Usage Patents (Class 726/7)
-
Patent number: 8887255
Abstract: In some examples, a method of authenticating is described. The method may include sending first repair parameters representing one or more first repair operations applied to a first marked image to generate a first repaired image to a first entity. The method may also include receiving, from the first entity, a second repaired image. The method may also include authenticating the first entity when the second repaired image received from the first entity matches the first repaired image.
Type: Grant
Filed: March 16, 2012
Date of Patent: November 11, 2014
Assignee: Empire Technology Development LLC
Inventor: Haruto Hirose
-
Patent number: 8887256
Abstract: Providing virtual private network (VPN) sessions or other types of secure or private access to data when a client authorized to access the data travels or otherwise roams from a home network to a partner network is contemplated. The VPN session may be established as part of or as a result of an authentication process undertaken by the client when gaining access to the partner network, such as but not necessarily limited to a home network authentication process undertaken at the partner network to authenticate the client to access partner network services.
Type: Grant
Filed: June 28, 2012
Date of Patent: November 11, 2014
Assignee: Cable Television Laboratories, Inc.
Inventors: Vikas Sarawat, Jennifer Andreoli-Fang, Stuart Hoggan
-
Patent number: 8887254
Abstract: A database system comprising: a memory containing multiple data records, wherein each of the data records has a data record asymmetric key pair for cryptographic encryption and decryption, wherein each data record asymmetric key pair comprises a data record public key and a data record private key, wherein the data contained in each of the multiple data records is encrypted by the data record public key, wherein the data record private key of each data record asymmetric key pair is encrypted with the public key of another asymmetric key pair; a set of user accounts, wherein each of the user accounts has a user asymmetric key pair for encryption and decryption, wherein each user asymmetric key pair has a user public key and a user private key; wherein data is added to a data record by encrypting it with the data record public key; wherein access to the data record is granted to a user account by encrypting the data record private key with the public key of an asymmetric cryptographic key pair whose encrypted p
Type: Grant
Filed: December 15, 2010
Date of Patent: November 11, 2014
Assignee: Compugroup Medical AG
Inventors: Adrian Spalka, Jan Lehnhardt
-
Patent number: 8887253
Abstract: Discussed is a method of operating a CPNS (converged personal network service) gateway apparatus. The method includes transmitting a registration request message including user information to a server; transmitting an installation request message including the user information to a terminal; generating first authentication data on the basis of authentication information received by a user input; transmitting a trigger message including the first authentication data to the terminal; receiving a key assignment request message including second authentication data from the terminal in response to the trigger message; transmitting the received key assignment request message to the server; receiving a key assignment response message including a user key for the terminal in response to the key assignment request message; and transmitting the received key assignment response message to the terminal.
Type: Grant
Filed: September 28, 2011
Date of Patent: November 11, 2014
Assignee: LG Electronics Inc.
Inventors: Younsung Chu, Jihye Lee
-
Publication number: 20140331298
Abstract: A method for securely transmitting medical data to and from a remote location includes configuring a first electronic computing device with provisioning information to access a firewall-protected electronic data network. Medical data is received at the first electronic computing device from a second electronic computing device. The medical data is transmitted to the firewall-protected electronic data network using the first electronic computing device. The provisioning information permits a secure connection between the second electronic computing device and a third electronic computing device on the firewall-protected electronic data network.
Type: Application
Filed: May 6, 2013
Publication date: November 6, 2014
Applicant: Welch Allyn, Inc
Inventors: Steven D. Baker, Bill Jay Quatier
-
Publication number: 20140331273
Abstract: An application launcher is disclosed for retrieving and permitting launch of multiple mobile applications through a single, secure authentication process, and a method of use. The method includes receiving a request to launch one or more applications through a single authentication process. The method further includes authenticating a user through an application launcher. The method further includes appending a security token to one or more applications upon authentication of the user to enable the user to launch the one or more applications through the single authentication process provided by the application launcher.
Type: Application
Filed: May 3, 2013
Publication date: November 6, 2014
Applicant: Kony Solutions, Inc.
