Abstract: Systems and methods for secure user authentication are described. In certain embodiments, a client device such as a smartphone may be provisioned with a secure key and/or other secret information. The client device may be used to generate unique secure tokens and/or other credentials used in connection with an authentication process. A user may provide the generated tokens and/or other credentials to a service provider in connection with a request to access a managed service. The validity of the generated tokens and/or other credentials may be verified by an authentication service in communication with the service provider.

Abstract: Disclosed are various approaches for performing biometric authentication of users using an application running on a client device. A biometric model can be trained using biometric data from a population of users. The biometric model can be used by the client application to authenticate users and can be separate from system-level biometric authentication capabilities of the client device.

Abstract: Systems and methods for passing account authentication information via parameters. A server can provide, to a client device, an account parameter derived from an account credential used to authenticate a first application to insert into a link. The link can include an address referencing a second application. The account parameter can be passed from the first application to the second application responsive to an interaction on the link. The server can receive from the second application of the client device, subsequent to passing the account parameter from the first application to the second application, a request to authenticate the second application including the account parameter. The server can authenticate the client device for the second application using the account parameter. The server can transmit, responsive to authenticating the client device for the second application, an authentication indication to the second application of the client device.

Abstract: Systems/Methods are disclosed of establishing a capability at a smartphone to be able to conduct a financial transaction and then using the established capability in performing the financial transaction by paying for a product. According to some embodiments, said establishing is performed responsive to sensing a physiological parameter and determining that the physiological parameter sensed satisfies a criterion. Then, an authorization to establish said capability is requested and, responsive to receiving the authorization, the capability to be able to conduct the financial transaction is established at the smartphone. The capability that has been established may then be used in performing the financial transaction responsive to the smartphone sensing proximity to an access point maintained by a vendor and responsive to the physiological parameter being sensed and satisfying the criterion.

Abstract: Methods, systems, and apparatuses are described herein for improving computer authentication processes by generating authentication questions based on the location of a user. Transaction data indicating a plurality of transactions associated with a user account may be received. Location data indicating a plurality of locations of a user device might be received. At least a subset of the plurality of transactions may be tagged, based on the location data, with an indication that a user was present for a respective transaction. For example, a location of a merchant might be compared to a user device location indicated by the location data. A plurality of authentication questions might be generated based on the subset of the plurality of transactions. Access to the user account might be provided based on responses to the plurality of authentication questions.

Abstract: A method is disclosed. The method includes establishing, by a first device, a wireless connection to a second device; transmitting a request, by the first device and to the second device, for location data indicative of a location of the second device; receiving, by the first device and from the second device, the location data indicative of the location of the second device; determining, by the first device, a distance between the first device and the second device based at least in part on the received location data; generating, by the first device, an altered value based on the received location data and the determined distance; and transmitting, by the first device and to the second device, the altered value and an account identifier associated with a user of the first device.

Abstract: A method is disclosed and includes receiving, by a record server computer from a first processing network computer, a token, a device identifier associated with a user device, a session identifier associated with a registration request, and metadata about the token, and then receiving a metadata request from a second processing network computer in response to the second processing network computer receiving an authorization request message comprising the token, and the device identifier and/or the session identifier. The metadata request comprises at least the device identifier and/or the session identifier. The method also includes retrieving, by the record server computer, metadata associated with the metadata request, and providing the metadata to the second processing network computer. The second processing network computer processes the authorization request message using the token and the metadata.

Abstract: Presented are user-friendly battery powered touchless identity card emulator systems and methods that allow existing ID management installations, such as physical card reader systems, to securely operate without requiring a physical key and irrespective of type, model, shape, and size of reader and card format. Various embodiments integrate wireless functionality to existing systems to enable mobile access to provide advanced user/identity management capabilities for access control systems.

Abstract: A smart door lock system and a control method thereof are proposed. More specifically, in the smart door lock system and the control method thereof, door-lock area information is displayed on an outer side of a door, the door-lock area information including: any one or more pieces of door-lock area state information on states of a door lock area entered through a door lock in which a smart door lock is installed; and door-lock area user information of users who use the door lock area.

