinates, and timestamps of key-up actions to determine that a key has been pressed, recording a timestamp of motion input at the starting coordinate, mapping the timestamp of said motion input at the starting coordinate to a key-down action for the key press, determining which key of said virtual keyboard said key-down action refers to, and granting or denying access to a device if the timing of the key which was pressed and released in the key-down action and the corresponding key-up action matches the press and flight timing of a key which was pressed and released in a previously-recorded key-down action and a previously-recorded key-up action.

Abstract: A registration and authorization method, device and system is used for solving the technical problem of relatively low safety of the existing authorization technology. The method is applied to an authorization server, the authorization server is a node in a blockchain network and stores a blockchain composed of a plurality of blocks, each block is used for storing authorization information, and the method comprises: receiving a registration request message sent by a user device, wherein the registration request message includes identification information, and the identification information is used for performing identity verification on a user; assigning authorization information to the user, wherein the authorization information is used for indicating a service that the user can access; and writing the identification information and the authorization information into the blocks of the blockchain through the authorization server.

Abstract: Method of authenticating a client to a server, the client having beforehand registered on the server by storing therein a valid identifier (ID) and a hashed word (H0; Hn) generated by applying a hash function to a disposable random variable (RAND0; RANDn; Rn) possessed/known by both the client and the server and concatenated with a sequence (ISC0; ISCn) resulting from hashing the concatenation of a password (PWD) known from the client, said disposable random variable (RAND0; RANDn; Rn) and an initialization sequence (ISCinit) possessed by the client.

Abstract: A system and method for supporting load balancing in a multi-tenant cluster environment, in accordance with an embodiment. One or more tenants can be supported and each associated with a partition, which are each in turn associated with one or more end nodes. The method can provide a plurality of switches, the plurality of switches comprising a plurality of leaf switches and at least one switch at another level, wherein each of the plurality of switches comprise at least one port. The method can assign each node a weight parameter, and based upon this parameter, the method can route the plurality of end nodes within the multi-tenant cluster environment, wherein the routing attempts to preserve partition isolation.

Abstract: A service provider (SP) network device or system can operate to enable a WiFi protected access 2 (WPA2) pass-through with a user equipment (UE). The WPA2 pass-through can be an interface connection that passes through a computer premise equipment (CPE) or wireless residential gateway (GW) without the CPE or GW modifying or affecting the data traffic such as by authentication or security protocol. The SP network device can receive traffic data from a UE through or via the WPA 2 pass-through from a UE of a community Wi-Fi network at a home, residence, or entity network. Regardless of whether the UE is connected to any other home network at the CPE or is a subscriber to the SP network, the UE can communicate transparently by the WPA 2 pass-through with the SP network device to establish a secure initial access process with the SP network.

Abstract: Provided in some embodiments are systems and methods for determining a data flow path including a plurality of network devices for routing data from a first network device to a second network device; determining for the network devices one or more flow rules that specify an input for receiving data, an output for outputting data, and a role tag indicative of a role of a network device, where the role tag for one or more flow rules for a first network device of the network devices indicates a source role; distributing, to the network devices, the one or more flow rules; determining malicious activity on the data flow path; determining that the first network device is a source based at least in part on the role tag for the first network device; and sending, to the first network device, a blocking flow rule to inhibit routing of malicious data.

Abstract: Approaches presented herein enable challenge-response authentication of a user based on information captured by devices associated with the user. Specifically, in one approach, a plurality of devices associated with the user that each dynamically track and store on-device data points over a period of time are identified. A request initiated by a party claiming to be the user is received to authenticate the party as the user. An authentication question is generated in a natural language, the answer to which is a data point selected from data points on at least one device of the plurality, wherein the selected data point is discoverable by viewing data points on the at least one device. The requesting party is prompted to find the data point by presenting the authentication question to the requesting party. In the case that the requesting party returns the answer, the requesting party is authenticated as the user.