Inventors: RAJ KUMAR KONERU, PATTABHI RAMA RAO DASARI, PRAJAKT DESHPANDE, RAJENDRA KOMANDUR, SRIRAM RAMANATHAN, MATTHEW TERRY, MATTHEW TREVATHAN, SATHYANARAYANA VENNAPUSALA
-
Publication number: 20140331299
Abstract: In accordance with embodiments, there are provided mechanisms and methods for managing a risk of access to an on-demand service as a condition of permitting access to the on-demand service. These mechanisms and methods for providing such management can enable embodiments to help prohibit an unauthorized user from accessing an account of an authorized user when the authorized user inadvertently loses login information. The ability of embodiments to provide such management may lead to an improved security feature for accessing on-demand services.
Type: Application
Filed: July 19, 2014
Publication date: November 6, 2014
Inventors: Forrest A. Junod, Robert C. Fly, Peter Dapkus, Scott W. Yancey, Steven S. Lawrance, Simon Z. Fell
-
Publication number: 20140331300
Abstract: In various exemplary embodiments, a system and associated method for providing a hybrid cloud computing environment are disclosed. For example, a system may authorize an enterprise user based on an enterprise identity. Once authenticated, embodiments may use mapping data and a cloud role to determine an identity to use when the enterprise user accesses a cloud.
Type: Application
Filed: July 21, 2014
Publication date: November 6, 2014
Inventor: Richard Sinn
-
Publication number: 20140331297
Abstract: A method of authentication and accessing resources is provided. A client device may send a request to a proxy device to access a resource, such as an enterprise resource. The proxy device may authenticate with one or more servers associated with the resource. During authentication, the proxy device may receive a request for a signature controlled by the client device. In response, the proxy device may send a request to the client device for the signature. The request may also include context information that identifies a data structure of authentication information exchanged (or to be exchanged) during the authentication session. If the client device verifies the context information, the client device may send the requested signature.
Type: Application
Filed: May 3, 2013
Publication date: November 6, 2014
Inventors: Andrew Innes, Chris Mayers
-
Patent number: 8881252
Abstract: The present invention provides, in one aspect, a system and method for managing authentication tokens that operate across multiple types of physical resources binding the tokens to one or more external electronic Identity Providers; generating tokens; authenticating the tokens at multiple physical resources; managing access to physical resources by linking the tokens to the electronic identities; translating the tokens to the appropriate physical token type based on infrastructure services available at the point of service; validating tokens at the physical resource; tracking and conveying usage information; and making use of social group relationships and other data defined by individual usage to, among other things, simplify the process of granting user-generated credentials to persons connected to a given individual via the Identity Provider or an external social network, for example.
Type: Grant
Filed: March 14, 2014
Date of Patent: November 4, 2014
Assignee: Brivo Systems, Inc.
Inventors: Steven Van Till, Eoin Cosgrave, Rohit Seth
-
Patent number: 8881227
Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for invocation of a secure web container which may display data representative of a requesting party's application at a user's machine. The secure web container is invoked upon receipt of an API call from the requesting party. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable web container), insulating the user and requesting parties from the threats associated with being online for the purposes of providing secure, policy-based interaction with a requesting party's online services.
Type: Grant
Filed: March 15, 2013
Date of Patent: November 4, 2014
Assignee: Authentic8, Inc.
Inventors: Ramesh Rajagopal, Scott M. Petry, James K. Tosh, Jr., Peter K. Lund, Fredric L. Cox, Adam P. Moore
-
Patent number: 8881250
Abstract: Systems and methods for passporting credentials provide a mechanism by which a native app on a client device can invoke a service provider's core web site web addresses (URL) while keeping the existing session active and shared between the two experiences (native app and web flow) so that the end user does not need to re-login at each context switch. The mechanism can include a unique way for the web flow context to communicate conditions and pass control back to the native app context of the shared session.
Type: Grant
Filed: June 17, 2011
Date of Patent: November 4, 2014
Assignee: Ebay Inc.
Inventors: Igor Yefimov, Scott Atwood
-
Patent number: 8881244
Abstract: An approach for authorizing access to computing resources (e.g., electronic files) based on calendar events (e.g., meetings of a user) in a networked computing environment (e.g., a cloud computing environment) is provided. A portion/segment (e.g., private cloud) of the networked computing environment may be designated for storing at least one electronic file to be shared (e.g., as stored in a computer storage device associated with the portion). The portion of the networked computing environment may then be associated (e.g., graphically) with an electronic calendar entry (e.g., a meeting having a set of attendees). Based on the calendar entry, a set of users (e.g., the meeting attendees) authorized to access the at least one electronic file may be determined based on the electronic calendar entry. Thereafter, access (e.g., related permissions) to the at least one electronic file may be authorized for the set of users.
