Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 9276928
    Abstract: A session token can be requested to be sent to a first computing service from a second computing service, and a first computing service can receive the requested session token from the second computing service. The first computing service can send a message that includes the session token through a passive client to the second computing service. The second computing service can receive the message that includes the session token from the passive client, and the second computing service can verify that the message is valid. This verification of the validity of the message can include verifying that the session token received back from the passive client matches the session token the second computing service sent to the first computing service.
    Type: Grant
    Filed: September 3, 2013
    Date of Patent: March 1, 2016
    Assignee: Microsoft Corporation
    Inventors: Seshadri Mani, William David Taylor, Haytham Abuel-Futuh, Titus C. Miron, Murli D. Satagopan
  • Patent number: 9275217
    Abstract: There is provided a method for using a multi-user operating system. A user attempts to access the multi-user operating system. The user is prompted to enter a shared credential associated with the multi-user operating system and an individual credential of the user. The entered shared credential and the entered individual credential are verified. Access is granted to the user if both the entered shared credential and the entered individual credential are verified. Commands entered by the user granted the access are tracked via the entered shared credential while the user is using the multi-user operating system. The tracked commands indicate the entered individual credential.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: March 1, 2016
    Assignee: International Business Machines Corporation
    Inventors: Gerald Colar, Melanie Diggs, Terrence White, Charles Young
  • Patent number: 9276933
    Abstract: Methods, systems, and devices for determining a time-expiry algorithm based on a cached and verified security token, a disposition of the security token, and a cache table, where the disposition of the security token is based on whether the received security token is a single-use token or a multiple-use token and where the cache table is selected from two separate cache tables.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: March 1, 2016
    Assignee: Sharp Laboratories of America, Inc.
    Inventor: Swee Huat Sng
  • Patent number: 9270662
    Abstract: Source information for requests submitted to a system is classified to enable differential handling of requests over a session whose source information changes over the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Similarly, for source information classified as dynamic, source information may be allowed to change without requiring the stronger authentication.
    Type: Grant
    Filed: January 13, 2014
    Date of Patent: February 23, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Nicholas Alexander Allen
  • Patent number: 9264423
    Abstract: In one aspect, the present disclosure describes a server-implemented method for authenticating a login without a password. The method includes: a) receiving, from a request initiator, a request to authenticate a login, the request including a user identifier; b) providing, to a device pre-registered for use in association with the user identifier, an acknowledgement request, the device being configured to generate a prompt in response to receiving the acknowledgment request, the prompt requesting input to authenticate the login; c) initiating a timer; d) determining that a login confirmation message has been received from the pre-registered device before expiration of the timer; and e) in response to determining that the login confirmation message has been received from the pre-registered device before expiration of the timer, providing an authentication acknowledgment message to the request initiator.
    Type: Grant
    Filed: June 12, 2014
    Date of Patent: February 16, 2016
    Assignee: NADAPASS, INC.
    Inventor: Jay Lawrence Cox
  • Patent number: 9262642
    Abstract: Source information for requests submitted to a system is classified to enable differential handling of requests over a session whose source information changes over the session. For source information (e.g., an IP address) classified as fixed, stronger authentication may be required to fulfill requests when the source information changes during the session. Similarly, for source information classified as dynamic, source information may be allowed to change without requiring the stronger authentication.
    Type: Grant
    Filed: January 13, 2014
    Date of Patent: February 16, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Nicholas Alexander Allen
  • Patent number: 9256904
    Abstract: The systems and methods described herein allow consumers to lock or unlock their credit files at multiple credit bureaus in real-time or near real-time. The service may allow a consumer to provide identifying information, such as a personal identifier to lock or unlock credit files at a plurality of credit bureaus over a network. Upon receiving the personal identifier, the system may use the personal identifier to translate the identifier into a plurality of access codes for respective credit bureaus, for example by accessing a data structure, such as a database or table, that stores a personal identifier and access codes that are associated with a consumer. The system may then use the access codes to automatically initiate locking or unlocking of credit files for the consumer at the respective credit bureaus.
    Type: Grant
    Filed: August 14, 2009
    Date of Patent: February 9, 2016
    Assignee: Experian Information Solutions, Inc.