Abstract: A method and a system for securely controlling a remote measurement device. A connection between at least one remote measurement device and a server, such as a server computer, connected to the Internet is established. By a firewall, the at least one remote measurement device is protected from unauthorized access via the Internet. In case of an event of the at least one remote measurement device, an event notification is sent from the at least one remote measurement device to the server via the firewall. A temporary access token is generated by the server in response to the event notification received from the remote measurement device. Access is temporarily granted to the at least one remote measurement device based on the temporary access token.

Abstract: Improved techniques for secure access to cloud-based services via a gateway proxy. The improved techniques can efficiently manage remote access to cloud-based services by local processing agents in a secure manner using an intermediate authentication token issued by a gateway proxy to authorized local processing agents. The intermediate authentication token can be used to obtain authentication credentials of service providers that are needed to access the cloud-based services that are offered by service providers. In some embodiments, the authentication credentials of service providers need only be distributed to the gateway proxy and need not be distributed beyond the gateway proxy. The improved techniques are well suited for used with robotic process automation systems in which local processing agents, such as software agents, perform user tasks in an automated fashion.

Abstract: Facilitating the generation of ephemeral credentials and verification thereof within a distributed storage system is provided herein. Based on a request for ephemeral credentials from a first account client to a first node of a first storage instance of a distributed system, generating the ephemeral credential comprising a session token and a secret session key for the first account client by a method that derives the secret session key using a first account private key and a first storage instance public key. This session token along with a signature generated using the secret session key of the ephemeral credential is subsequently used to make further requests to a second node of a second storage instance of the distributed system where the secret session key is independently derived using information in the request and the previously shared first account private key to verify the signature in the request.

Abstract: Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second identity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; when the identity information meets the expectations of the access control list, completing the request.

Abstract: Described is a multiple-camera system and process for detecting, tracking, and re-verifying agents within a materials handling facility. In one implementation, a plurality of feature vectors may be generated for an agent and maintained as an agent model representative of the agent. When the object being tracked as the agent is to be re-verified, feature vectors representative of the object are generated and stored as a probe agent model. Feature vectors of the probe agent model are compared with corresponding feature vectors of candidate agent models for agents located in the materials handling facility. Based on the similarity scores, the agent may be re-verified, it may be determined that identifiers used for objects tracked as representative of the agents have been flipped, and/or to determine that tracking of the object representing the agent has been dropped.

Abstract: An apparatus and a method for registering a device in a cloud server are provided. The apparatus includes detecting the device by using short-range communication, requesting an authentication code used for registering the device in the cloud server from an account server in response to the device being detected, receiving the authentication code from the account server, and transmitting the received authentication code and connection address information of the cloud server to the device.

Abstract: A system and method are disclosed capable of parsing a spoken utterance into a natural language request and a speech audio segment, where the natural language request directs the system to use the speech audio segment as a new wakeword. In response to this wakeword assignment directive, the system and method are further capable of immediately building a new wakeword spotter to activate the device upon matching the new wakeword in the input audio. Different approaches to promptly building a new wakeword spotter are described. Variations of wakeword assignment directives can make the new wakeword public or private. They can also add the new wakeword to earlier wakewords, or replace earlier wakewords.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: A coupling of two electronic apparatuses for a wireless information exchange. The coupling is authenticated through the evaluation of motion patterns previously executed by the apparatuses.

Abstract: Disclosed herein are display techniques that will allow sensitive data displayed on a computer screen to only be viewed by authorized users and will render computer screen unreadable to unauthorized users. One or more display techniques are capable of automatically scrambling and unscrambling display screen of the computing device in which only an intended viewer is able to view data on the display screen using deciphering glasses.

Abstract: Methods, computer-readable media, software, and apparatuses are provided to assist a user and vendor in completing an online trusted transaction. Trusted vendor websites are verified and user identities are confirmed through a cyber-security safe logon credentialing system. The vendor can be confident that the user identity has been verified to be who they say they are and the user can be confident that they are using a trusted verified vendor website.

Abstract: A service processing method includes receiving, by a mobile phone, a first identifier from a head device of a vehicle after the head device receives a trigger request to perform a vehicle door opening service, determining, by the mobile phone based on the first identifier, to perform authentication, indicating, by the mobile phone, the head device to perform the vehicle door opening service when the authentication succeeds, or determining, by the mobile phone based on the first identifier, not to perform the authentication, and sending, by the mobile phone, location information of the mobile phone, and an indication that indicating a location of the mobile phone and a location of the head device are normal to the head device.