Type: Grant
Filed: August 13, 2012
Date of Patent: November 4, 2014
Assignee: International Business Machines Corporation
Inventors: Kulvir S. Bhogal, Lisa Seacat DeLuca, Robert R. Peterson
-
Patent number: 8879382
Abstract: A system is configured to: receive a message from a gateway device; identify one or more sessions corresponding to an identifier included in the message; and clear the one or more corresponding sessions. The identifier may correspond to a part of the gateway device where a session is stored or maintained for a mobile device to connect to a server device.
Type: Grant
Filed: December 30, 2010
Date of Patent: November 4, 2014
Assignee: Juniper Networks, Inc.
Inventors: Venkatesh Badakere Ramachandra, Apurva Mehta, Jagadishchandra Sarnaik, Gazal Sahai, Roopa Bayar, Rohini Kasturi, Ram Prasad, Sreenivasa Tellakula, Vitaly Dzhitenov
-
Patent number: 8881251
Abstract: A method and system for user authentication uses photos, pictures, images, pictures of words, logos, graphics, icons, or pictures of colors (graphical elements) as password elements (graphical password) to gain access to a secure platform, section of a platform, specific content, website, computer, mobile device or other electronic device (secure content). The method and system provide the creation, use in authentication and maintenance of the graphical password. Graphical password creation is initiated through user selection and platform storage of a subset of one or more platform provided or user provided graphical elements (secret graphical elements). The graphical elements are photos, pictures or images that are memorable to the user and are from within one or more relevant categories, e.g. colors, playing cards, animals. A graphical user interface (GUI) having virtual dials, wheels, reels or keypads to display images is used to implement the login/authentication process.
Type: Grant
Filed: February 22, 2013
Date of Patent: November 4, 2014
Assignee: RememberIN, Inc.
Inventor: Stuart Hilger
-
Patent number: 8881274
Abstract: Disclosed are a method and a system for synchronizing and providing data requiring digital rights protection, to a portable device, wherein a contents providing server is connected with a contents synchronization server to which the portable device is connected.
Type: Grant
Filed: November 14, 2013
Date of Patent: November 4, 2014
Assignee: Intellectual Discovery Co., Ltd.
Inventors: Sung Min Ahn, Wan Ho Jang, Woon Sang An, Sang Hyun Lee
-
Publication number: 20140325627
Abstract: A system and method for authenticating user requests issued from embedded applets running on web-accessible user devices. The server system generates authentication tokens associated with user credentials, in response to user requests for HTML pages that include the embedded applets. The server system stores the authentication tokens on the server system, and includes the authentication tokens in URLs within applet tags in the HTML pages returned to the user devices. When the applets download and request content from the server system, the applets supply the previously included authentication tokens in the URLs that identify the requested content. Upon finding a match between the applet-supplied authentication tokens and the stored authentication tokens, the server identifies the user as a trusted user, and responds with the requested content. This can be used to eliminate HTTP-based authentication challenges for subsequent user access.
Type: Application
Filed: April 30, 2013
Publication date: October 30, 2014
Applicant: Sensormatic Electronics, LLC
Inventor: Paul Fee
-
Publication number: 20140325622
Abstract: The subject disclosure is directed towards securely synchronizing passwords that are changed at a source location (e.g., an on-premises directory service) to a target location (e.g., a cloud directory service), so that the same credentials may be used to log into the source or target location, yet without necessarily having each domain controller handle the synchronization. The plaintext password is not revealed, instead using hash values computed therefrom to represent the password-related data. The target may receive a secondary hash of a primary hash, and thereby only receive and store a password blob. Authentication is accomplished by using the same hashing algorithms at the target service to compute a blob and compare against the synchronized blob. Also described are crypto agility and/or changing hashing algorithms without requiring a user password change.
Type: Application
Filed: April 30, 2013
Publication date: October 30, 2014
Applicant: Microsoft Corporation
Inventor: Microsoft Corporation
-
Publication number: 20140325628
Abstract: Various embodiments provide methods, apparatus, and systems for logging in an application account. A request for logging in an application account sent from a first terminal can be received. It is detected if the first terminal can be included in frequently used terminals corresponding to the application account. First verification information can be sent to a second terminal bound with the application account, when it is detected the first terminal is not included in the frequently used terminals corresponding to the application account. Second verification information can be received from the first terminal to detect if the second verification information matches the first verification information. When it is detected that the second verification information matches the first verification information, the request for logging in the application account can be responded.
