Abstract: An information-security method for securely accessing a web site through non-password user authentication to an intermediary portal is disclosed. A hardware/biometric login authenticates a user to a portal, which provides 1-click user access to web sites. The portal generates a strong password for each web site. Private keys with the passwords embedded therein are generated by the portal and stored along with public keys for the web sites. Communications between the portal and web sites are asymmetrically encrypted using the keys. Passwords for the web sites are updated or autorotated by the portal on-demand, at periodic intervals, and/or in response to data breaches or threat vectors to provide enhanced security. Updated login credentials are communicated to the web sites when the passwords are changed by the portal. Passwords are managed transparently to the user such that users need not be aware or keep track of their passwords.

Abstract: An automated process for managing groups in a cloud-based environment receives a request to create a permission group. The permission group is built in a directory system, wherein the directory system is nonnative to the cloud-based environment. The permission group from the directory system is synced with an identity management system that is nonnative to the cloud-based environment. The process includes stashing a group creation job to a queue, wherein the group creation job is configured to create the group in the cloud-based environment. The system provisions the permission group in response to consuming the group creation job from the queue.

Abstract: A method includes receiving user credentials of a user from a user device. Access information for the user including a set of uniform resource locators (URLs) is received from a computing cluster. The set of URLs correspond to user interfaces (UIs) of the computing cluster accessible to the user. An authentication token is generated based on the user credentials and the access information. A first copy of the authentication token is assigned to a session variable of a browser application of the user device. A second copy of the authentication token is sent to the computing cluster. A first URL is inputted into the browser application to attempt accessing a first UI of the computing cluster. In response to the first URL being one of the set of URLs and the session variable matching the second copy of the authentication token, the first UI is accessed using the browser application.

Abstract: Techniques are described for client registration for authorizing an aggregator service to access data on behalf of an application, through self-registration of an application client identifier and issuance of authorization token(s) based on the application client identifier. Implementations provide a technique for dynamic client registration that avoids the need for manual vetting and manual generation of the client credential grant. Additionally, the implementations described herein enforce domain values around the scope and/or purpose of the client grant. This allows for support of application providers through a single point of registration that supports multi-layer and channel. This also allows for support of a scalable authorization solution for any suitable number of clients. The dynamic client registration process adds an additional layer of security through the OAuth client grant and mutual authentication.

Abstract: According to one or more embodiments of the disclosure, an example method herein may comprise: providing access to a plurality of solution packages in a global repository associated with an extensibility platform, wherein the extensibility platform is a multi-celled architecture, the plurality of solution packages having specific configurations for execution of the extensibility platform; determining one or more tenants of a particular cell of the multi-celled architecture; and synchronizing one or more particular solution packages of the plurality of solution packages from the global repository to the particular cell based on one or more tenants of the particular cell and subscriptions of the one or more tenants to the one or more particular solution packages.

Abstract: This disclosure relates to verifying the trustworthiness of web applications. In one aspect, a method includes obtaining, by a browser of a client device, an electronic resource comprising code for a web application. The browser renders the electronic resource, including processing the code of the web application. The code causes the browser to initiate a request to a remote server. In response to processing the code, the request is generated and modified to include at least a portion of an integrity element for the web application. The modified request is sent to the remote server. A response to the request is received from the remote server. The response is based on the remote server verifying that the web application is trustworthy using the integrity element. Data is displayed based on the response.

Abstract: Systems and methods for secure electronic data transfer utilizing an ephemeral key for encryption and decryption of data.

Abstract: A method may include an aggregator node in a distributed computer network: generating an aggregator node public/private key pair; communicating the aggregator node public key to participant nodes; receiving, from each participant node, a message comprising a local machine learning (ML) model encrypted with a participant node private key and the aggregator node public key, and a participant node public key encrypted with the aggregator node public key; decrypting the local ML models and the participant node public keys using the aggregator node public key; decrypting the local ML models using the participant node public keys; generating an aggregated ML model based on the local ML models; encrypting, with each participant node public key, the aggregated ML model; and communicating the encrypted ML models to all participant nodes. Each participant node decrypts one of the encrypted ML models and modifies its local ML model with the aggregated ML model.

