Management Patents (Class 726/6)
  • Patent number: 7650632
    Abstract: A password management solution which provides a user with convenient access to multiple resources (e.g. systems and services), and also provides the flexibility to establish varying password security requirements for each resource is disclosed. In an embodiment, there is provided a password registry for registering resources and securely storing user ID and encrypted password information. An unencrypted user-provided password may be encrypted by a process associated with each resource, using an encryption algorithm specific to that resource, before storage of the encrypted password in the password registry. An encrypted password retrieved from the password registry may be decrypted by a process associated with each resource using a decryption algorithm specific to that resource.
    Type: Grant
    Filed: March 25, 2004
    Date of Patent: January 19, 2010
    Assignee: International Business Machines Corporation
    Inventor: Donald J. Yantzi
  • Publication number: 20100011408
    Abstract: Implementing an organization-specific policy during establishment of an autonomous connection between computer resources includes evaluating a relative priority between default credentials and alternative credentials; and using the highest priority credentials to establish a connection between the computer resources. The alternative credentials are based on organization-specific policy and provide for autonomous connections between computer resources differently than the default credentials.
    Type: Application
    Filed: July 9, 2008
    Publication date: January 14, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anamitra Bhattacharyya, Ann Marie Fred, Hari H. Madduri, Thomas J. Sarasin, Sumit Taank
  • Publication number: 20100005518
    Abstract: A system and method of assigning access privileges in a social network includes a first step (100) of determining a vector of social network characteristics of a member of the social network. A next step (102) includes computing a distance between vectors of social network characteristics of the member and other members of the social network already having defined access privileges. An optional next step (104) includes deciding whether the distance is less than a threshold. A next step (106) includes assigning the member the same access privilege of another member of the social network having the smallest distance from the vector of the member.
    Type: Application
    Filed: July 3, 2008
    Publication date: January 7, 2010
    Applicant: MOTOROLA, INC.
    Inventors: Thomas M. Tirpak, Dennis T. Tsai
  • Publication number: 20100005517
    Abstract: A Content Sharing AS facilitates the sharing of IPTV content distribution sessions between users in an IMS network. A first user's request to share an ongoing IPTV session is routed to the Content Sharing AS, with a SIP URI of a second user with whom to share the content, identification of the desired content, and the Mcast address of the IPTV session. The Content Sharing AS joins the IGMP session group and sends the first user a SIP URI for the content and a unique authentication token. The first user sends the content URI and token to the second user, such as via a SMS message. The second user may then send an SIP INVITE message toward the URI, which the IMS system routes to the Content Sharing AS. The second user provides the authentication token, which the Content Sharing AS uses to authenticate the second user, and share the IPTV content.
    Type: Application
    Filed: July 2, 2008
    Publication date: January 7, 2010
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: George Foti
  • Publication number: 20100005520
    Abstract: Techniques for managing the exchange of contact information are provided. Requests to establish connections on social networks and/or exchange contact information between users are held in escrow. The level of contact information and/or social network information shared between the users is configurable on a per user basis. Users may define levels of contact information and social network information to be shared with others based on the type of contact. Spam protection may be provided by requiring that both parties consent to a connection request before connections between the users are established.
    Type: Application
    Filed: June 5, 2009
    Publication date: January 7, 2010
    Applicant: MeKey LLC
    Inventors: Kelly Abbot, Brian Jessup, Jon Gallagher, Craig Mautner
  • Publication number: 20100005516
    Abstract: A method and system for securing dynamic discovery of an enterprise computing infrastructure is provided. One implementation involves maintaining enterprise credential information in a secured trust store, receiving an access request through a secure connection for access to a remote infrastructure component, determining the type of the access request, for a root-level type access request, responding to the request via the secure connection with enterprise root credentials from the trust store, and for an unprivileged type access request, responding to the request via the secure connection with unprivileged access enterprise credentials from the trust store.
    Type: Application
    Filed: July 1, 2008
    Publication date: January 7, 2010
    Applicant: International Business Machines Corporation
    Inventors: Enrica Alberti, Luigi Pichetti, Marco Secchi, Antonio Secomandi
  • Publication number: 20100005515
    Abstract: Systems, methods and consumer-readable media for providing a platform between a requesting associate and an authenticating entity associate are provided. The method may include receiving a request for authentication from the requesting associate and transmitting the request to the authenticating associate. The method may include receiving a request for a single-use verification code from the authenticating associate in response to the request for authentication. The method may also include generating the single-use verification code, or, perhaps, retrieving the single-use verification code from storage and transmitting the single-use verification code to the authenticating associate. Once the requesting associate has received the code from the authenticating associate, the requesting associate may enter the code. The system may then display the identity of the requesting associate on a workstation associated with the authenticating associate.