    Inventors: Eric Haller, Kelly Kent
  • Patent number: 9253180
    Abstract: In one embodiment of the present invention a computerized method includes receiving at a personal-mobile device a first communication, which includes information for requesting user verification for logging into an account of a user, via a computing device. The account is with a service provided by an application server. The method includes starting a personal-authentication application on the personal-mobile device in response to receiving the first communication, and receiving in the personal-authentication application a user verification for confirming logging into the account. The method includes logging into the account via the computing device based on receipt of the user verification. Embodiments of the present invention provide enhanced security for logging into an account that a user may have with a service by providing that a personal-mobile device, such as a mobile telephone, which is personal to a user, is configured as a security token for login to the account.
    Type: Grant
    Filed: December 12, 2013
    Date of Patent: February 2, 2016
    Assignee: SAP SE
    Inventor: Philipp Thun
  • Patent number: 9247006
    Abstract: Systems and methods are disclosed for a single sign-on (SSO) enterprise system with multiple data centers that use a lightweight cookie on a user's client device. The lightweight cookie includes a reference to a data center in which the user is already authenticated, and a new data center contacts the old data center for creating a session for the user on the new data center. If the old data center is unavailable, then the new data center may fall back to accessing a local security store, a backup of keys, security tokens, and/or other security data, in order to create a local session for the user on the new data center.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: January 26, 2016
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Vamsi Motukuru, Madhu Martin, Vikas Pooven Chathoth
  • Patent number: 9237145
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: January 12, 2016
    Assignee: Oracle International Corporation
    Inventors: Ajay Sondhi, Ravi Hingarajiya, Shivaram Bhat, Wai Leung William Wong
  • Patent number: 9225713
    Abstract: The present invention performs control to realize an appropriate access by executing mapping processing of single sign-on by associating SP side user information and IdP side user information using a unique AUID.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: December 29, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Makoto Kobayashi
  • Patent number: 9225682
    Abstract: An example method is provided and includes intercepting an action request from an entity for an action to be performed with respect to a resource in a cloud environment, where the action request comprises a resource facet that controls access to the resource. The method also includes determining whether the resource facet is valid for the action by evaluating a policy associated with the resource; and allowing the action.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: December 29, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Dipankar Sarkar, Oleg Danilov, Alok Batra, John M. Morrell
  • Patent number: 9213833
    Abstract: Methods and systems for detecting an electronic intrusion are described. The system receives a notification, over a network, from a first application server that is hosting a first electronic service that is hosting a first user account. The notification reports the detection of a user activity associated with the first user account. The first user account is monitored for user activity. Next, the system may identify the notification reporting the detection of the user activity associated with the first user account as a possible electronic intrusion into the first account.
    Type: Grant
    Filed: November 7, 2012
    Date of Patent: December 15, 2015
    Assignee: eBay Inc.
    Inventor: Srinivasan Raman
  • Patent number: 9210160
    Abstract: A proxy hardware system includes at least one processor configured to initiate and/or perform the following. A login page being sent to a browser executing on a client associated with a user from a back-end server is intercepted. A routine is added to the login page to generate a modified login page. The modified login page is forwarded to the browser. The browser, upon executing the routine, loads an asynchronous engine configured to execute a login process with an authentication profiling service to retrieve login information for the back-end server, and complete an authentication process with the back-end server.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: December 8, 2015
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gianluca Gargaro, Gaetano Ruggiero, Patrizio Trinchini
  • Patent number: 9203830
    Abstract: A login page being sent to a browser executing on a client associated with a user from a back-end server is intercepted. A routine is added to the login page to generate a modified login page. The modified login page is forwarded to the browser. The browser, upon executing the routine, loads an asynchronous engine configured to execute a login process with an authentication profiling service to retrieve login information for the back-end server, and complete an authentication process with the back-end server.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: December 1, 2015
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Gianluca Gargaro, Gaetano Ruggiero, Patrizio Trinchini
  • Patent number: 9197646
    Abstract: A system is configured to generate an email with a main hyperlink and a verification hyperlink; transmit the email to an email account of a user; receive an indication of a selection of the verification hyperlink; and transmit a confirmation message to a recipient device of the user when the verification hyperlink is selected.