Abstract: The present embodiments relate to systems and methods for automatic sign in upon account signup. Particularly, the present embodiments can utilize a federated login approach for automatic sign in upon account signup for a cloud infrastructure. Specifically, the signup and sign in service (also known as SOUP) and an identity provider portal can be configured such that the nodes are aware of each other as Security Assertion Markup Language (SAML) partners. After new account registration, the signup service can redirect the user browser to a cloud infrastructure console to start with a federated login flow, where a sign in service can issue a SAML authentication request, and redirects it to signup service. Responsive to validating the browser using a SAML authentication process, the browser can be automatically signed into the new account and allowed access the account relating to the cloud infrastructure service.

Abstract: A method for determining a key for securing communication between a user apparatus and an application server. An authentication server of a mobile communication network and the user apparatus generate a secret master key during an authentication procedure. The user apparatus sends the authentication server a request for a key to communicate with the application server and receives a random variable. The authentication server and the user apparatus calculate the requested key by using a key derivation function applied to at least the random variable, a user identifier and an application server identifier using the master key.

Abstract: A method and system that allows authorized individuals access into controlled access locations and the ability to grant temporary and limited access to guests into these locations. The method and system allow for navigational services to be provided to members and guests, and real-time tracking and confirmation to members and administrators that guests have arrived at their destination and did not enter any unauthorized areas. The method preferably can work through a system of wireless radio, sound and/or light-based beacons communicating with member and guest's electronic devices. Members and administrators can send one or more temporary electronic access keys to a guest's smartphone or other electronic device. Wireless radio, sound and/or light-based beacons provide an access control and location tracking system with real-time data about the member and guest whereabouts, allowing for the confirmation and tracking.

Abstract: A system for routing an identity validation request comprises at least one processor in communication with computer-readable storage, the computer-readable storage having stored thereon instructions for causing the at least one processor to: receive, from a requesting device, an identity validation request, the identity validation request comprising identity data and a payment credential; determine, from the payment credential, an issuer of the payment credential; transmit, to the issuer, a verification service request message that comprises the identity data and the payment credential; receive, from the issuer, a verification service response indicating whether or not the identity data has previously been associated with the payment credential; and based on the verification service response, transmit, to the requesting device, an indication as to validity of the identity data.

Abstract: A system for accessing protected data comprising a token retriever system operating on a processor and configured to receive a token from a user and to transmit a request including the token to a detokenization system over a data communications medium. The detokenization system configured to receive the token, to verify that the request has been received from an authorized source, and to transmit a response to the request that includes an account number associated with the token. The token retriever system is configured to receive the account number and to display the account number for a predetermined period of time.

Abstract: A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

Abstract: Systems and methods providing authentication in a microservice system. In some embodiments, the method comprises receiving, from the user interface application, a user interface response corresponding to the user interface request; and sending the user interface response to the client computer. Some embodiments comprise when no cache entry corresponding to the user interface session token is present in the user interface session cache, directing the user interface request to a login service. Some embodiments comprise when the login service receives valid login credentials from the client computer, sending a new user interface session token to the client computer. Some embodiments comprise invalidating the cache entries in the user interface session cache according to a cache expiry policy; and determining whether the cache entry corresponding to the particular user interface session token is valid. In some embodiments, the user interface request session token consists of a single value.

Abstract: A method and system for a one-time authentication interaction to conduct electronic financial transactions using a wearable smart ring device is described. In one embodiment, a method includes detecting, by a mobile device, that a wearable smart ring device is being worn by a user. The method also includes receiving, by the mobile device, authentication information associated with the user, and comparing the received authentication information with stored authentication information associated with the user. Upon determining that the received authentication information matches the stored authentication information, the wearable smart ring device is authorized to conduct electronic financial transactions. Additionally, the wearable smart ring device remains authorized to conduct electronic financial transactions as long as it is worn by the user. Once removed from the user's finger, the wearable smart ring device is de-authorized.

Abstract: At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.

Abstract: A privacy-enhancing system, method, and non-transitory computer-readable medium for securely identifying or verifying an individual over time without retaining sensitive biometric data (e.g., biometric images or biometric templates) for the purpose of securely storing data regarding the individual.