    Type: Application
    Filed: July 1, 2008
    Publication date: January 7, 2010
    Applicant: Bank of America
    Inventors: Elizabeth S. Votaw, Robin K. Fowler
  • Publication number: 20100005519
    Abstract: A system for authenticating one-time virtual secret information includes a display device and an input device separated from each other, the display device having a central processing unit (CPU) and a memory and the input device having a CPU and a memory. An authentication server generates matching information, for display on the display device via a communication network. A user views this matching information and inputs the one-time virtual secret information to the input device. The input device then transmits the input one-time virtual secret information to the authentication server via a communication network, and the authentication server interprets the input one-time virtual secret information.
    Type: Application
    Filed: July 16, 2008
    Publication date: January 7, 2010
    Inventor: Byung-ryul Lim
  • Patent number: 7644434
    Abstract: A method of providing access to an authenticated user, and restricting access to an unauthorized user, of a computer system, is provided. The method includes determining whether a user is authenticated to access at least one resource included in the computer system. The method also includes establishing a session and a session identifier such that the user has access to the at least one resource if the user is authenticated to access the at least one resource. The method also includes changing the session identifier each time the user completes an interaction with the computer system during the session.
    Type: Grant
    Filed: April 25, 2003
    Date of Patent: January 5, 2010
    Assignee: Applied Identity, Inc.
    Inventors: Dennis Vance Pollutro, Andrew Almquist
  • Patent number: 7643479
    Abstract: A communication transfer apparatus and a communication transfer method can transfer communications at low cost without the need of requesting a global IP network to switch any port number. The local internet protocol address of the origin terminal of transfer described in a record relating to a transfer out of the records of the masquerade table that is utilized for an internet protocol masquerade is rewritten as the local internet protocol address of the destination terminal of transfer, while maintaining the global port number of the record.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: January 5, 2010
    Assignee: NEC Infrontia Corporation
    Inventors: Hidehiko Fujiwara, Naoki Mori
  • Patent number: 7644154
    Abstract: When a management PC (as an address information display device in an address information display system) displays IPv6 addresses that have been assigned to a device in the system, the addresses may be displayed in a pull-down menu, for example. The display order in the pull-down menu may be determined according to a priority order which can be set arbitrarily by the user. Further, addresses judged to be important (according to settings by the user) may be displayed using a bold font, local addresses may be displayed in italic, addresses close to the expiration of term of validity may be grayed out, and invalid addresses (addresses already expired) may be grayed out with strikethroughs. As a result, an address information display system may be realized that is capable of displaying addresses assigned to a device in a style easy for the user to understand.
    Type: Grant
    Filed: September 28, 2005
    Date of Patent: January 5, 2010
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Norio Tagawa, Naoki Otsuka
  • Publication number: 20090328168
    Abstract: The present invention relates to a method of registering a one-time-password user in a one-time-password terminal by the one-time-password terminal, in an environment including the one-time-password terminal loaded with a program for creating one-time-passwords in a plurality of modes, an authentication server for authenticating authenticity of the one-time-password user, a one-time-password server, and a one-time-password database server for storing information on the one-time-password user.
    Type: Application
    Filed: April 18, 2007
    Publication date: December 31, 2009
    Applicant: INITECH CO., LTD.
    Inventor: Changhee Lee
  • Publication number: 20090328154
    Abstract: This disclosure describes methods, systems, and application programming interfaces for creating a credential managed account. This disclosure describes creating a new password managed account, defining the password managed account, wherein the password managed account is to access a service on a managed computing device, identifying the password managed account for a lifecycle, and automatically managing the password managed account by updating and changing a password for the password managed account on a periodic basis.