Abstract: The disclosed computer-implemented method for protecting passwords may include (i) intercepting network traffic indicating an attempted login procedure at a workload device to login to a protected resource, (ii) prompting a user, in response to intercepting the network traffic, and at an authentication device that has been registered to the user, to indicate whether to approve the attempted login procedure, (iii) collecting, at the authentication device, a credential for the attempted login procedure that was stored in a protected vault of the authentication device, (iv) providing, by the authentication device to the workload device, an authentication decision based on the collected credential, and (v) injecting, at the workload device, the authentication decision into a browser session to enable the user to complete the attempted login procedure to login to the protected resource. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method includes: receiving, by a computing device, a vault access request for vault credentials stored by a vault server; verifying, by the computing device, whether a source of the vault access request originated from a multitenant application server; preventing, by the computing device, access to the vault server and the vault credentials when the source of the vault access request has not been verified as originating from the multitenant application server; obtaining, by the computing device, vault credentials from a vault server based on verifying that the source of the vault access request originated from the multitenant application server; and executing, by the computing device, a multitenant application task using the vault credentials.

Abstract: The invention relates to a method to initiate the use of cryptography and authentication methods and to perform these methods. The method comprises the steps of: generating a URI (410), calling (420) a communication component (120) using the generated URI and a proprietory URI scheme; performing (430) the cryptography and authentication method by the local communication component (120); generating (440) at least one result (440) by the communication component (120).

Abstract: The present application provides a system and method for accelerated network service and/or network slice provisioning in response to customer requests or requirements. The provided system and method incorporate a network service/network slice instance that is responsible for constructing and maintaining status and models associated with the dynamics of network services. A modelling function can be operated based on collected network service information to maintain a model relating to network service dynamics, and transmit indications, such as predictions of future requirements, to a corresponding network management service. The indications can be used for creation, modification, and termination of the network service, or for advanced preparation of such actions.

Abstract: An approach is provided for controlling computer resource usage. A new event in an integration flow in an integration platform is detected. Sender and receiver information is identified and hashed. A portion of data being sent by the sender to the receiver is selected and hashed. It is determined that the hashed sender and receiver information matches a first entry and the hashed selected portion of the data matches a second entry in a pattern repository. A recurring event in the integration flow is identified, where the recurring event uses an amount of computer resources that exceeds a threshold amount. An action is performed which reduces the amount of computer resources used by the integration flow to a new amount that does not exceed the threshold amount.

Abstract: The present disclosure relates to a SDN-based method for mirroring packets, wherein a SDN controller is coupled to an upper layer application and at least one data switching exchange respectively, and the method including: a) the upper layer application sends a mirroring instruction to the SDN controller through a first northbound interface of the SDN controller; b) the SDN controller generates a second flow table based on the mirroring instruction and a first flow table sent by a first data switching exchange; wherein the first data switching exchange initiates transmission of the packets, the first flow table encapsulates the packets, and the second flow table includes at least an action command corresponding to the mirroring instruction; and c) a second data switching exchange extracts the packets from the second flow table, and mirrors the packets to the designated node based on the action command.

Abstract: In an approach to securing data using alternative value identification schemes, one or more computer processors receive user registration data, wherein the user registration data includes one or more authentication parameters, wherein the one or more authentication parameters includes one or more physical pressure-based inputs by a user. The one or more computer processors receive an access request requiring an authentication from the user, wherein the access request includes the one or more physical pressure-based inputs by the user associated with the one or more authentication parameters. The one or more computer processors determine whether the one or more authentication parameters match the user registration data. Responsive to determining that the authentication data matches the registration data, the one or more computer processors authenticate access for the user.

Abstract: Disclosed are various embodiments for an authentication manager. In one embodiment, the authentication manager performs an identity verification on a network site. The authentication manager determines that a particular portable data store is present in the client computing device, and then reads a security credential from the particular portable data store. The authentication manager automatically sends data encoding the security credential to the network site.

Abstract: Various embodiments comprise systems, methods, architectures, mechanisms, apparatus or protocols configured to provide seamless authentication of devices to secure networks via an Extensible Authentication Protocol (EAP) using credentials based on device information and/or service information visible to third party mobile services providers.

Abstract: A method for recovering data. Identity factors are collected at a device, wherein hashes of the identity factors are configured to be stored at a server. A dynamic password is generated at the device based on the identity factors and a Salt generated by the server and configured to be delivered to the device. A selfie is captured of a user. The device generates a symmetric key used to encrypt the selfie. The symmetric key is encrypted using the dynamic password. The encrypted symmetric key and the encrypted selfie are stored on the server. One or more data items are stored on the server. The dynamic password is recoverable by presenting the plurality of identity factors that are hashed to the server. The symmetric key is recoverable using the recovered dynamic password. The data items are recoverable by presenting the symmetric key and a second selfie of the user.