Type: Application
Filed: November 26, 2013
Publication date: October 30, 2014
Applicant: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
Inventors: TIANQING HUANG, XINQI LIU, JINFU DENG, YINGXIA LIN, ZHENAN GUAN, HAO ZHOU, MING ZENG, YUEJUN LIU
-
Publication number: 20140325629
Abstract: Disclosed herein is a computer-implemented system and method for hosting companies to offer a service of securely retrieving, storing and distributing critical documents for their clients. This can be done for the client by a hosting company administrator on a company administrative site, or by the hosting company's client, the end user, through a private labeled interface provided by a hosting company, via a hosting company's private label entry page. Additionally, the hosting company can administer many functions of the client's accounts through a series of Batch Interfaces thereby working on multiple accounts and functionalities done via one batch function. Also disclosed is a computer-implemented method of permanently storing critical documents in an online retrieval, storage and distribution system created to act as an interface that has predesigned storage boxes, categories and subcategories allowing the client/hosting company to immediately use the system, not having to create a structure for storage.
Type: Application
Filed: March 17, 2014
Publication date: October 30, 2014
Applicant: SecureDock, LLC
Inventor: Donna Wertz
-
Publication number: 20140325630
Abstract: A method for providing multimedia data including receiving multimedia data, from a second user; determining user information relating to the second user; defining a first authenticity value based on the user information; determining multimedia data characteristics relating to the multimedia data; defining a second authenticity value based on the multimedia data characteristics; defining a multimedia data authenticity value using the first and the second authenticity value; and maintaining, by the operator, the received multimedia data associated with the multimedia data authenticity value, wherein the multimedia being available for a third user.
Type: Application
Filed: April 15, 2014
Publication date: October 30, 2014
Applicant: P2S Media Group Oy
Inventors: Petri RAHJA, Mark HALMAGIU, Jussi Pekka MARKULA
-
Patent number: 8875268
Abstract: Techniques are shown for executing a web browser on a client computing device and requesting access to applications available from a hosting server over a network in communication with the client device. The web browser stores authorization credentials for accessing designated applications available from the hosting server in a lockbox. A message received at the web browser provides instructions to lock all designated applications by rendering at least partially blanked-out or partially obscured visual displays for the designated applications, with no viewing of, access to, or operation on selected data within the designated applications permitted, while the locked designated applications remain logged-in. This Abstract is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
Type: Grant
Filed: August 9, 2012
Date of Patent: October 28, 2014
Assignee: Google Inc.
Inventors: Andrew Swerdlow, Luke Hiro Swartz
-
Patent number: 8873746
Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include a first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.
Type: Grant
Filed: January 28, 2010
Date of Patent: October 28, 2014
Assignee: Intel Corporation
Inventors: Men Long, Karanvir S. Grewal
-
Patent number: 8875234
Abstract: Methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a subscriber are disclosed. One method includes providing the subscriber with the trustworthy workspace, wherein the trustworthy workspace comprises a virtualized content repository with trustworthy workflows for storing, sharing and processing a digital content across a plurality of repositories. The method further includes allowing the subscriber authority to sub-provision the trustworthy workspace to one or more authorized parties, wherein only the one or more authorized parties can view or modify at least a portion of the digital content.
Type: Grant
Filed: March 12, 2013
Date of Patent: October 28, 2014
Assignee: PivotCloud, Inc.
Inventors: Roy Peter D'Souza, Jieming Zhu, Frank Salzmann, Bala Kaushik, Ronald Totah, James Chappell
-
Patent number: 8875267
Abstract: Active learning-based fraud detection techniques are provided in adaptive authentication systems. An authentication request from an authentication requestor is processed by receiving the authentication request from the authentication requester; comparing current data for the user associated with the user identifier with historical data for the user; generating an adaptive authentication result based on the comparison indicating a likelihood current user data is associated with a fraudulent user; and performing one or more additional authentication operations to improve learning if the request satisfies one or more predefined non-risk based criteria. The predefined non-risk based criteria comprises, for example, (i) the request receiving a riskiness score below a threshold based on current data and wherein the request was expected to have a risk score above a threshold, or (ii) the request being in a bucket having a number of tagged events below a threshold.