    Type: Grant
    Filed: June 12, 2013
    Date of Patent: November 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Jack M. Farris
  • Patent number: 9191389
    Abstract: A computer implemented method, computer program product, and computer system is provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer, validating the received signed ticket based on the key associated with the system, determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application, and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
    Type: Grant
    Filed: January 17, 2014
    Date of Patent: November 17, 2015
    Assignee: SAP SE
    Inventor: Masoud Aghadavoodi Jolfaei
  • Patent number: 9183403
    Abstract: Key retrieval can include accessing a password for a keystore from a source. Key retrieval can include placing the password in memory. Key retrieval can include deleting the password from the source. Key retrieval can include retrieving an encryption key from the keystore with the password in memory.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: November 10, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Santosh G. Chinivar, Subir Parulekar, Lakshminarayana Mandaleeka
  • Patent number: 9183050
    Abstract: Method and system for determining the total processing time required for executing a plurality of jobs (n). The plurality of jobs along with a mean processing time (μ), and a queue length (k) are received. A number of preliminary jobs (p) of the plurality of jobs (n) are distributed across computing resources based upon the queue length (k). A first processing time (TF) required for the execution of the number of preliminary jobs (p) is determined. Further, a number of remaining jobs (n−p) of the plurality of jobs (n) are distributed for execution across the plurality of computing resources. A second processing time (TS) required for the execution of the set of remaining jobs (n−p) is computed. Finally, the total processing time is determined by summing TF and TS.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: November 10, 2015
    Assignee: Tata Consultancy Services Limited
    Inventors: Natarajan Vijayarangan, Muralidharan Somasundaram, Kishore Padmanabhan
  • Patent number: 9178865
    Abstract: Requests for User Services on networked computers running on different platforms with different Authentication, Authorization and Auditing (AAA) Security Systems are processed through an AAA Services Manager Server and Web Services Servers. The AAA Services Manager Server communicates requests for User Services to Web Services Servers using corresponding URL Web addresses. Web Services correspond to their respective Authentication Security Systems and Authorization Security Systems through which User Services may be obtained. The Web Services Servers act to access, for User validation, the respective Authentication Security Systems and Authorization Security Systems according to their individual languages and computing platform requirements.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: November 3, 2015
    Assignee: International Business Machines Corporation
    Inventor: Sebastian Matias Zmener
  • Patent number: 9165148
    Abstract: Methods, devices, systems and computer program products are provided to facilitate cryptographically secure retrieval of secret information that is embedded in a device. The embedded secret information can include a random number that is not custom-designed for any specific requestor of the secret information. Upon receiving a request for the embedded secret information, an encrypted secret is provided to the requestor that enables the recovery of the embedded secret information by only the requestor. Moreover, a need for maintenance of a database of the embedded secret information and the associated requestors is eliminated.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: October 20, 2015
    Assignee: Broadcom Corporation
    Inventor: Andrew Dellow
  • Patent number: 9166973
    Abstract: Methods and systems are provided for controlling access to an electronic device. The electronic device, for example, may include, but is not limited to, a processor, a memory communicatively coupled to the processor, wherein the memory is configured to store a password for accessing the electronic device, and a communication interface communicatively coupled to the processor, wherein the processor is configured to receive a request to access the electronic device from the communication interface, and transmit an encrypted version of the password for accessing the electronic device via the communication interface.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: October 20, 2015
    Assignee: Sling Media, Inc.
    Inventors: Rajesh Kanungo, Benjamin Loomis
  • Patent number: 9160816
    Abstract: Methods and systems are provided for collecting, storing, and transmitting account information in a matchable form, and for using this information to quickly set up accounts. Account information is maintained and shared between one or more client devices and an intermediate server. Account information can be reconciled locally to determine whether to add or enable an active account or an account proxy to a client device. Account proxies can be quickly enabled by a single user action. The methods and systems allow enabled accounts and account proxies to be removed from a first client device without propagating the deletion to a second client device.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: October 13, 2015
    Assignee: Apple Inc.