Abstract: An end-to-end security communication method includes, when receiving a security key generation request packet from a first host, generating, by a communication controller, a security key for end-to-end security communication between the first host and a second host, transmitting the generated security key to each of the first host and the second host, and setting a forwarding rule for transmission of a packet destined for a Media Access Control (MAC) address of the first host or a MAC address of the second host to a first switch and a second switch connected respectively to the first host and the second host. According to the end-to-end security communication method, the communication controller performs the process of generating a security key that will be shared between hosts using Software Defined-Networking (SDN), so that MAC security communication technology can be applied to communication between hosts belonging to different networks.

Abstract: The user interface associated with the item is improved. The information processor 1 displays the first item display screen 22 in which the first item icons 221 corresponding to the types of the possessed items are displayed in a list correspondingly to the possessed number. The information processor 1 switches the second item display screen 23 to display in which the second item icons 231 corresponding to the possessed items are displayed in a list correspondingly to the expiration date when the first item icon 221 in the first item display screen 22 is operated by being pressed for a long time.

Abstract: Provided is a vehicle including: a communication unit configured to communicate with a user terminal; and a control unit configured to, upon receiving a response signal including terminal information of the user terminal from the user terminal, determine an authentication allowed time for authenticating the user terminal on the basis of the terminal information, generate user information including the terminal information and the authentication allowed time corresponding to the terminal information, and authenticate the user terminal on the basis of the generated user information.

Abstract: A device determines that a data breach of an application has been reported and determines that an individual has an account with the application based on identifying an association between an application identifier and a username the individual uses to access the application. The device receives, from a user device associated with the individual, password information used to access the application. The device uses the password information and usernames for a group of applications with which the individual has accounts to perform a login procedure for the group of applications to determine that login information for one or more of the applications includes the password information used to access the application affected by the data breach. The device provides, to the user device or another device, a recommendation to change the password information used to access the application and the one or more applications.

Abstract: The present teaching relates to method, system, medium, and implementations for authenticating a user. A first request is received to set up authentication information with respect to a user, wherein the first request specifies a type of information to be used for future authentication of the user. It is determined whether the type of information related to the user poses risks based on a reverse information search result. The type of information for being used for future authentication of the user is rejected when the type of information is determined to pose risks.

Abstract: It is presented a method for determining whether a user with a credential should be granted access to a physical space. The method is performed in an access control device and comprising the steps of: identifying the credential presented to the access control device; obtaining a set of at least one assignment of a permission, associated with the physical space, to external organisations from a database; determining a credential organisation being associated with the credential; and granting access when, and only when, the permission is assigned to the credential organisation.

Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device is configured to implement a first ledger node of a first cloud having a first set of cloud resources. The first ledger node of the first cloud is configured to communicate over one or more networks with a plurality of additional ledger nodes associated with respective additional clouds having respective additional sets of cloud resources, to monitor auditable information relating to cloud resources of the first cloud and cloud services provided by the first cloud, to associate the auditable information with one or more cloud service transactions, and to generate a cryptographic block characterizing the one or more cloud service transactions and the associated auditable information. The cryptographic block is entered into a blockchain distributed ledger collectively maintained by the first and additional ledger nodes.

Abstract: A method and system for operating an appliance scanner system. A device can maintain at least two isolated communication channels, one to connect to a configuration service and others for connecting to document processing and management services. This can enable the configuration service to reside outside of a secure network. Firewalls and policies can prevent content generated at the scanner from exiting the secure network and reaching the configuration service. To set up the scanner, it can be initiated and connect to the configuration service via a operations communication channel. The configuration service can then instruct the scanner how to connect to various document services through one or more generated content communication channels. Furthermore, document services can communicate validation information back to the scanner.

Abstract: A system and method for providing cyber defense for electronic identification, vehicles, ancillary vehicle platforms, and telematics platforms using blockchain. The vehicle may be a ground-based vehicle, air-based vehicle, roadable aircraft vehicle, sea-based vehicle, autonomous vehicle, or unmanned aerial vehicle. Wherein ancillary vehicle platforms may include, but not limited to, aviation platforms, urban air mobility platforms (UAM), and unmanned aircraft systems (UAS). The system and method include determining whether a user is an authorized operator of a vehicle, the vehicle including an external display of a digital license tag. If the user is determined to be an unauthorized operator of the vehicle, the system activates a primary kill switch which prevents the activation of the vehicle's digital license tag.