Type: Grant
Filed: June 29, 2012
Date of Patent: October 28, 2014
Assignee: EMC Corporation
Inventors: Eyal Kolman, Alon Kaufman, Yael Villa
-
Patent number: 8875245
Abstract: An authentication apparatus receives an authority delegating request from an apparatus, acquires information of authorities possessed by the user from a storage unit, presents information of the acquired authorities to the user, and receives an instruction indicating which of the authorities possessed by the user is delegated to the apparatus. A storage unit stores, when the instruction to delegate the authority to the apparatus is received, an identifier required to uniquely identify the instruction and the authority instructed by the user to delegate, in association with each other. Authentication information indicating delegation of the authority is transmitted to the apparatus based on the instruction from the user.
Type: Grant
Filed: September 8, 2011
Date of Patent: October 28, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Yu Tamura
-
Patent number: 8875263
Abstract: A technique controls a soft token running within an electronic apparatus. The technique involves providing an initial series of authentication codes based on a first set of machine states. The initial series of authentication codes is provided from the electronic apparatus to a server through a forward channel to authenticate a user. The technique further involves receiving a command from the server through a reverse channel between the electronic apparatus and the server. The reverse channel provides communications in a direction opposite to that of the forward channel. The technique further involves changing the first set of machine states to a second set of machine states in response to the command, and providing a new series of authentication codes based on the second set of machine states. The new series of authentication codes is provided from the electronic apparatus to the server through the forward channel for user authentication.
Type: Grant
Filed: March 29, 2012
Date of Patent: October 28, 2014
Assignee: EMC Corporation
Inventors: Marten van Dijk, Kevin D. Bowers, John G. Brainard, Samuel Curry, Sean P. Doyle, Michael J. O'Malley, Nikolaos Triandopoulos
-
Patent number: 8875257
Abstract: Methods, devices, and products provide for restricting access to mature content by individuals for whom access to the mature content is designated as inappropriate. A content filter receives a communication, determines that the communication includes an image, and extracts the image. The image is scanned for mature content. A content restrictor component restricts access by various classes of users to the mature content.
Type: Grant
Filed: December 11, 2012
Date of Patent: October 28, 2014
Assignee: Sprint Communications Company L.P.
Inventors: Andrew Mark Wurtenberger, Caleb Sisson Hyde, Clark Douglas Halferty
-
Patent number: 8875282
Abstract: The invention relates to a method of controlling access to a processing device using an access token with a machine readable identity. The method comprises reading the identity of the access token at the location of the processing device and querying a database comprising valid identities of access tokens, wherein each identity is associated with an access permission level. If the identity is a valid identity, the method further comprises determining the associated level of access and allowing a level of access to the processing device according to the associated access permission level. In some embodiments, the processing device is an Automated Teller Machine (ATM).
Type: Grant
Filed: March 30, 2009
Date of Patent: October 28, 2014
Assignee: NCR Corporation
Inventor: Colin A. Sinclair
-
Patent number: 8875266
Abstract: A virtualization system supports secure, controlled execution of application programs within virtual machines. The virtual machine encapsulates a virtual hardware platform and guest operating system executable with respect to the virtual hardware platform to provide a program execution space within the virtual machine. An application program, requiring license control data to enable execution of the application program, is provided within the program execution space for execution within the virtual machine. A data store providing storage of encrypted policy control information and the license control data is provided external to the virtual machine. The data store is accessed through a virtualization system including a policy controller that is selectively responsive to a request received from the virtual machine to retrieve the license control data dependent on an evaluation of the encrypted policy control information.
Type: Grant
Filed: May 16, 2008
Date of Patent: October 28, 2014
Assignee: VMware, Inc.
Inventors: Benjamin A. Chambers, Matthew D. Ginzton
-
Patent number: 8875128
Abstract: A host controller associates each virtual machine with at least one label from a hierarchy of labels, where each label represents a distinct virtual machine parameter. The host controller also associates a user with one or more roles and with one or more labels from the hierarchy of labels, where each role defines at least one action permitted to be performed with respect to virtual machines. The host controller further facilitates control over user actions pertaining to virtual machines based on the roles and the labels associated with the user.