    Type: Application
    Filed: June 25, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventors: Scott A. Field, Ramesh Chinta, Liqiang Zhu, Umit Akkus, Siddharth Bhai, Gopinathan Kannan, James J. Simmons, Qi Cao, Paul Miller, Ryan Fairfax, Alexandru Hanganu
  • Publication number: 20090328167
    Abstract: A method for controlling access to a communication network such as a Wi-Fi network includes a user device (1) transmitting a network access request including an access token in at least one field of an authentication exchange. An access control server (4) determines a network access credit corresponding to the token, and allows access by the user device (1) to the network in real time to the extent of the credit. The authentication fields may be username and password fields under the RADIUS protocol. A network access server (2) processes the authentication field without recognising that it contains a token. It passes the network access request to a RADIUS authentication server (3), which in turn routes it to the access control server (4) again without recognising that the authentication fields include tokens. The invention therefore achieves real time network access without need for modification of network access servers or authentication servers.
    Type: Application
    Filed: August 1, 2007
    Publication date: December 31, 2009
    Inventor: Donal O'Mahony
  • Publication number: 20090328166
    Abstract: An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can “manage” personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also act as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.
    Type: Application
    Filed: April 29, 2008
    Publication date: December 31, 2009
    Applicant: NOVELL, INC.
    Inventors: Lloyd Leon Burch, Daniel S. Sanders, Andrew A. Hodgkinson, Stephen R. Carter
  • Publication number: 20090327560
    Abstract: A personal media player is arranged to capture information, such as wireless network information (including network ID and key) and other kinds of information such as credentials (e.g., user name and password), and then share the information with a wireless networkable device when the player is physically coupled to the device in a docking process. When the personal media player is docked, the information is automatically transferred from the player to the device to enable the device to perform some action without any additional effort by the user. This could include, for example, discovering and being securely admitted to the wireless network, or accessing a remote service using the transferred credentials.
    Type: Application
    Filed: June 29, 2008
    Publication date: December 31, 2009
    Applicant: MICROSOFT CORPORATION
    Inventor: Mark Yalovsky
  • Publication number: 20090328165
    Abstract: A method and apparatus are provided to allow a user of a communications device to utilize one-time password generators for two-way authentication of users and servers, i.e., proving to users that servers are genuine and proving to servers that users are genuine. The present invention removes the need for a user to have a separate physical device, e.g., token, per company or service, reduces the cost burden on the companies and allows for two-way authentication via multiple access methods, e.g., telephone, web interfaces, automatic teller machines (ATMs), etc. Also, the present invention may be utilized in consumer and enterprise applications.
    Type: Application
    Filed: April 3, 2007
    Publication date: December 31, 2009
    Inventors: Debra L. Cook, Vijay K. Gurbani, Maarten Wegdam
  • Publication number: 20090320107
    Abstract: A method of controlling access to an interaction context of an application, including receiving login requests pertaining to an access account, each login request including a login password to be matched against an access password associated with the access account. A database includes at least one account record including a password state field indicating whether the access password is a temporary password or a permanent password and a security hold field indicating whether a security hold has been placed on the access account by an administrator. Access is denied upon receipt of a login request when the login password fails to match the access password. Access is denied upon receipt of a login request when the login password matches the access password, the password state field indicates that the access password is a permanent password, and the security hold field indicates that there is a security hold on the access account.
    Type: Application
    Filed: June 12, 2008
    Publication date: December 24, 2009
    Inventor: Francisco Corella
  • Publication number: 20090320111
    Abstract: Aspects for secure access and communication of information in a distributed media network may include detecting when a legacy media peripheral is connected to a PC and/or a media processing system on the distributed media network. One or more identifiers associated with the legacy media peripheral may be established and utilized to facilitate communication of the legacy media peripheral over the distributed media network. At least one legacy media peripheral identifier and at least one identifier of a user utilizing the legacy media peripheral may be requested. The legacy media peripheral identifier may be a serial number of the legacy media peripheral, while the user identifier may be a user password and/or a user name. Media peripheral association software may be executed on the PC and/or the media processing system and utilized for media peripheral association and authentication in accordance with various embodiments of the invention.
    Type: Application
    Filed: August 27, 2009
    Publication date: December 24, 2009
    Inventors: Jeyhan Karaoguz, James Bennett
  • Publication number: 20090320109
    Abstract: Architecture for generating a temporary account (e.g., an email address) with a user-supplied friendly name and a secret used to sign the temporary account. For example, when a user wishes to create a temporary email address to use with an online organization, a friendly name is provided and the system generates a temporary email address including the friendly name. A signing component signs the temporary email address with a secret. One or more of these secrets can be provisioned prior to the user's creation of a friendly name, which eliminates propagation delay. During use, only incoming email messages having the temporary email address signed with the secret are validated. When the user revokes the temporary email address, the secret is revoked and the revocation is propagated to network gateways, rejecting any email sent to that address.