Abstract: Embodiments of the present disclosure relate to a method, apparatus and computer readable storage media for processing an Internet Protocol Security (IPsec) stream. A method comprises determining a security association for an incoming stream, the incoming streaming comprising a plurality of packets; performing pre-processing on the plurality of packets based on the security association; and in response to the pre-processing being performed on at least one of the plurality of packets, performing parallel processing on the at least one of the plurality of packets.

Abstract: Disclosed embodiments may include a method for authentication using partitioned authentication tokens. The system can receive an indication of a first and second user device associated with a user. The indication can include a priority order of the first and second user device. The system can then receive an authentication request associated with the user from an application. The system can generate an authentication token to authenticate the user and partition the authentication token to create a first token portion and a second token portion. The system can determine which device of the first and second user device has a higher priority based on the priority order and can transmit the first token portion and the second token portion to the devices in order of priority. The system can receive a receipt of the token portions and transmit instructions to the application to authenticate the user.

Abstract: Disclosed herein are embodiments that provide for accessing a cloud environment with Zero Trust Network Access (ZTNA). In particular, the embodiments provide managing communications via an identity broker through a secure tunnel between at least one network device and a cloud environment via an access device. The access device is preconfigured to contact the identity broker to establish the secure tunnel. At least one policy may then be applied to the at least one network device via the access device. In such a configuration, the at least one network device, such as a legacy device or a plurality of network devices, does not require a software client to communicate directly with the identity broker.

Abstract: Techniques are described for providing a multi-cloud control plane (MCCP) in a first cloud infrastructure (included in a first cloud environment provided by a first cloud services provider) that enables services and/or resources provided in the first cloud infrastructure to be utilized by users of a second cloud environment. The first cloud infrastructure receives a request from a user associated with an account in the second cloud infrastructure. The request corresponding to using a service provided by the first cloud infrastructure. A tenancy is created for the user in the first cloud infrastructure to enable the user to utilize the service, and a link-resource object is created that includes information linking the tenancy of the user in the first cloud infrastructure to the account of the user in the second cloud infrastructure, the link-resource object enabling the user to utilize the service provided by the first cloud infrastructure.

Abstract: An example methodology includes, by a container hosted on a computing device, receiving a request to access the container, the request including a temporary username and password and an access group to which a user associated with the request belongs. The method also includes, by the container, creating a temporary user credentials based on the temporary username and password, adding the user to the container, mapping the access group passed with the request to an equivalent predefined access group within the container, and assigning the user to the equivalent predefined access group, wherein the predefined access group within the container specifies permissions to be granted to the user. The method further includes, by the container, providing access to the container based on the temporary user credentials and the equivalent predefined access group and sending a response to the request, the response including information about the provided access to the container.

Abstract: A method for providing a token code in conjunction with a value token is disclosed. The token code serves as a shared secret for authenticating the use of the value token. Multiple token holders can possess the same value token, but each token holder may have a different token code for use with the value token.

Abstract: A system that uses an enriched token to dynamically authorize and/or manage access to endpoint(s). The enriched token defines a scope of access with respect to the endpoint(s) and may be generated based at least in part on user context information obtained from an identity provider.

Abstract: Techniques are provided for automated sharing of remote devices by multiple users using a file system. One method comprises maintaining public keys for source devices associated with users; configuring a primary target device to provide a file system that comprises: (i) a user-specific directory for each of the users, and (ii) a global directory accessible by the users, wherein the user-specific directory for a given user comprises the public key for the source devices associated with the given user; and configuring a secondary target device to provide a copy of the file system, wherein updates to the file system are provided to the secondary target device, and wherein the given user accesses the primary and/or the secondary target device, using a particular source device, based on an evaluation of the public key for the particular source device obtained from the user-specific directory for the given user.

