Abstract: Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second identity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; when the identity information meets the expectations of the access control list, completing the request.

Abstract: Described is a multiple-camera system and process for detecting, tracking, and re-verifying agents within a materials handling facility. In one implementation, a plurality of feature vectors may be generated for an agent and maintained as an agent model representative of the agent. When the object being tracked as the agent is to be re-verified, feature vectors representative of the object are generated and stored as a probe agent model. Feature vectors of the probe agent model are compared with corresponding feature vectors of candidate agent models for agents located in the materials handling facility. Based on the similarity scores, the agent may be re-verified, it may be determined that identifiers used for objects tracked as representative of the agents have been flipped, and/or to determine that tracking of the object representing the agent has been dropped.

Abstract: An apparatus and a method for registering a device in a cloud server are provided. The apparatus includes detecting the device by using short-range communication, requesting an authentication code used for registering the device in the cloud server from an account server in response to the device being detected, receiving the authentication code from the account server, and transmitting the received authentication code and connection address information of the cloud server to the device.

Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.

Abstract: A system and method are disclosed capable of parsing a spoken utterance into a natural language request and a speech audio segment, where the natural language request directs the system to use the speech audio segment as a new wakeword. In response to this wakeword assignment directive, the system and method are further capable of immediately building a new wakeword spotter to activate the device upon matching the new wakeword in the input audio. Different approaches to promptly building a new wakeword spotter are described. Variations of wakeword assignment directives can make the new wakeword public or private. They can also add the new wakeword to earlier wakewords, or replace earlier wakewords.

Abstract: A coupling of two electronic apparatuses for a wireless information exchange. The coupling is authenticated through the evaluation of motion patterns previously executed by the apparatuses.

Abstract: Disclosed herein are display techniques that will allow sensitive data displayed on a computer screen to only be viewed by authorized users and will render computer screen unreadable to unauthorized users. One or more display techniques are capable of automatically scrambling and unscrambling display screen of the computing device in which only an intended viewer is able to view data on the display screen using deciphering glasses.

Abstract: Methods, computer-readable media, software, and apparatuses are provided to assist a user and vendor in completing an online trusted transaction. Trusted vendor websites are verified and user identities are confirmed through a cyber-security safe logon credentialing system. The vendor can be confident that the user identity has been verified to be who they say they are and the user can be confident that they are using a trusted verified vendor website.

Abstract: A service processing method includes receiving, by a mobile phone, a first identifier from a head device of a vehicle after the head device receives a trigger request to perform a vehicle door opening service, determining, by the mobile phone based on the first identifier, to perform authentication, indicating, by the mobile phone, the head device to perform the vehicle door opening service when the authentication succeeds, or determining, by the mobile phone based on the first identifier, not to perform the authentication, and sending, by the mobile phone, location information of the mobile phone, and an indication that indicating a location of the mobile phone and a location of the head device are normal to the head device.

Abstract: A method for determining a key for securing communication between a user apparatus and an application server. An authentication server of a mobile communication network and the user apparatus generate a secret master key during an authentication procedure. The user apparatus sends the authentication server a request for a key to communicate with the application server and receives a random variable. The authentication server and the user apparatus calculate the requested key by using a key derivation function applied to at least the random variable, a user identifier and an application server identifier using the master key.

Abstract: The present embodiments relate to systems and methods for automatic sign in upon account signup. Particularly, the present embodiments can utilize a federated login approach for automatic sign in upon account signup for a cloud infrastructure. Specifically, the signup and sign in service (also known as SOUP) and an identity provider portal can be configured such that the nodes are aware of each other as Security Assertion Markup Language (SAML) partners. After new account registration, the signup service can redirect the user browser to a cloud infrastructure console to start with a federated login flow, where a sign in service can issue a SAML authentication request, and redirects it to signup service. Responsive to validating the browser using a SAML authentication process, the browser can be automatically signed into the new account and allowed access the account relating to the cloud infrastructure service.

Abstract: A method and system that allows authorized individuals access into controlled access locations and the ability to grant temporary and limited access to guests into these locations. The method and system allow for navigational services to be provided to members and guests, and real-time tracking and confirmation to members and administrators that guests have arrived at their destination and did not enter any unauthorized areas. The method preferably can work through a system of wireless radio, sound and/or light-based beacons communicating with member and guest's electronic devices. Members and administrators can send one or more temporary electronic access keys to a guest's smartphone or other electronic device. Wireless radio, sound and/or light-based beacons provide an access control and location tracking system with real-time data about the member and guest whereabouts, allowing for the confirmation and tracking.

Abstract: A system for routing an identity validation request comprises at least one processor in communication with computer-readable storage, the computer-readable storage having stored thereon instructions for causing the at least one processor to: receive, from a requesting device, an identity validation request, the identity validation request comprising identity data and a payment credential; determine, from the payment credential, an issuer of the payment credential; transmit, to the issuer, a verification service request message that comprises the identity data and the payment credential; receive, from the issuer, a verification service response indicating whether or not the identity data has previously been associated with the payment credential; and based on the verification service response, transmit, to the requesting device, an indication as to validity of the identity data.