    Type: Application
    Filed: June 22, 2008
    Publication date: December 24, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Charles R. Salada, Mayerber Carvalho Neto, Charlie Chung, Mayank Mehta
  • Publication number: 20090320110
    Abstract: A method is executed which is for managing the optional trusted components that are active within a device, such that the device itself controls the availability of trusted components. The device includes: a storing unit which stores a plurality of pieces of software and a plurality of certificates; a receiving unit which receives the certificates; and a selecting unit which selects one of the certificates. The device further includes an executing unit which verifies an enabled one of the plurality of pieces of software using the selected and updated one of the certificates.
    Type: Application
    Filed: June 15, 2009
    Publication date: December 24, 2009
    Inventors: Kenneth Alexander Nicolson, Hideki Matsushima, Hisashi Takayama, Takayuki Ito, Tomoyuki Haga, Manabu Maeda
  • Publication number: 20090320108
    Abstract: Technologies are described herein for generating and changing credentials of a service account. In one method, a credential schedule is retrieved. The credential schedule specifies when a plurality of credentials are scheduled to be changed. A determination is made whether a current credential associated with the service account is scheduled to be changed according to the credential schedule. Upon determining that the current credential is scheduled to be changed, at least part of a new credential is generated. The current credential is replaced with the new credential for the service account.
    Type: Application
    Filed: June 20, 2008
    Publication date: December 24, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Sean Lamont Grant Livingston, Chong Yu, Corey Michael Roussel
  • Patent number: 7636937
    Abstract: Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.
    Type: Grant
    Filed: January 11, 2002
    Date of Patent: December 22, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Partha Bhattacharya, Shigang Chen
  • Publication number: 20090313467
    Abstract: A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients.
    Type: Application
    Filed: August 25, 2009
    Publication date: December 17, 2009
    Applicant: International Business Machines Corporation
    Inventors: Barry D. Atkins, David O. Melgar, Anthony Nadalin, Ajamu A. Wesley
  • Publication number: 20090313477
    Abstract: The present invention provides a Digital Video Recorder (DVR) server and a method for controlling access to a monitoring device in a network-based DVR system, which only performs a user authentication in the DVR server and allows a direct access to a video providing unit by using an authentication token acquired from the authentication procedure, so that traffic of the DVR server can be reduced to maintain security while providing a smooth monitoring service.
    Type: Application
    Filed: June 29, 2007
    Publication date: December 17, 2009
    Inventors: Ran Kyoung Park, Gwang Soek Jeon, Sung Bong Cho, Bo Kyun Jeoung
  • Patent number: 7634803
    Abstract: An extensible token framework is provided for identifying purpose and behavior of run time security objects. The framework includes a set of marker token interfaces, which extends from a default token interface. A service provider may implement one or more marker token interfaces for a Subject or a thread of execution. A service provider may also implement its own custom marker tokens to perform custom operations. The security infrastructure runtime recognizes behavior and purpose of run time security objects based on the marker or custom marker token interfaces the token implements and handles the security objects accordingly.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: December 15, 2009
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Patent number: 7634804
    Abstract: An information providing system which includes: an IC card; a settlement center which monitors and holds contents information of the IC card, and upon receiving the contents information readout request, provides the information held therein to the requesting party; communication networks; an information center which, upon receiving a contents information request, outputs a contents information readout request to the settlement center and requests contents information of the IC card, and upon receiving the contents information, transmits this to the communication networks; and a communication terminal which transmits a contents information request to an information center, and upon receiving the contents information of the IC card transmitted from the information center, displays the contents information on a display unit.
    Type: Grant
    Filed: November 16, 2005
    Date of Patent: December 15, 2009
    Assignee: Sony Corporation
    Inventor: Tatsuo Itabashi
  • Publication number: 20090307574
    Abstract: A method for facilitating an exchange of information anonymously comprising one or more individuals registering with a server and supplying information about one or more other individuals or entities in the form of a report that is stored on the server. Users of the system then search the reports for information about the one or more other individuals or entities. After completing a search, users receive the information about the one or more individuals or entities from the server and review the information to determine if contact should be made with the author of any of the reports. If such contact is desired the user through the system communicates anonymously with the author of any of the reports.