Abstract: Systems and methods are described for accessing resources of a Unified Endpoint Management (“UEM”) system through an enrolled device. In an example, an unenrolled device can be paired with an enrolled device. The unenrolled device can connect to the enrolled device on a local network. The enrolled device can verify the unenrolled device using a key provided during pairing. The unenrolled device can send requests for UEM resources to the enrolled device, which the enrolled device can send to a UEM server. The UEM server can send the requested UEM resources to the enrolled device, and the enrolled device can send the UEM resources to the enrolled device over the local network.

Abstract: Systems, methods, and storage media for assessment of identity resources in an identity infrastructure are disclosed. Exemplary implementations may: assess the identity infrastructure with at least one discovery agent element; identify, by the at least one discovery agent element, one or more infrastructure elements within the identity infrastructure; intercept, by the at least one discovery agent element, first network traffic in the identity infrastructure; assess, by the at least one discovery agent element, at least one of a status and a structure of the identity infrastructure; and report, by the at least one discovery agent element, at least one of the status and the structure of the identity infrastructure to one or more of an administrator and a centralized server.

Abstract: An enhanced certificate authority system and method allows for the enhanced security, validation, and Multi-Factor Authentication of user's within a digital signature, digital identity and general user data and transaction system through the creation and management of a user's Digital Identity certificate and users data elements to be share in a secure environment, so that through an enhanced certificate authority a user's identity, users general data to be shared and bona fides may be both protected and established across a diversity of electronic devices and transactions.

Abstract: A lightweight and extensible information model for machine-to-machine systems is disclosed. A service layer information management architecture uses three categories of atomic objects, subjects, actions, and descriptions. Information for use within the model is built using the atomic information objects. Application programming interfaces are used to perform operations and information processing by different nodes. Common service functions are used in the model as instances of a generic common service information model.

Abstract: A device configured to receive a data sample about a configuration for one or more network devices in a public network. The device is further configured to compare one or more threat indicators to the data sample where each threat indicator is associated with a configuration setting. The device is further configured to identify a first network device in the public network that comprises a configuration that matches a threat indicator and to generate a bad actor profile for the first network device. The device is further configured to receive data traffic for a second network device in a private network and to block data communications between the second network device in the private network and the first network device in the public network in response to determining that the first network device is associated with the bad actor profile.

Abstract: A primary request is received that includes a primary identity. The service is within a service container group project hosted by a cloud provider. A shadow request is generated from the primary request. The shadow request includes a shadow identity linked to the primary identity. The shadow request is authorized by verifying that the shadow identity has access to the service. A tenant token is generated for the shadow identity in response to authorizing the shadow request. An access token is obtained using native authorization of the cloud provider in exchange for the tenant token. Tenant data is accessed from a tenant data repository using the access token. A shadow response is obtained that is generated for the shadow identity and includes processed tenant data generated. A primary response is sent that is for the primary identity and is generated from the shadow response.

Abstract: According to some embodiments, the disclosed systems and methods provide non-native functionality to a distributed network for administrative customizations and control of network-hosted and/or blockchain-related application program interfaces (APIs). The disclosed technology provides novel techniques and mechanisms for administrating and/or configuring microservice API requests, whereby customized definitions, operations and executable instructions may cause and/or otherwise have associated information stored in a distributed ledger (e.g., blockchain). In some embodiments, the disclosed functionality and capabilities provided by the disclosed framework enable capabilities for API administration and configuration respective to how workflows of microservices are hosted, executed and stored within and respective to data structures and nodes of a blockchain.

Abstract: In a user credential control system, an access control server includes a token issuing unit that issues, to a service provider server, a token in which a user credential that can be acquired by the service provider server is described according to the company name and the type of a service of the service provider server described in an electronic certificate, a policy registration unit that registers a policy of an access authority of the service provider server to the user credential based on the company name or the type of the service of the service provider server, and a notification reception unit that, when the user credential of the user terminal has been changed, acquires the service provider server with the access authority to the user credential from a token according to the registered policy to notify the service provider server of the change of the user credential.

Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.

Abstract: The disclosed embodiments relate to authenticating devices to a cellular network. In one embodiment, a method is disclosed comprising reading a mobile identifier from a storage area of a memory device, the mobile identifier comprising a value associated with a subscriber of a cellular network; signing the mobile identifier using a private key to generate a digital signature, the private key generated using a physically unclonable function (PUF); transmitting the digital signature and a public key to a cellular network, the public key associated with the private key; and receiving, from the cellular network, a confirmation of access to the cellular network, the confirmation generated based on the public key and the digital signature.

Abstract: Provided are a method for realizing a video conference, and a terminal and an SIP gateway. The method for realizing a video conference is applied to a WebRTC terminal, and comprises: performing interaction of SIP signaling with an SIP gateway by means of an SIP account, so as to establish a video conference connection with an SIP terminal, wherein SIP signaling between the WebRTC terminal and the SIP gateway is transmitted by means of a WebSocket protocol, and the WebRTC terminal can parse the received SIP signaling transmitted by means of the WebSocket protocol; and sending a locally collected video stream, and/or receiving a video stream of the SIP terminal, and playing same by means of a browser.

Abstract: A system, method, and computer-readable medium for performing a data center monitoring and management operation. The data center monitoring and management operation includes: receiving data center asset workload data; capturing a set of the data center asset workload data at predefined time intervals; monitoring data center workload performance using the set of the data center asset workload data; and, predicting an anomaly associated with data center workload performance based upon the monitoring.

Abstract: An authentication device includes an authentication unit, a history information generator and a communication unit. The authentication unit executes, when a user terminal accesses a service provider system, an authentication process based on an authentication request that includes a description pertaining to an authentication condition and an authentication method that correspond to the service provider system. The history information generator generates history information. The history information includes information indicating whether the authentication condition is satisfied and information indicating a result of executing the authentication process by using the authentication method. The communication unit transmits the history information to the user terminal.

Abstract: A method for facilitating application authentication bypass based on proximate with time using device authentication is disclosed. The method includes receiving a request from a user to access an application on a user device, the request including an application authentication request; accessing the user device via a device application programming interface; retrieving, via the device application programming interface, device authentication data, the device authentication data including a timeline of successful device authentications; determining whether the device authentication data is within a predetermined threshold; authenticating the request by using the device authentication data when the device authentication data is within the predetermined threshold; and permitting access to the application based on a result of the authenticating.

Abstract: Systems and methods for conducting direct peer-to-peer real time communications are disclosed. The system comprises a domain communication server. The system includes logic to receive a request on behalf of a first user, to initiate a direct peer-to-peer communication session specifying a domain name of a second user. The second user is a registered and authorized user having the domain name registered with a domain name server and authorized by the domain communication server to participate in the direct peer-to-peer real time communication with other users using the domain name. The system includes logic to offer to the second user based upon the domain name specified in the request, to initiate direct peer-to-peer communications with the first user. The system includes logic to, upon acceptance from the second user, initiate the direct peer-to-peer communication session between the first user and the second user.

Abstract: Examples provide a cloud-based distributed secure shell (SSH) file transfer protocol (SFTP) server system for responding to client requests. A load balancer assigns client requests to available SFTP servers within the cloud based distributed SFTP server cluster. Each SFTP server is hosted on an individual VM associated with a cloud server. An authentication service authenticates the client requests using a single user profile. A registry table on a first cloud storage maintains metadata describing all the data records stored within a second cloud storage. The registry table and the data records are accessible to all the SFTP servers within the server cluster. In this manner, any server within the cluster can authenticate a user and respond to a client request while providing a seamless and uniform user experience while simultaneously reducing resource usage and improving scalability.

Abstract: An information processing system includes a linkage database in which a person is linked with a property; a person database in which the person is associated with a role of the person and one or more functions that can be used by the person; a property database in which the property is associated with one or more functions used in the property; a first permission management unit configured to manage one or more functions that can be used by the person in the property, by using the person database and the property database; and a second permission management unit configured to manage one or more properties whose information can be accessed by the person, by using the linkage database.