Abstract: Methods and systems are disclosed for providing secure authentication in a virtual or augmented reality environment using an interactive icon. One method comprises: receiving, over a computer network, a request for payment authorization; identifying, based on the request for payment authorization, a virtual reality interface; generating an icon in the virtual reality interface, the icon having a randomized display of authentication characters; receiving user input associated with at least one character of the of payment authentication characters in the virtual reality interface; and generating a payment authorization response to the request for payment authorization based on the received user input.

Abstract: A control system includes a control target device communicable with an information terminal and a server system. The server system includes an issue unit issuing a registration code in accordance with an input format of the information terminal in response to an issue request of a registration code from the control target device and a reply unit replying the registration code to the control target device. The control target device presents the replied registration code. If the presented registration code is inputted to the information terminal, information including the inputted registration code and an ID of the information terminal is transmitted to the server system. If the registration code transmitted from the information terminal and an input format thereof coincide with the registration code issued from the issue unit and an input format thereof, the server system performs registration processing for associating the information terminal with the control target device.

Abstract: This invention relates to systems and methods for authenticating transactions using a mobile device based primarily on the introduction of a layer of middleware and wherein the Payment Networks, Merchants, Issuing Banks, Credit Reporting Bureaus, Insurance Companies, Healthcare Providers may customize the implementation of the services based on individual strategy and consumer preferences.

Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.

Abstract: A system comprising: a wireless kill switch and a computer; said wireless kill switch comprising: a housing, a radio transmitter, a microcontroller, an operable button, and a battery; said housing encasing the radio transmitter, the microcontroller, and the battery and allowing for operation of the operable button; the radio transmitter transmitting a continuous service signal to be received by a receiver on said computer and a heartbeat signal generated as a data packet on a first predetermined time basis; wherein said system maintains an operational state upon receipt of the continuous service signal and receipt of the heartbeat signal at a second predetermined time basis; and wherein the system modifies the computer to a different state than the operational state upon omission of the continuous service signal or the heartbeat signal.

Abstract: A Secure Access Gateway and Registry is provided for secure access to security related service information, to operate a security feature of a motor vehicle, by a validated Individual. The system is implemented with a general purpose computer, internet, mobile device, and secure data release Registry software application. An Individual is employed as a vehicle service professional. The Individual inputs a Registry Application data. The Registry uses the Registry Application data to generate a background search result data. The Registry uses the search result data to determine eligibility, and assign a Registered Vehicle Service Professional Identification code. The Individual uses the Registered Vehicle Service Professional Identification code to input a Form D1 authorization data, and to access an Automaker website. The Registry uses the D1 authorization data to determine a legal possessory interest in a motor vehicle, to be serviced.

Abstract: A method for transmitting data in a computer network is provided, which comprises, at a first node of the network: receiving a computing puzzle from a puzzle server node of the network distinct from the first node; determining a solution to the puzzle for transmitting a message to a second node of the network distinct from the puzzle server node; and transmitting data to the second node, wherein the transmitted data comprises a message and the determined solution to the puzzle.

Abstract: Techniques described herein are directed to point-of-sale (POS) authorization and access control. A POS application operating in a first state can send a first instruction to a reader device to prepare to read payment data associated with a payment instrument and, responsive to receiving the payment data from the reader device, can process a transaction using the payment data. In a second state, the POS application can send a second instruction to the reader device to prepare to read non-payment data associated with an identification instrument of a user and, responsive to receiving the non-payment data from the reader device, can verify an identity of the user and/or grant the user permission to perform an operation. The POS application can transition between the first state and the second state based at least in part on a type of instrument to be read by the reader device.

Abstract: A physical access control system enables acceptable portal entry codes upon receiving each physical access request by operating on the elapsed time from a previous physical access request to generate a temporal credential. The controller receives a plurality of physical access requests from a plurality of mobile application devices. Upon authenticating the first access request, the controller eliminates repetition from the space of acceptable successor requests from each mobile application device. Monotonic nonces advance the range of temporal code matches. Entry code generation is decentralized to distributed application devices and is inherently unknowable until a successor access request is initiated by the same application device.

Abstract: Methods are disclosed for setting up a microservice, enhancing a ledger of microservices with a further microservice and accessing medical datasets stored in a microservice. The microservice contains the medical dataset in an encrypted form. The microservice includes an access logic based on accessing entity information. The access logic defines access conditions to the medical dataset and is configured to grant access to the medical dataset upon the access conditions being fulfilled.