    Type: Application
    Filed: July 22, 2009
    Publication date: December 10, 2009
    Inventor: Kristian Padborg
  • Patent number: 7631189
    Abstract: An apparatus for recording additional information hard to analyze in an information recording medium, a reproducer, a recording medium, a method, and a computer program for the same are provided. Bit values set at a plurality of DC control bit information setting positions set in a recording frame are decided based on constituent bit information of additional data, and additional data such as key information used for decoding contents is recorded in the information recording medium. In the reproducer, the additional data constituent bit information can be acquired by detecting the bit position set at a selected DC control bit storage position in the additional data-associated recording frame. With the configuration, it is possible to embed additional information such as key information used for decoding contents, key production information, contents reproduction control information, and copying control information with a format hard to analyze and also to accurately read out for data reproduction.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: December 8, 2009
    Assignee: Sony Corporation
    Inventors: Tsutomu Ichinose, Yoichiro Sako
  • Patent number: 7631193
    Abstract: The invention authorizes an individual's access to computer networks from a comparison of an individual's biometric sample gathered during a bid step with at least one biometric sample gathered during a registration step and stored at a host system data processing center. The invention comprises a host system data processing center with means for comparing the entered biometric sample, and is equipped with various databases and memory modules. Furthermore, the invention is provided with: at least one biometric input apparatus; at least one terminal to provide information for execution of the requested transactions and transmissions by the host system once the identity of the individual is determined; and at least one computer network to which the individual seeks access. The invention is also provided with means for connecting the host system with the terminal and the biometric input apparatus.
    Type: Grant
    Filed: January 23, 2002
    Date of Patent: December 8, 2009
    Assignee: YT Acquisition Corporation
    Inventor: Ned Hoffman
  • Publication number: 20090300743
    Abstract: Methods and systems for user authentication are provided according to the embodiments of the invention. The method mainly includes: sending, by a management station, an authentication request message of an authentication protocol to a managed device via a management protocol, and sending user authentication information to the managed device; and authenticating the user by the managed device via the authentication protocol or an authentication server based on the received user authentication information, and returning an authentication acknowledgement message of the authentication protocol carrying the authentication result to the management station via the management protocol. The system mainly includes a management station and a managed device; or, a management station, a managed device and a backend authentication server. With the present invention, methods and systems for user authentication with a good extensibility and a widened application are provided.
    Type: Application
    Filed: July 29, 2009
    Publication date: December 3, 2009
    Applicant: Huawei Technologies Co., Ltd.
    Inventors: Yuzhi Ma, Fuyou Miao
  • Publication number: 20090300742
    Abstract: An identity selector manages the identity requirements of an online interaction between a user and a service provider environment. The identity selector is adapted for interoperable use with a user-portable computing device. The user device enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The identity selector includes an agent module that facilitates communication with the user device. The identity selector imports the user identities from the user device and determines which user identities satisfy a security policy of a relying party. After the user selects one of the eligible user identities, the identity selector generates a token request based on the selected identity and forwards it to the user device, which in response issues a security token. The security token is returned to the identity selector and used to facilitate the authentication process.
    Type: Application
    Filed: May 27, 2009
    Publication date: December 3, 2009
    Applicant: Open Invention Network LLC
    Inventor: Gail-Joon Ahn
  • Publication number: 20090300738
    Abstract: A method of generating an authentication token using a cryptographic based application downloaded to a mobile telephony device and a method of authenticating an online transaction using such a token. The method may be employed in a two factor authentication method utilising a user password and an authentication token. The method allows a two factor authentication method to be provided by a wide range of mobile telephony devices operating either online or offline. Other authentication systems and methods of authentication are also disclosed.
    Type: Application
    Filed: June 14, 2007
    Publication date: December 3, 2009
    Applicant: FRONDE ANYWHERE LIMITED
    Inventors: Caroline Mostyn Dewe, Horatiu Nicolae Parfene, Antony John Williams, Sergio Alvarez Diaz, Jonathan Paul Ide
  • Publication number: 20090300739
    Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.