Abstract: The present disclosure generally relates to managing passwords. In some examples, a computer system displays an autofill user interface object corresponding to a one-time password generated by the computer system and for use in authenticating a user with a remotely-authenticated service. In some examples, a computer system enters, saves, and submits a new username and a new password created via a password manager to a remotely-authenticated service.

Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method for facilitating identity and access management in a cloud environment based on a zero-trust configuration is provided. The method includes retrieving, via a job, a token from a corresponding identity provider, the job including a unit of work and a unit of execution that corresponds to a change; retrieving, via the job, a change authorization from a change management system, the change authorization including a signed change authorization; retrieving, via the job, a change artifact from an artifact repository, the change artifact including a signed change artifact; requesting, via the job, a change orchestrator to execute the change, the request including the token, the change authorization, and the change artifact; instructing, via the change orchestrator, a service broker to execute the change; and executing, via the service broker, the change within the cloud environment.

Abstract: A method of providing a chat service in a map-based virtual space includes receiving a place selection signal based on map information and/or a motion detection signal from user terminals, determining location information and FoV information of the corresponding account in the virtual space, determining image information of a perspective view and one or more other accounts to be displayed on the corresponding user terminal, receiving a chat request from a first user terminal, receiving a result regarding whether to accept a chat in response to the chat request from a second user terminal, determining whether an account of the first user terminal and the other account of the second user terminal on the street view satisfy a preset condition, and providing the chat service between the first user terminal and the second user terminal based on whether the chat is accepted and whether the preset condition is satisfied.

Abstract: A method of providing login information may include sending, from a service web page executed on a browser, a login request to an authentication web page executed on the browser, executing, by the authentication web page, a single sign on (SSO) agent in an electronic device, sending, by the authentication web page, a request for authentication information of a user to the SSO agent, generating and transmitting, by the SSO agent, a random number to the authentication web page, generating and transmitting an encrypted eigenvalue on an authentication web server based on the random number to the SSO agent, calling, by the SSO agent, an authentication application programming interface (API) server, and transmitting the eigenvalue, validating the eigenvalue on the authentication API server, and receiving, by the SSO agent, a result of the validating from the authentication API server, and transmitting the authentication information to the authentication web server.

Abstract: Methods and systems for a media guidance application that provides advanced parental control features such as allowing parents to establish parental controls in a dynamic and individualized manner and allowing parents to track and/or limit the amount of time that a child views media content of a particular type.

Abstract: A method, system, and computer program product is provided for third-party authorization. The method includes generating an authorization code, encrypting the authorization code with a public key associated with a first system, resulting in an encrypted authorization code, transmitting the encrypted authorization code to the first system, receiving, from the first system, a digitally signed authorization code generated by the first system based on the authorization code and a private key corresponding to the public key associated with the first system, verifying the digitally signed authorization code based on the public key and the authorization code, and in response to verifying the digitally signed authorization code, transmitting an access token to the first system, wherein the access token is configured to authorize a user with the first system.

Abstract: A method for providing secure single sign on includes receiving a first data object from an application hosting server, the first data object indicating at least a service provider name and identifying a configuration file corresponding to the service provider name, wherein the configuration file includes at least trusted identity information. The method also includes determining, using the configuration file corresponding to the service provider name, whether the first data object is valid and, in response to a determination that the first data object is valid, generating a response message.

Abstract: A system and method for onboarding and managing assets in a decentralized identity network is disclosed. The method may include receiving an authorization proof from a member of a team of an enterprise to access an asset in the decentralized identity network. The method may further include validating the member of the team through a set of validator nodes. The method may further include provisioning the asset on the decentralized identity network. The method may further include onboarding the provisioned asset on the decentralized identity network. The method may further include generating a set of derived credentials of the onboarded asset. The method may further include validating a user access request corresponding to at least one of owners of an application and user to access the asset. The method may further include dynamically validating an employee access request from an employee and the unique asset DID to access the asset.