Abstract: A system and a method are disclosed for securing sensitive data for transaction requests using tokenization and encryption. A secure transfer system secures sensitive information of transaction requests. The secure transfer system may receive a transaction request file and generate a modified transaction request file by tokenizing values in the received file. For each transaction request in the file, the system may store a representation of the untokenized values in a datastore in conjunction with an identifier of the transaction request. This identifier may be generated from the tokenized values. The secure transfer system may use the identifier to query the datastore for the representation of the untokenized values. The system may decrypt encrypted values in the representation to generate a transaction request file of detokenized values, which may be provided to an automated clearing house to fulfill the transaction requests.

Abstract: A method including receiving, by a server computer, a request message from a token requestor computer on behalf of a user device. The request message comprising a first current token tracking value and a first function index value. The server computer can determine a second function index value. The server computer can then compare the first function index value to the second function index value. If the first function index value and the second function index value match, the server computer can determine a function based on the first function index value and a stored function table associated with the user device. The server computer can then determine a second current token tracking value based on the function, then compare the first current token tracking value to the second current token tracking value. The server computer can generate a response message in response to the comparing.

Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.

Abstract: Disclosed are systems and methods for improving interactions with and between computers in an authentication system supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data across platforms, which data can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods enable users to access web-based resources on a first device by authenticating themselves on a second device. A user can provide identifying information to a web-based resource on a first device, and as a result, the user receives a message at his/her already registered second device. The user then authenticates himself/herself on the second device by reusing the means of authentication that exist on the user's second device, which results in the user being granted entry to the web-based resource on the first device.

Abstract: proviced is an authentication method based on a GBA, and the method includes: a BSF receives an initialization request message sent by a UE, wherein the initialization request message carries a first identifier of the UE, and the first identifier comprises at least one of the following: a SUCI, an identifier converted from the SUCI, and a TMPI associated with the subscriber identity; the BSF acquires an AV of the UE according to the first ID; the BSF completes GBA authentication with the UE according to the acquired AV. In this way, the privacy of the SUPI is protected for the UE, and the SUCI or the identifier converted from the SUCI is used to perform the bootstrapping process of the GBA, thereby improving the security of the GBA authentication process.

Abstract: An information handling system may include at least one processor; and a memory coupled to the at least one processor. The information handling system may be configured to: execute an application on the at least one processor, wherein at least a portion of data of the application is stored encrypted in a secure enclave region of the memory; and securely transfer execution of the application to a second information handling system by: transmitting platform configuration register (PCR) measurement data to the second information handling system; and transmitting the data of the application to the second information handling system; wherein the PCR measurement data is usable by the second information handling system to perform a remote attestation, the remote attestation including verification of the PCR measurement data to confirm that the data of the application has not been changed.

Abstract: Provided are a payment card, system and method for storing and reading tokenized payment account information from a payment card. In an exemplary embodiment, a payment card may include a substrate forming a body of the payment card, and an electronic chip attached to or included in the substrate. According to various exemplary embodiments, the electronic chip may include a storage storing tokenized payment account information corresponding to a payment account linked to the payment card. The electronic chip may be read by a payment terminal and may provide the tokenized payment information to the payment terminal during reading.

Abstract: Systems and methods for generating and implementing a real-time multi-factor authentication policy across multiple channels, are configured to: during a pre-authentication stage: receive, via a user interface, information defining one or more scenarios; receive, via the user interface, information defining one or more authentication flows; for each of the one or more scenarios, map one of the one or more authentication flows to a given scenario; and generate a multi-factor authentication policy associated with each of the one or more scenarios; and during a real-time authentication stage: upon receiving an interaction, identify, by a decision engine, a relevant scenario of the one or more scenarios; implement, by the decision engine, the multi-factor authentication policy associated with the relevant scenario; and determine, by the decision engine, an authentication result.

Abstract: One embodiment provides a method, including: receiving, at a server from a device, a request for device authentication across an unsecure network, the request including a device registration token; generating, at the server, a shared registration key utilizing the device registration token; verifying, at the server, the device registration token by comparing the device registration token to a function of the shared registration key; and producing, at the server and responsive to verifying the device registration token, a one-time activation token and sending the one-time activation token to the device. Other aspects are described and claimed.