Type: Grant
Filed: November 30, 2009
Date of Patent: October 28, 2014
Assignee: Red Hat Israel, Ltd.
Inventors: Vitaly Elyashev, Shahar Havivi
-
Patent number: 8875264
Abstract: Provided is an off-line two-factor user authentication system. The off-line two-factor user authentication system is designed to use, as a password, a one-time-password derivation rule to be applied to certain pattern elements included in a presentation pattern at specific positions so as to create a one-time password, and further use, as a second authentication factor, information identifying a client to be used by a user. A plurality of pattern seed values each adapted to uniquely specify a presentation pattern in combination with a client ID, and a plurality of verification codes corresponding to respective ones of the pattern seed values, are stored in an off-line two-factor authentication client. A presentation pattern is created based on a selected one of the pattern seed values and a client ID, and an entered one-time password is verified based on a verification code corresponding to the selected pattern seed value.
Type: Grant
Filed: October 5, 2010
Date of Patent: October 28, 2014
Assignee: CSE Co., Ltd.
Inventors: Shigetomo Tamai, Toru Takano, Tsuyoshi Kobayashi
-
Publication number: 20140317709
Abstract: A computer server system includes a processor that executes a number of modules. The number of modules includes a receiving module to receive an account name inputted by a user, and a password generating module to generate a unique, unchangeable password corresponding to the account name. The computer server system further includes a storage unit to store the account name and the password.
Type: Application
Filed: March 28, 2014
Publication date: October 23, 2014
Applicants: HON HAI PRECISION INDUSTRY CO., LTD., HONG FU JIN PRECISION INDUSTRY (ShenZhen) CO., LTD.
Inventors: LEI JIANG, SI-QUAN CHEN
-
Publication number: 20140317714
Abstract: A portable computing device can enable an accessory to access a wireless network. In particular, the portable computing device can provide a wireless network access credential to the accessory. The accessory can thereafter use the wireless network access credential to access a wireless network. The portable computing device can additionally configure an access point that manages the wireless network to permit the accessory to join the wireless network.
Type: Application
Filed: July 3, 2014
Publication date: October 23, 2014
Inventors: Sylvain R.Y. Louboutin, Gregg Golembeski, Jr., Allen Denison
-
Publication number: 20140317708
Abstract: Methods and devices for NFC tap login with automatically-generated login information are disclosed. A user can launch a browser application and log in a desired website without having to enter the user's username and password. The user can achieve this by tapping a Near Field Communication-enabled computing device with an NFC-enabled wireless device. The wireless device generates and stores the user's usernames and passwords corresponding to a number of websites, and provides the username and password for the desired website to the computing device via an NFC-based communication link. Through a browser application running on the computing device, the user can sign up an account at and log in the desired website.
Type: Application
Filed: December 16, 2011
Publication date: October 23, 2014
Inventors: Farid Adrangi, Sanjay Bakshi
-
Publication number: 20140317711
Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
Type: Application
Filed: April 25, 2014
Publication date: October 23, 2014
Applicant: eBay Inc.
Inventor: Mark C. Lee
-
Publication number: 20140317710
Abstract: A method of configuring a first device, such as a monitoring device, to be controlled by a second, user device, via a network, comprises connecting the user device to the monitoring device to be configured, via an audio cable, providing a network password to a wireless network to the monitoring device from the user device, via the audio cable, connecting the monitoring device to the wireless network; and associating the monitoring device to the user device by a processing device, so that the user device can interact with the monitoring device and the processing device, via the wireless network. The user device may be a mobile user device, which may be connectable to a WiFi network and/or a cellular network, for example. A cryptographic key may be issued between the monitoring device and the user device for secure communication.
Type: Application
Filed: April 23, 2014
Publication date: October 23, 2014
Applicant: Canary Connect, Inc.
Inventors: Adam D. Sager, Chris I. Rill
-
Publication number: 20140317713
Abstract: The user authentication method comprises: a central processing server generates an encoded data, such as a QR code, from encoding a session number, which can be randomly generated; a first client computing device displays a login page that includes the QR code to a user for authentication; the user uses a mobile communication that has already been registered and paired with the user account stored in the central processing server to image-capture the QR code, and sends the decoded QR code data to the central processing server; the central processing server validates the decoded QR code data against the session number; upon a positive validation, the user may need to enter his/her security PIN according to configuration in the second mobile communication and be sent to the central processing server for validation; and upon a positive validation, the user authentication is completed.