    Inventors: Michael McDougall, Steve S. Ko, John William Scalo, Patrick L. Coffman, Aaron Matthew Everitt
  • Patent number: 9160751
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automated mobile device management profile distribution. One of the methods includes receiving a first request for access to a first network resource from a client device, the first network resource corresponding to one of a plurality of restricted resources accessible only by devices enrolled with a mobile device management system, determining that the client device is not enrolled with the mobile device management system, preventing the client device access to the first network resource, providing to the client device a redirect to a mobile device management resource that is different from the first network resource, providing instructions for presentation of a user interface to the client device, and enrolling the client device with the mobile device management system, the enrolling comprising providing a copy of the mobile device management profile to the client device.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: October 13, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9135617
    Abstract: In one example embodiment, a card payment system includes a card payment apparatus, having an audio jack, configured to: read account information stored on a payment card, encode a counter value of the card payment apparatus into a onetime password, transmit the account information and onetime password via a microphone contact of the audio jack, and receive an acoustic signal via at least one earphone contact of the audio jack; and a client device, having an audio jack socket to receive the audio jack, configured to: receive the account information and onetime password via the microphone contact, transmit, to the card payment apparatus, the acoustic signal via the at least one earphone contact, decode the onetime password into the counter value, and authenticate the card payment apparatus based on the counter value of the card payment apparatus and a counter value of the client device.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: September 15, 2015
    Assignee: KT Corporation
    Inventors: Youngbin Cho, Sung-chul Kim, Youn-pil Jeung
  • Patent number: 9135356
    Abstract: One or more techniques and/or systems are disclosed herein for assigning familiar pseudonames to anonymous user members in a shared online environment. Creation of a name pool is provided for using a programmed processor disposed in a computing device. The name pool includes familiar names that may be contextually relevant to a group of user members in the shared online environment. A name from the name pool is provided for assignment to an anonymous user member in the shared online environment, where assignment of the name is, at least in part, based on characteristics of the anonymous user member relative to the shared online environment.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: September 15, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Jason E. Schleifer
  • Patent number: 9130922
    Abstract: The disclosed embodiments relate to a session continuity feature that allows a user to access an online content management system through different instances of a third-party application located on different computing devices without having to log in to the online content management system separately from each computing device. When the user signs on to the online content management system, the session continuity mechanism provides a session continuity token to the third-party system. When the user subsequently accesses an instance of the third-party application located on another computing device, the third-party system provides the session continuity token to the new instance of the third-party application. This enables the user to access the online content management system through the new instance of the third-party application without having to sign on again.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: September 8, 2015
    Assignee: DROPBOX, INC.
    Inventors: Ilya Fushman, Sean Lynch
  • Patent number: 9118657
    Abstract: A secure single sign on is extended to a legacy web application that does not support the specific user authentication technique being used, such as SAML or OAuth. A proxy intercepts a request by a client computer to access the legacy application, and forwards the intercepted request to a single sign on identity provider. The identity provider authenticates the user, using the specific authentication technique not supported by the legacy application, and provides an indication of success to the proxy. The proxy transmits a user id and master password wrapped in an HTTP request to the legacy web application, which authenticates the request, creates a session and provides corresponding cookies to the proxy. The proxy forwards the cookies to the client, which utilizes them to continue the session with the legacy application.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: August 25, 2015
    Assignee: Avior, Inc.
    Inventor: Sachin Shekar Shetty
  • Patent number: 9118684
    Abstract: The invention relates to a method for requesting users access to an application by a network. The application is provided by an entity that is not part of the network. The invention allows a unified access to the application independent from the network used to access it. Therefore a network receiving an access request for the application from a user determines through which network the user attempted to access the application the first time. It then requires the identifier used by the network of first access and uses the same identifier towards an entity providing said application.
    Type: Grant
    Filed: September 21, 2002
    Date of Patent: August 25, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Sebastian Hallensleben
  • Patent number: 9117229
    Abstract: A method for generating revenue by growing sales of third-party applications, including: receiving, at a server communicatively coupled with a second application and from the second application located at a first device, an indication of a first application launching request, wherein the server includes a set of messaging functionalities that are available for implementation by the second application and are available for implementation by the first application upon delivery of an authentication token from the first application to the server; based on the receiving the indication of the first application launching request, generating an authentication token, wherein the authentication token is configured for providing an authentication pass to the server when delivered thereto by the first application, thereby allowing the first application access to the set of messaging functionalities; and sending the authentication token to the second application for delivery to the first application.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: August 25, 2015
    Assignee: TangoMe, Inc.