    Type: Application
    Filed: May 27, 2008
    Publication date: December 3, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Nir Nice, Oleg Ananiev, John F. Wohlfert, Amit Finkelstein, Alexander Teplitsky
  • Publication number: 20090300740
    Abstract: In wireless networking, such as per the IEEE 802.11 standard, a technique automatically republishes an authentication credential to a global credential repository. A station can have a first credential, as is created when the station connects to a first access node of a wireless network. Upon trying and failing to connect to a second access node of the wireless network, the station can have a second credential created and published to the global credential repository. In some situations, the station then roams back to the first access node using the first credential. Efficiently, when the station uses the first credential at the first access node, the first credential can be automatically republished as a global credential. The automatic republishing of the first credential can ensure that the station is able to access the wireless network via various access nodes when roaming.
    Type: Application
    Filed: May 30, 2008
    Publication date: December 3, 2009
    Applicant: Trapeze Networks, Inc.
    Inventors: Vineet Verma, Sudheer P. Matta
  • Publication number: 20090300352
    Abstract: An apparatus and a method for an authentication protocol. In one embodiment, a server generates a sequence number, and a server message authentication code based on a server secret key. The server sends the sequence number, an account identifier, and the server message authentication code to the client. The client generates a client message authentication code over the sequence number, a request specific data, and a shared secret key between the client and the server. The client sends a request to the server. The request includes the sequence number, the account identifier, the server message authentication code, the request specific data, and the client message authentication code. The server determines the validity of the client request with the shared secret key.
    Type: Application
    Filed: May 29, 2008
    Publication date: December 3, 2009
    Inventor: James Paul Schneider
  • Publication number: 20090300741
    Abstract: A method of granting access to a computing system includes: receiving a connection request from a remote computing system; generating a first message indicating a session identification number and an access number; receiving the session identification number from a telephone system; performing a verification of the session identification number; and granting access to the computing system based on the verification of the session identification number.
    Type: Application
    Filed: June 3, 2008
    Publication date: December 3, 2009
    Applicant: International Business Machines Corporation
    Inventors: Jason Greenwood, Rob G. Jansen, Erica C. Loppnow, Taylor L. Schreck, Robert F. Stark
  • Patent number: 7627895
    Abstract: A token issuer and an authentication device provide an identity confirmation device. A token issuer is programmable by a central identity provider to issue certification tokens for use in e-commerce whereby transactions can be certified with suppliers without need for additional communication with a central server.
    Type: Grant
    Filed: March 21, 2005
    Date of Patent: December 1, 2009
    Assignee: British Telecommunications plc
    Inventors: Maurice M Gifford, Nicholas H Edwards, Paul J Kearney
  • Publication number: 20090293108
    Abstract: A computer implemented method, a computer program product, and a data processing system manage a set of federated log-in authentications at secure web sites. A client logs into a security context using a first alias from a list of existing federated single sign-on authentication aliases associated with an account. Responsive to logging into the security context, the client can receive the list of existing federated single sign-on authentication aliases. The client can then manage the list of authentication aliases.
    Type: Application
    Filed: May 20, 2008
    Publication date: November 26, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Shane Bradley Weeden
  • Publication number: 20090293109
    Abstract: An approach is provided for a method including initiating an information distribution session based on instructions from a first participant of a plurality of participants. The method also includes assigning access information and a passcode to the information distribution session, receiving posting information sent from two or more active participants of the plurality of participants using the access information with the passcode, and transmitting to the active participants the posting information of other active participants.
    Type: Application
    Filed: May 22, 2008
    Publication date: November 26, 2009
    Applicant: MCI Communications Services, Inc.
    Inventor: Andrew Chu
  • Publication number: 20090290715
    Abstract: An exemplary method includes receiving a request to register a peer in a peer-to-peer system; generating or selecting a transaction key for the peer; storing the transaction key in association with registration information for the peer; transmitting the transaction key to the peer and, in response to a request to perform a desired peer-to-peer transaction by another peer, generating a token, based at least in part on the transaction key. Such a token allows for secure transactions in a peer-to-peer system including remote storage of data and retrieval of remotely stored data. Other exemplary techniques are also disclosed including exemplary modules for a peer-to-peer server and peers in a peer-to-peer system.
    Type: Application
    Filed: May 20, 2008
    Publication date: November 26, 2009
    Applicant: Microsoft Corporation
    Inventors: Anton Mityagin, Denis X. Charles, Kristin E. Lauter
  • Publication number: 20090293110
    Abstract: An upload apparatus includes: an outputter configured to output a code image including information of an ID and a password necessary for uploading content onto a network; and an uploader configured to upload the content onto said network by use of said code image outputted by the outputter.