Type: Application
Filed: July 2, 2014
Publication date: October 23, 2014
Inventor: Alessandro GADOTTI
-
Publication number: 20140317712
Abstract: A first interface is transmitted from the server computer system to a user computer system, the first interface having a field for entering a mobile telephone number. A mobile phone number entered into the field for the mobile phone number is received from the user computer system at the server computer system. A password is generated and transmitted from the server computer system to a mobile device having a mobile phone number corresponding to the mobile phone number received from the user computer system and a second interface is transmitted from the server computer system to the user computer system, the second interface including a field for entering the password. A follow-up message is transmitted from the server computer system to the mobile device if the password is not received from the user computer system at the server computer system within a predetermined period of time.
Type: Application
Filed: June 30, 2014
Publication date: October 23, 2014
Applicant: CLEAR CHANNEL MANAGEMENT SERVICES, INC.
Inventor: Paula Buzzard
-
Publication number: 20140317715
Abstract: A smart card is disclosed which includes a mass storage memory for storing biometric information of a user and private data. A radio is used as an interface to the card. When the user of the card wishes to invoke an application for the private data, biometric information about the user is provided to a device in communication with the card, enabling the card to authenticate the user as an authorized user of the private data, and in response to that authentication provide the data to the application in a manner that maintains privacy and integrity of data.
Type: Application
Filed: July 7, 2014
Publication date: October 23, 2014
Inventors: Finis Conner, An Van Li, Anil Nigam
-
Patent number: 8868709
Abstract: A method including querying a service provider for functional and nonfunctional qualifications of the service provider to provide a service having functional and nonfunctional requirements; responsive to input from the service provider, receiving by a requestor the functional qualifications and nonfunctional qualifications of the service provider including attesting by a third party, not the service provider or requestor, to at least the nonfunctional qualifications of the service provider; evaluating the functional qualifications and attested to nonfunctional qualifications of the service provider; and selecting a service provider having functional and attested to nonfunctional qualifications complying with the functional and nonfunctional requirements of the requestor. The method may be performed on one or more computing devices. Also disclosed is a computer program product.
Type: Grant
Filed: May 3, 2011
Date of Patent: October 21, 2014
Assignee: International Business Machines Corporation
Inventors: Tamer Aboualy, Omkharan Arasaratnam, Stewart Wolfe, Nevenko Zunic
-
Methods, apparatuses, and computer program products for bootstrapping device and user authentication
Patent number: 8869252
Abstract: An apparatus may include a processor configured to receive a security certificate request from a remote device comprising a public key of the remote device and an authentication credential based upon a legacy authentication mechanism of the remote device. The processor may be further configured to validate the received authentication credential in accordance with the legacy authentication mechanism. The processor may be additionally configured to generate a security certificate for the public key. The processor may be further configured to provide the generated security certificate to the remote device.
Type: Grant
Filed: May 19, 2008
Date of Patent: October 21, 2014
Assignee: Nokia Corporation
Inventors: Nadarajah Asokan, Jan-Erik Ekberg, Antti Kiiveri, Olli Muukka
-
Patent number: 8868034
Abstract: Embodiments may comprise logic such as hardware and/or code to provide a secure device area network. Many embodiments comprise a gateway node or enterprise enhanced node with a services distribution frame installed on a customer's premises. The gateway node or enterprise enhanced node may interconnect the secure wireless device area network at the customer's premises with a cellular network. In many embodiments, the cellular network core may provision authentication credentials and security keys, and manage access policies to facilitate access by Application Service Providers to devices on premises including smart devices via a security and policy enforcement function of a services distribution frame of the gateway node or enterprise enhanced node. Authorized members of the secure wireless device area network may connect to the Wide Area Network (WAN) through the gateway node and the cellular network core.
Type: Grant
Filed: December 25, 2010
Date of Patent: October 21, 2014
Assignee: Intel Corporation
Inventors: Rakesh Dodeja, Ashok Sunder Rajan, Kevin D. Johnson, Martin Mcdonnell, William J. Tiso, Todd A. Keaffaber, Adam P. Burns
-
Patent number: 8869255
Abstract: A security system and method for authenticating a user's access to a system is disclosed. The security system receives an authentication request from the user and responds by generating a security matrix based on a previously stored user keyword and user preference data, the security matrix being different for each authentication request. The security system sends the security matrix to the user and awaits a one-time code in response to the security matrix. The user forms the one-time code based on the user keyword, the user preferences, and the security matrix. The security system validates the one-time code against the security matrix, the keyword, and the user preferences, and responds by sending an authentication result to the user that either permits or denies access to the system. Additionally, the security system sends a success or fail message to the system to be accessed.