    Inventor: Eric Setton
  • Patent number: 9100222
    Abstract: As individuals increasingly employ their wireless devices to engage in different types of activities they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc. and the serious consequences or repercussions of same. Leveraging the ubiquitous nature of wireless devices and the popularity of (Short Message Service, Multimedia Message Service, etc.) messaging, an infrastructure that enhances the security of the different types of activities within which a wireless device user may participate through dynamically configurable levels of authentication. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: August 4, 2015
    Assignee: Sybase, Inc.
    Inventors: Dilip Sarmah, Zhang Jian, Yang Xu
  • Patent number: 9087191
    Abstract: A system maintains a workspace environment of enterprise applications on a mobile device. The system receives enterprise applications for installation on the mobile device, wherein functionality has been inserted into binary executables of the enterprise applications to force the enterprise applications to communicate with an application management agent to obtain a security policy including a validity time period value related to keeping the workspace valid. The application management agent provides cryptographic keys to the enterprise applications to share encrypted messages. Upon launching, an enterprise application stores a workspace expiration time value as an encrypted message. The workspace expiration time value is extended if the user continues its use or, by another enterprise application, if the other enterprise application is launched by the user before an expiration of the expiration time value.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: July 21, 2015
    Assignee: VMware, Inc.
    Inventors: Stephen Deasy, Craig Newell
  • Patent number: 9077713
    Abstract: A system provides a remote electronic device with secure access to a web service. The system generates an alphanumeric character set, encodes the character set in a barcode, and outputs the barcode on a login page. When the system receives an access request from a remote electronic device, it will determine whether the request or a following communication includes the character set and a unique identifier for an authentication application that is installed on the remote electronic device. If so, then the system will use the unique identifier to identify a user account for a user who is using the remote device, generate a home page that includes one or more functions for which the user account is authorized, and output the home page. The system will output the home page in a manner that permits the remote electronic device to securely access and display the home page.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: July 7, 2015
    Assignee: GOOGLE INC.
    Inventors: Wentao Zheng, Zutao Zhu
  • Patent number: 9075986
    Abstract: Apparatus and method for managing password information associated with a service account are disclosed. In some embodiments, a service account management system is configured to include a security account utility and a password information data store. In some embodiments, a security account utility is used when registering, tracking, and adjusting password change information. In some embodiments, notification of a password change date is transmitted to a service account owner and a security auditor for enforcement. Use of a security account management system with a middleware application is also disclosed.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: July 7, 2015
    Assignee: United Services Automobile Association
    Inventors: David Cato, Tammy Sanclemente
  • Patent number: 9077708
    Abstract: A second information processing system to communicate with a first information processing system includes an acquisition unit, an acceptance unit, a confirmation unit, and a setting unit. The acquisition unit acquires authentication information from the first information processing system and from a memory of the second information processing system. The acceptance unit accepts correspondence information indicating correspondence between first authentication information and second authentication information. The confirmation unit confirms, as a condition, whether the acquired authentication information in the first information processing system is identical to the accepted first authentication information and confirms, as a condition, whether the acquired authentication information in the second information processing system is identical to the accepted second authentication information.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: July 7, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tamura
  • Patent number: 9071590
    Abstract: A method for a Personal Network Entity (PNE) to individually join a desired Personal Network (PN) is provided. When the PNE transmits a PN connection request message to a PN gateway, the PN gateway inserts its information into the connection request message and forwards the connection request message to a Converged Personal Network Service (CPNS) server. The CPNS server, upon receipt of the connection request message through the PN gateway, generates and manages information about a PN related to the PN gateway. The information about the PN is provided to the PNE at execution of authentication with the PNE, such that the PNE can determine whether to join the PN.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: June 30, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Sung-Jin Park, Yang-Un Lee, Seok-Hoon Choi, Wuk Kim
  • Patent number: 9069444
    Abstract: Disclosed are methods and systems for providing cloud services to personal computing devices that store large personal files such as personal videos and personal photographs in a lossless format. The methods and systems include a cloud server that synchronizes large personal files in a lossless format between first and second local computing devices. The cloud server may also store the personal large files in a lossy format on the cloud server. The lossy file can be used to facilitate syncing of the lossless file between a first and second local computing device. The lossy file stored on the cloud can also be provided to a third local computing device having limited capabilities (e.g., a mobile device with a limited internet connection or limited screen resolution).