Abstract: A system for accessing protected data comprising a token retriever system operating on a processor and configured to receive a token from a user and to transmit a request including the token to a detokenization system over a data communications medium. The detokenization system configured to receive the token, to verify that the request has been received from an authorized source, and to transmit a response to the request that includes an account number associated with the token. The token retriever system is configured to receive the account number and to display the account number for a predetermined period of time.

Abstract: A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

Abstract: Systems and methods providing authentication in a microservice system. In some embodiments, the method comprises receiving, from the user interface application, a user interface response corresponding to the user interface request; and sending the user interface response to the client computer. Some embodiments comprise when no cache entry corresponding to the user interface session token is present in the user interface session cache, directing the user interface request to a login service. Some embodiments comprise when the login service receives valid login credentials from the client computer, sending a new user interface session token to the client computer. Some embodiments comprise invalidating the cache entries in the user interface session cache according to a cache expiry policy; and determining whether the cache entry corresponding to the particular user interface session token is valid. In some embodiments, the user interface request session token consists of a single value.

Abstract: A method and system for a one-time authentication interaction to conduct electronic financial transactions using a wearable smart ring device is described. In one embodiment, a method includes detecting, by a mobile device, that a wearable smart ring device is being worn by a user. The method also includes receiving, by the mobile device, authentication information associated with the user, and comparing the received authentication information with stored authentication information associated with the user. Upon determining that the received authentication information matches the stored authentication information, the wearable smart ring device is authorized to conduct electronic financial transactions. Additionally, the wearable smart ring device remains authorized to conduct electronic financial transactions as long as it is worn by the user. Once removed from the user's finger, the wearable smart ring device is de-authorized.

Abstract: At least initially blocking client download of certain content and injecting a user verification step for such downloads is disclosed. In some embodiments, a notification page with an option to accept a response from a server is provided to a client, an indication of user selection of the option to accept in the notification page is received from the client, and requested content received from the server is provided to the client. Injecting a user verification step via the notification page before providing requested content facilitates protecting the client from security threats.

Abstract: A privacy-enhancing system, method, and non-transitory computer-readable medium for securely identifying or verifying an individual over time without retaining sensitive biometric data (e.g., biometric images or biometric templates) for the purpose of securely storing data regarding the individual.

Abstract: Methods and systems are disclosed for providing secure authentication in a virtual or augmented reality environment using an interactive icon. One method comprises: receiving, over a computer network, a request for payment authorization; identifying, based on the request for payment authorization, a virtual reality interface; generating an icon in the virtual reality interface, the icon having a randomized display of authentication characters; receiving user input associated with at least one character of the of payment authentication characters in the virtual reality interface; and generating a payment authorization response to the request for payment authorization based on the received user input.

Abstract: This invention relates to systems and methods for authenticating transactions using a mobile device based primarily on the introduction of a layer of middleware and wherein the Payment Networks, Merchants, Issuing Banks, Credit Reporting Bureaus, Insurance Companies, Healthcare Providers may customize the implementation of the services based on individual strategy and consumer preferences.

Abstract: A mechanism for building decentralized computer applications that execute on a distributed computing system. The present technology works within a web browser, client application, or other software and provides access to decentralized computer applications through the browser. The present technology is non-custodial, wherein a public-private key pair, which represents user identity, is created on a client machine and then directly encrypted by a third-party platform without relying on one centralized computing system.

Abstract: A control system includes a control target device communicable with an information terminal and a server system. The server system includes an issue unit issuing a registration code in accordance with an input format of the information terminal in response to an issue request of a registration code from the control target device and a reply unit replying the registration code to the control target device. The control target device presents the replied registration code. If the presented registration code is inputted to the information terminal, information including the inputted registration code and an ID of the information terminal is transmitted to the server system. If the registration code transmitted from the information terminal and an input format thereof coincide with the registration code issued from the issue unit and an input format thereof, the server system performs registration processing for associating the information terminal with the control target device.

Abstract: A system comprising: a wireless kill switch and a computer; said wireless kill switch comprising: a housing, a radio transmitter, a microcontroller, an operable button, and a battery; said housing encasing the radio transmitter, the microcontroller, and the battery and allowing for operation of the operable button; the radio transmitter transmitting a continuous service signal to be received by a receiver on said computer and a heartbeat signal generated as a data packet on a first predetermined time basis; wherein said system maintains an operational state upon receipt of the continuous service signal and receipt of the heartbeat signal at a second predetermined time basis; and wherein the system modifies the computer to a different state than the operational state upon omission of the continuous service signal or the heartbeat signal.

Abstract: A Secure Access Gateway and Registry is provided for secure access to security related service information, to operate a security feature of a motor vehicle, by a validated Individual. The system is implemented with a general purpose computer, internet, mobile device, and secure data release Registry software application. An Individual is employed as a vehicle service professional. The Individual inputs a Registry Application data. The Registry uses the Registry Application data to generate a background search result data. The Registry uses the search result data to determine eligibility, and assign a Registered Vehicle Service Professional Identification code. The Individual uses the Registered Vehicle Service Professional Identification code to input a Form D1 authorization data, and to access an Automaker website. The Registry uses the D1 authorization data to determine a legal possessory interest in a motor vehicle, to be serviced.