Type: Grant
Filed: October 25, 2011
Date of Patent: October 21, 2014
Assignee: Forticom Group Ltd
Inventor: Antony Smales
-
Patent number: 8869234
Abstract: Embodiments dynamically manage privileged access to a computer system according to policies enforced by rule engine. User input to the rule engine may determine an extent of system access, as well as other features such as intensity of user activity logging (including logging supplemental to a system activity log). Certain embodiments may provide access based upon user selection of a pre-configured ID at a dashboard, while other embodiments may rely upon direct user input to the rule engine to generate an ID at a policy enforcement point. Embodiments of methods and apparatuses may be particularly useful in granting and/or logging broad temporary access rights allowed based upon emergency conditions.
Type: Grant
Filed: May 3, 2012
Date of Patent: October 21, 2014
Assignee: SAP AG
Inventors: John Christopher Radkowski, Swetta Singh
-
Patent number: 8868921
Abstract: A method for authenticating users over networks includes requesting a one-time password, entering a personal identification number into a communications device, and retrieving a replaceable shared secret stored in the communications device. Moreover, the method includes generating a hashed personal identification number from the entered personal identification number, combining the hashed personal identification number with the replaceable shared secret to generate a modified shared secret, and generating a one-time password with the modified shared secret and the time of requesting the one-time password.
Type: Grant
Filed: July 20, 2011
Date of Patent: October 21, 2014
Assignee: Daon Holdings Limited
Inventors: Jason Scott Cramer, Andrew Supplee Webb, Christopher Eric Holland, Conor Robert White
-
Patent number: 8869236
Abstract: One embodiment includes a non-transitory computer readable medium having instructions executable by a processor to implement a method. The method includes receiving user configuration data for a network device, the configuration system being coupled to a service network. The method also includes storing device configuration data in a configuration database coupled to the service network, the device configuration data being based on the user configuration data and service network data. The method also includes receiving a configuration request at the configuration system from the network device in response to the network device being unconfigured and connected in a user network. The method further includes transmitting the device configuration data from the configuration database to the network device in response to the configuration request.
Type: Grant
Filed: January 11, 2013
Date of Patent: October 21, 2014
Assignee: Shoretel, Inc.
Inventors: Dale Tonogai, Darren J. Croke
-
Patent number: 8869253
Abstract: A method of accessing an internet based service, involves using a cellular telephony device to obtain a token from the provider of the internet based service, and within the cellular telephony device, using the token to calculate a time-limited password. The time-limited password is used in combination with at least one further user identification parameter to obtain access to the internet based service.
Type: Grant
Filed: March 8, 2007
Date of Patent: October 21, 2014
Assignee: Monitise Group Limited
Inventor: Steven Paul Atkinson
-
Patent number: 8869254
Abstract: Verifying a user includes: receiving a service request; generating a text based first dynamic password upon receiving the service request; converting the first dynamic password into sound information; transmitting the sound information to a user terminal over a communication network; receiving over the Internet a second dynamic password entered by the user based on the sound information, the second dynamic password being a text based password; comparing the first and second dynamic passwords for consistency; and indicating that verification is successful if the first and the second dynamic passwords are consistent.
Type: Grant
Filed: August 16, 2010
Date of Patent: October 21, 2014
Assignee: Alibaba Group Holding Limited
Inventors: Yingwei Chen, Zheng Yang
-
Publication number: 20140310791
Abstract: Various aspects are discussed, for example, a method is described for authentication of devices in a wireless network involving NFC (Near Field Communication), wherein a device periodically switches its mode from a read mode, in which it is able to receive authentication data from one or more other devices, to a write mode, in which it sends out authentication data to the one or more other devices, according to a random time slot scheme. The device authenticates itself after having received authentication data from another device during the read mode, and the device switches permanently its mode to the write mode after being authenticated.
Type: Application
Filed: June 26, 2014
Publication date: October 16, 2014
Inventors: Harsh Dhand, Srinivasa Rao