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: June 30, 2015
    Inventors: Andrew S Hansen, Scott B Hansen
  • Patent number: 9060003
    Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record; if they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: June 16, 2015
    Assignee: A10 Networks, Inc.
    Inventors: Xin Wang, Lee Chen, John Chiong
  • Patent number: 9059985
    Abstract: Method and systems for validating a client user in a secured network are provided. Upon authentication, a user is supplied a login cookie that includes verification data. When requesting access to a secured resource, the verification data is compared to the data in the request to confirm that the requestor is a legitimate user and not a user who has stolen the login cookie.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: June 16, 2015
    Assignee: FMR LLC
    Inventors: Philip Treleaven, Leo I. Unger, Carolyn Manis Sorensen, Qing Wu, Richard Cehon
  • Patent number: 9054874
    Abstract: The invention discloses system and method for data authentication among processors. The method comprises: generating a first key, by a first processor, according to a first identification data and a first algorithm; generating a first digest, by the first processor, according to data to be transmitted, the first identification data and a second algorithm; generating a digital signature, by the first processor, according to the first key, the first digest and a third algorithm; and transmitting the data and the digital signature from the first processor to a second processor.
    Type: Grant
    Filed: November 11, 2012
    Date of Patent: June 9, 2015
    Assignee: HTC Corporation
    Inventor: Chao-Chung Hsien
  • Publication number: 20150150108
    Abstract: An information processing device including a controller configured to accept a selection of a service from among a plurality of services including a first service and a second service, control a display unit to display an authentication screen, when accepting a selection of the first service, control a communication unit to transmit authentication information input on the authentication screen displayed in response to acceptance of the selection of the first service, to a first external device configured to perform authentication for the first service, store into a storage the authentication information transmitted to the first external device, and when accepting a selection of the second service and determining that the authentication information is stored in the storage, control the communication unit to transmit the authentication information stored in the storage, to a second external device configured to perform authentication for the second service.
    Type: Application
    Filed: November 25, 2014
    Publication date: May 28, 2015
    Inventor: Norihiko ASAI
  • Publication number: 20150143499
    Abstract: A system includes authentication of a user with a first server, reception of a request from the user to authenticate the user with a second server, requesting, from the first server, in response to receiving the request, user credentials to access the second server, reception of the user credentials from the first server, and transmission of the user credentials to the second server.
    Type: Application
    Filed: January 29, 2015
    Publication date: May 21, 2015
    Inventors: Vladimir Videlov, Dimitar Mihaylov
  • Patent number: 9038146
    Abstract: A system, method and computer program product for using delegation as a mechanism to manage business activity by taking on a shared identity. In some implementations, the system includes a user interface module for receiving input signals from and sending information to a user, a delegate authentication module and an identity translation module. The delegate authentication module is operable to determine that an individual user identity is authorized to act as a delegate for an organization having an identity on a network-based software application and generate a verification signal. The delegate authentication module is coupled to the user interface module to receive the input signals from the user. The identity translation module is operable to translate the input signals from the user to a format such that they appear to be from the identity of the organization.
    Type: Grant
    Filed: January 29, 2014
    Date of Patent: May 19, 2015
    Assignee: Google Inc.
    Inventors: Pavan K. Desikan, Michael Nestler
  • Patent number: 9038152
    Abstract: A method performed by one or more processing devices, comprising: receiving a request for a quick response code associated with the hosted resource; generating a reference code that references information included in the request; and encoding the reference code into the requested quick response code; transmitting information indicative of the quick response code to the system hosting the resource; receiving a request for access to a resource, the request for access comprising a decoded version of the quick response code; determining that access is requested for the hosted resource; determining that a user who is requesting access to the hosted resource is permitted to access the hosted resource; responsive to determining that the user is permitted to access the hosted resource, transmitting a token for permitting the user to access the hosted resource; and transmitting a message specifying that the user is granted access to the hosted resource.