Abstract: A method and an associated device for detecting fraud during automatic face recognition, the method comprising the following steps: acquiring a first image of the face by means of a first sensor having a first field angle, and a second image of the face by means of a second sensor having a second field angle that is narrower than the first field angle; analyzing the first image to verify that there is no frame around the face; and analyzing the second image to verify that there is no moiré effect.

Abstract: Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Abstract: An embodiment provides data driven role permissions. Computer executable instructions are received. The computer executable instructions define a role behavior with respect to a process based on a data condition. A role member user is provided different types of interactions with different instances of the process based on execution of the computer executable instructions defining the role behavior.

Abstract: A system may generate a seed one-time password (OTP). The system may also perform steps including transmitting the seed OTP to a user device, receiving a response OTP from the user device, and calculating an expected response OTP by applying a function to the seed OTP. The system may then compare the response OTP to the expected response OTP and send a result in response to comparing the response OTP to the expected response OTP.

Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The host computer system may be configured to receive a request to communicate with a first network destination. On a condition that the first network destination is determined to be trusted, the processor may be configured to communicate with the first network destination via a first browser process executed in the workspace. On a condition that the first network destination is determined to be untrusted, the processor may be configured to communicate with the first network destination via a second browser process executed in the isolated computing environment.

Abstract: Methods and systems described herein may monitor, by a browser, activity of a user within a web page displayed by the browser. Based on detecting, by the browser, an attempt by the first user to perform a financial transaction with an online vendor and associated with a financial account, biometric information associated with the user may be captured by the browser. Based on the captured biometric information, the browser may determine whether the first user is authorized to perform financial transactions with the online vendor and associated with the financial account. Based on a determination that the user is not authorized to perform the financial transaction, the browser may modify at least one element of the webpage to block the user from performing the financial transaction with the online vendor.

Abstract: A profile downloading method and apparatus is provided for a terminal to download and install a profile in a communication system. The communication method of the terminal includes transmitting a first message including information on a profile to be received from a profile provision server; receiving a second message including information indicating whether an encryption code input is required and a first modified encryption code; generating, when the first modified encryption code is successfully authenticated, a second modified encryption code; transmitting to the profile provision server a third message including information requesting to the profile provision server for the second modified encryption code and profile download, and receiving a fourth message including information on the profile from the profile provision server.

Abstract: A method for a communication network in a motor vehicle, wherein data are transmitted in at least one communication path for communication in the communication network. Also disclosed is an electronic monitoring unit.

Abstract: A directional display apparatus including a directional display device that is capable of directing a displayed image into a viewing window of variable width is provided with a privacy control function. A control system detects the presence of one or more secondary viewers in addition to a primary viewer, and decides whether the one or more secondary viewers is permitted to view the displayed image. The control system directs a displayed image into a viewing window which is adjusted, for example by decreasing the width, in dependence on that detection. In addition, the control system detects relative movement between the primary viewer and the display device, and the width of the viewing window is increased in response to detection of said relative movement.

Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.

Abstract: Providing an end-to-end citizen engagement, in one aspect, may comprise obtaining data of multiple disintegrated sources from one or more of communication and social computing channels via one or more adapters. Data refactoring and management, integration and process orchestration of the data according to a data model as data attributes of the data model may be provided. One or more analytics may be performed based on the data attributes stored according to the data model and input specified to the one or more analytics. One or more results computed by performing the one or more analytics may be provided. One or more application logics supporting one or more front-end applications may be produced. One or more front-end applications for automated sensing of user activities and sensor-based individual assistant capability may be provided.

Abstract: Techniques for reviewing transaction information are provided. A reviewer computer can review transactions that are marked for review by a resource provider. The reviewer computer can review the transaction based on user information obtained from third party servers. The reviewer computer can also review the transaction based on historical transaction information obtained from a history database. The reviewer computer can aggregated the user information and the historical transaction information in order to generated a consolidated view.