Abstract: Methods and systems are described for verifying an identity of a user through contextual knowledge-based authentication. The system described uses contextual knowledge-based authentication. By verifying an identity of a user through contextual knowledge-based authentication, the verification is both more secure and more intuitive to the user. For example, by relying on confidential and/or proprietary information, the system may generate verification questions, the answers to which are known only by the user.

Abstract: The systems and methods described herein can enable the indirect transmission of session data between different domains. The system can pass the session data through a hashing function so that the data from a given domain remains private and secure to the specific domain. The system can generate clusters of associated domains for a given client device that the system can use to maintain a session between the client device and the domain.

Abstract: Systems and methods for authorizing data transfers are disclosed. Exemplary implementations may: receive a data transfer authorization request based on a data transfer initiated by a customer computing device; when the customer computing device is associated with a system of trust: send a third-party second-factor authentication message to trustee computing device(s) without sending any message to the customer computing device, and authorize the data transfer system to complete the data transfer request in response to receipt of a third-party authentication confirmation from the trustee computing device(s) and in the absence of any authentication confirmation from the customer computing device.

Abstract: First and second devices store respective device data and private keys. The first-device data is additionally stored by the second device and by a proxy; and the second-device data is additionally stored by the first device and by the proxy. In a commitment phase, each of the first and second devices uses its respective device data, private key and a random nonce to generate a respective one-time first-device or second-device commitment value, which it sends to the proxy. In a checking phase, the devices communicate secret-key information to the proxy, which verifies the received one-time commitment values. In a digest phase, the proxy calculates a one-time digest, which it sends to the second device. The second device then verifies the received one-time digest to authenticate the first device.

Abstract: A computing platform is configurable to cause initiating a communication session with a user, the user having a user account associated with a workflow data object, the workflow data object being configured to represent a plurality of operations included in a workflow. The computing platform is also configurable to cause identifying a verified status indicator associated with at least one of the plurality of operations, the verified status indicator comprising a verified credential associated with at least one of the plurality of operations. The computing platform is also configurable to cause identifying a transfer operation associated with the verified status indicator and identifying a target entity associated with the transfer operation. The computing platform is also configurable to cause implementing the identified transfer operation based, at least in part, on identified target entity.

Abstract: A connection request is received from a user device associated with a user. The connection request includes an identifier associated with a profile associated with the user, the profile being a static profile or a dynamic profile. An observability profile associated with the user is identified based on the profile when the profile is a static profile and based on a current traffic profile associated with the user device when the profile is a dynamic profile. Measurements associated with a data session are executed for the user device based on the observability profile and one or more configurations are adjusted in a network to improve performance of the data session based on the measurements.

Abstract: A system uses a keyboard application to encrypt and decrypt e-mail, messages, and other digital data. By using quantum random number generators, the system has improved data security. Using a quantum random number, an agent (at a sender side) generates an encryption key which is used to automatically encrypt a message. The encryption key is stored at a key server. The encrypted message will be sent by an application using its standard transmission means such as SMTP, SMS, and others. The encrypted message can be automatically unencrypted by using an agent (at a recipient side) and retrieving the key from the key server. The system also provides an optional double encryption, where the message is encrypted with a user-generated password before being encrypted using the encryption key.

Abstract: In embodiments, a computer system of a primary entity receives from a secondary entity a first communication about a relationship instance between the primary entity and the secondary entity, and transmits to an Online Service Provider (OSP) a second communication with a dataset. The dataset has dataset parameters about the relationship instance. The second communication causes the OSP to select a file template per the dataset, to produce a resource for the dataset, and to prepare a digital exhibit that is arranged to report the resource as answering the identified requirement. The OSP then transmits to the computer system a third communication that includes an access indicator adapted to facilitate viewing the digital exhibit. Upon receiving the third communication, the computer system transmits a fourth communication to the device of the secondary entity, the fourth communication including the access indicator.