    Type: Application
    Filed: May 20, 2009
    Publication date: November 26, 2009
    Applicant: Sony Corporation
    Inventor: Tadaharu Koga
  • Publication number: 20090292806
    Abstract: A management system for remote services may use an administrative server within a local area network to manage the remote services for many manageable entities. The administrative server may connect to a clearinghouse server outside the local area network to obtain information about available remote services and to consolidate some operations for interfacing to the remote services. In some embodiments, the clearinghouse server may act as a proxy for many different remote services and may enable some functions to be aggregated across different remote services, such as billing, authentication, provisioning, and other functions. The administrative server may configure the managed entities to access the remote services as well as other functions.
    Type: Application
    Filed: May 22, 2008
    Publication date: November 26, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Adam C. DePue, Paul R. Fitzgerald, Kevin T. Kean, Neil Fishman, Sean D. Daniel
  • Publication number: 20090293111
    Abstract: A method of authenticating an identity of a user includes launching a user interface and obtaining biometric data of a user at the user interface. The method further includes comparing the biometric data of the user to stored biometric information of the user that was previously obtained during an enrollment process.
    Type: Application
    Filed: May 26, 2009
    Publication date: November 26, 2009
    Inventors: Yau S. Lai, Rodney P. Meli, Stephen J. Nation, Ron L. Nation, Ann W. Shaffer
  • Patent number: 7624430
    Abstract: A method that accesses a data processing system formed from data processing units that are networked, and enables a system technician to access protected data according to the two-person principle is provided.
    Type: Grant
    Filed: November 9, 2004
    Date of Patent: November 24, 2009
    Assignee: Siemens Aktiengesellschaft
    Inventors: Carlos Henrique Arglebe Gilek, Gerd Schmidt
  • Patent number: 7624423
    Abstract: A method for using a policy for software distribution to computer systems on a computer network is disclosed. A first policy for software distribution is created. Software is provided on a first computer system to be distributed to a second computer system. The first policy to be used in distributing the software is identified. The software to be distributed is identified. The software to computer systems or groups is distributed.
    Type: Grant
    Filed: January 20, 2005
    Date of Patent: November 24, 2009
    Assignee: LANDesk Software, Inc.
    Inventor: David A. Eatough
  • Patent number: 7624277
    Abstract: Methods for preventing unauthorized scripting. The invention generates a human interactive proof to distinguish a human from a machine by generating a random set of characters and altering each of the characters individually to inhibit computerized character recognition. The invention also includes concatenating the altered characters into a character string to be rendered to a user as a test. The character string may be altered to further inhibit computerized character recognition. Other aspects of the invention are directed to computer-readable media for use with the methods.
    Type: Grant
    Filed: February 25, 2003
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Patrice Y. Simard, Richard Stephen Szeliski, Josh Benaloh, Iulian D. Calinov, Julien D. Couvreur
  • Patent number: 7624432
    Abstract: Provided are a method, a system, an article of manufacture, and a computer program product, wherein a first indicator is stored for a first entity, and wherein the first indicator identifies groups to which the first entity belongs and operations associated with the groups. The first entity receives a second indicator from a second entity, wherein the second indicator indicates privileges granted to the second entity for at least one operation on at least one group. A determination is made locally by the first entity, whether an operation requested by the second entity is to be executed by the first entity, based on a comparison of the second indicator to the first indicator.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: November 24, 2009
    Assignee: International Business Machines Corporation
    Inventor: Douglas Andrew Wood
  • Patent number: 7624264
    Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Publication number: 20090288153
    Abstract: An information processing apparatus that can easily and safely transmit data. A registering unit registers first authentication information in association with user information indicating a first user. The first authentication information is necessary for the first user to log on to the information processing apparatus. A generating unit generates an address data that is used to transmit data from an external apparatus to the information processing apparatus and includes the user information and second authentication information. A transmitting unit transmits the address data to the external apparatus. An authenticating unit authenticates by utilizing the second authentication information included in the address data when the data is transmitted based on the address data from the external apparatus. A storing unit stores the received data in association with the first user when the authentication by the authenticating unit succeeds.
    Type: Application
    Filed: May 15, 2009
    Publication date: November 19, 2009
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Toshiyuki Nakazawa