Abstract: While managing private data in cognitive surveys, a method, system, and computer program product may deploy a set of gather agents. Access credentials for a plurality of participants may be obtained from an encrypted data store and verified. The set of gather agents may gather a set of target data associated with the plurality of participants, and the set of target data may be collected according to a set of policy criteria. It may be determined whether one or more participants of the plurality of participants has requested to review a subset of the target data, and those participants may be prompted to review the subset of target data. It may be determined whether the one or more participants rejected the subset of target data. The subset of target data may be filtered, and the filtered subset of target data may be posted to a results database.

Abstract: A device that includes a network interface configured to communicate with a remote database and a memory operable to store a set of applications. The device further includes an authentication engine implemented by a processor. The authentication engine is configured to receive log-in credentials for a user on a first application, to send a user information request to the remote database, and to receive user information in response to sending the request. The authentication engine is further configured to send a user profile information request to a second application and to receive user profile information in response to sending the request. The authentication engine is further configured to identify corresponding information between the user information and the user profile information, to determine that at least a portion of the corresponding information between the user information and the user profile information matches, and to authenticate the user in response to determination.

Abstract: In response to detected attempts to gain unauthorized access to user accounts of an online system, a security module of an online system applies an attack response policy to take actions in response to the attempts. Possible responses of the policy include reordering credential types requested by the online system during multi-factor authentication-enabled login, switching to a mode in which login requests are accepted but login is not permitted for the requesting user, and logging information about the login requests. Logged information may be applied to enhance the ability to prevent future unauthorized accesses, such as adding credential values to a list of common credential values and prohibiting users from associating those values with their accounts, or training a model based on the logged information to predict a probability that a given login request is unauthorized.

Abstract: There are provided systems and methods for vehicle identification and device communication through directional wireless signaling. A user's device may include a directional wireless transceiver that may be used to provide wireless signaling in a specific target direction. The user may direct the device at a particular vehicle, where the vehicle may has a transceiver located within or attached to the vehicle that responds to the particular wireless signaling. The vehicle's transceiver may respond to the device of the user with a unique identifier that allows for communication with the vehicle's operator. The unique identifier may therefore allow for message content to be sent directly to a device for the vehicle's operator, or may allow for a service provider to process the message. Additionally, the vehicle's operator may establish privacy settings for communications, which may be utilized to determine whether the message content will be provided to the device.

Abstract: Multiple profiles are received in association with a first user account in an asynchronous messaging system. One or more of the profiles are associated with other user accounts. The associated profiles are transmitted to user clients associated with the other user accounts for storage as a local copy. The association may include inclusion in a contact list of the first user, or a contact list of the other users. The associated profiles are transmitted when messages are sent from the first account to the other user clients, or the profiles are created or updated. A public profile may include a version identifier which is updated when the public profile is updated. Updates to local copies of the public profile at other user clients may occur only when a local copy of the associated version identifier indicates that the local profile is outdated, thereby reducing network traffic.

Abstract: A device and method to accurately detect list-based attacks without reducing the convenience for authorized users. An acquirer acquires information on accounts used for log-in trials to a plurality of websites. An analyzer calculates the degree of use of each account used in common for log-in trials to different websites in a predetermined period of time out of the accounts acquired by the acquirer and determine the log-in trials using the account to be attacks when the degree of use exceeds a predetermined threshold. A detector detects, as an attack, a log-in trial to the website using the same account as the account used for the log-in trials determined to be attacks by the analyzer.

Abstract: A method for operating an SDN-based mobile communication system, which includes a mobile network having a control plane and a data plane, with a network controller being implemented therebetween, includes: providing a control plane function that possesses information from an access network about location and/or proximity of devices and information about rules and/or policies for setting up sessions for the devices; and the network controller, by collaborative operations with the control plane function, selecting one or multiple data plane nodes that are, based on a particular device's request for session establishment, suitable to act as policy enforcement points for enforcing rules in the data plane that are for enabling connectivity for the particular device.

Abstract: A system and method comprising a server that automatically configures and sets up a restaurant's or business' information technology (IT) infrastructure, more specifically relating to point-of-sale devices (POS) and other networked devices such as scanners, tracking displays, and any other device that any business may use. Communication between the networked devices and the server is facilitated by a preconfigured router, wherein after initial communication with the server, the server may update firmware, operating parameters, and software packages of the preconfigured router and other networked devices.

Abstract: Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).