    Type: Grant
    Filed: June 17, 2013
    Date of Patent: May 19, 2015
    Assignee: MicroStrategy Incorporated
    Inventors: Hector Vazquez, Konstantin Angelov, Sergey Mironenko, Charlie Benatti
  • Patent number: 9038156
    Abstract: The present disclosure is directed to methods and systems for user registration, where a user is logged in to a first device in communication with a server, including: receiving an anonymous registration of a second device comprising a token, where the second device is in communication with the server; receiving a credential of the user and the token; finding the second device using the token; and registering the user on the second device using the credential.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: May 19, 2015
    Assignee: Avaya Inc.
    Inventors: Mehmet C. Balasaygun, David Aherns, Joel M. Ezell
  • Publication number: 20150135296
    Abstract: Centralized single sign-on service for entitlement for multiple different application interface objects to relational database objects is provided as a function of a set of relational extensible mark-up language links. Roles are mapped to a unique user identification by a first extensible mark-up language link. A permission value within a second extensible mark-up language link that specifies a type of access to a unique data object identification is linked to the roles mapped in the first link. An object type and an object name within another extensible mark-up language link are linked to the determined permission value and to the unique data object identification. Access to a data object within a database by different external applications is enabled pursuant to the determined permission value as a function of the data object having the unique data object identification, the first and the second external applications using different application formats.
    Type: Application
    Filed: November 14, 2013
    Publication date: May 14, 2015
    Applicant: International Business Machines Corporation
    Inventors: Stanley P. Cason, Gautam Majumdar, Prabhat Sharma
  • Publication number: 20150135297
    Abstract: Methods for the authentication of a web site by a visitor to the web site. The visitor uses a device, such as a portable device like a cell phone to compute a dynamic identification string and a one-time password. The dynamic identification string is sent to a service provider, such as a certification service server associated with the web site. In response, the server computes a one-time password that is transmitted to the visitor's device. The device computed one-time password can then be compared to the server computed one-time password in order to authenticate the web site.
    Type: Application
    Filed: January 9, 2015
    Publication date: May 14, 2015
    Inventor: Isaac J Labaton
  • Patent number: 9032496
    Abstract: Systems and methods that provide secure single sign-on are described herein. When a user provides credentials to a client device, the credentials may be intercepted and cached at a secure location, such as within a trusted environment. When a client process, such as a remote desktop program running on the client device, requests the credentials for single sign-on to a server providing remote desktop services, the credentials may be secured, such as within an opaque container that may be accessed only by components running in trusted environments, and provided to the client process. The client process may be running in an untrusted environment, such as an operating system session. The client device may forward the secured credentials to a trusted environment in the server, effectuating single sign-on.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: May 12, 2015
    Assignee: Citrix Systems, Inc.
    Inventor: Virgiliu Mocanu
  • Patent number: 9032481
    Abstract: An application to be installed is acquired. Security policy geographic information, which is geographic information of an application's target distribution area where a user permits installation, is acquired from security policy that defines processing regarding the application. Application geographic information, which is geographic information of an application's target distribution area, is acquired from the acquired application. Based on a comparison result of comparing the security policy geographic information with the application geographic information, whether or not to permit installation of the acquired application is determined.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 12, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Atsushi Ikeda
  • Patent number: 9027107
    Abstract: A method for realizing Single Sign-On (SSO) includes verifying, using prior information, whether authorization information issued by a first information processing system in response to successfully authenticating a user satisfies security requirements, providing, in a case where the authorization information is verified as satisfying the security requirements, a service without performing the user authentication, and performing, if an instruction to register a first information processing system that performs user authentication is received from the user, the registration by a method different from a method according to a management method of the prior information in the first information processing system.
    Type: Grant
    Filed: May 20, 2013
    Date of Patent: May 5, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hayato Matsugashita