Abstract: A method for transmitting data in a computer network is provided, which comprises, at a first node of the network: receiving a computing puzzle from a puzzle server node of the network distinct from the first node; determining a solution to the puzzle for transmitting a message to a second node of the network distinct from the puzzle server node; and transmitting data to the second node, wherein the transmitted data comprises a message and the determined solution to the puzzle.

Abstract: Techniques described herein are directed to point-of-sale (POS) authorization and access control. A POS application operating in a first state can send a first instruction to a reader device to prepare to read payment data associated with a payment instrument and, responsive to receiving the payment data from the reader device, can process a transaction using the payment data. In a second state, the POS application can send a second instruction to the reader device to prepare to read non-payment data associated with an identification instrument of a user and, responsive to receiving the non-payment data from the reader device, can verify an identity of the user and/or grant the user permission to perform an operation. The POS application can transition between the first state and the second state based at least in part on a type of instrument to be read by the reader device.

Abstract: A system and a method are disclosed for securing sensitive data for transaction requests using tokenization and encryption. A secure transfer system secures sensitive information of transaction requests. The secure transfer system may receive a transaction request file and generate a modified transaction request file by tokenizing values in the received file. For each transaction request in the file, the system may store a representation of the untokenized values in a datastore in conjunction with an identifier of the transaction request. This identifier may be generated from the tokenized values. The secure transfer system may use the identifier to query the datastore for the representation of the untokenized values. The system may decrypt encrypted values in the representation to generate a transaction request file of detokenized values, which may be provided to an automated clearing house to fulfill the transaction requests.

Abstract: A physical access control system enables acceptable portal entry codes upon receiving each physical access request by operating on the elapsed time from a previous physical access request to generate a temporal credential. The controller receives a plurality of physical access requests from a plurality of mobile application devices. Upon authenticating the first access request, the controller eliminates repetition from the space of acceptable successor requests from each mobile application device. Monotonic nonces advance the range of temporal code matches. Entry code generation is decentralized to distributed application devices and is inherently unknowable until a successor access request is initiated by the same application device.

Abstract: Methods are disclosed for setting up a microservice, enhancing a ledger of microservices with a further microservice and accessing medical datasets stored in a microservice. The microservice contains the medical dataset in an encrypted form. The microservice includes an access logic based on accessing entity information. The access logic defines access conditions to the medical dataset and is configured to grant access to the medical dataset upon the access conditions being fulfilled.

Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.

Abstract: A method including receiving, by a server computer, a request message from a token requestor computer on behalf of a user device. The request message comprising a first current token tracking value and a first function index value. The server computer can determine a second function index value. The server computer can then compare the first function index value to the second function index value. If the first function index value and the second function index value match, the server computer can determine a function based on the first function index value and a stored function table associated with the user device. The server computer can then determine a second current token tracking value based on the function, then compare the first current token tracking value to the second current token tracking value. The server computer can generate a response message in response to the comparing.

Abstract: Provided are a payment card, system and method for storing and reading tokenized payment account information from a payment card. In an exemplary embodiment, a payment card may include a substrate forming a body of the payment card, and an electronic chip attached to or included in the substrate. According to various exemplary embodiments, the electronic chip may include a storage storing tokenized payment account information corresponding to a payment account linked to the payment card. The electronic chip may be read by a payment terminal and may provide the tokenized payment information to the payment terminal during reading.

Abstract: proviced is an authentication method based on a GBA, and the method includes: a BSF receives an initialization request message sent by a UE, wherein the initialization request message carries a first identifier of the UE, and the first identifier comprises at least one of the following: a SUCI, an identifier converted from the SUCI, and a TMPI associated with the subscriber identity; the BSF acquires an AV of the UE according to the first ID; the BSF completes GBA authentication with the UE according to the acquired AV. In this way, the privacy of the SUPI is protected for the UE, and the SUCI or the identifier converted from the SUCI is used to perform the bootstrapping process of the GBA, thereby improving the security of the GBA authentication process.

Abstract: Disclosed are systems and methods for improving interactions with and between computers in an authentication system supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data across platforms, which data can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods enable users to access web-based resources on a first device by authenticating themselves on a second device. A user can provide identifying information to a web-based resource on a first device, and as a result, the user receives a message at his/her already registered second device. The user then authenticates himself/herself on the second device by reusing the means of authentication that exist on the user's second device, which results in the user being granted entry to the web-based resource on the first device.

Abstract: An information handling system may include at least one processor; and a memory coupled to the at least one processor. The information handling system may be configured to: execute an application on the at least one processor, wherein at least a portion of data of the application is stored encrypted in a secure enclave region of the memory; and securely transfer execution of the application to a second information handling system by: transmitting platform configuration register (PCR) measurement data to the second information handling system; and transmitting the data of the application to the second information handling system; wherein the PCR measurement data is usable by the second information handling system to perform a remote attestation, the remote attestation including verification of the PCR measurement data to confirm that the data of the application has not been changed.

Abstract: One embodiment provides a method, including: receiving, at a server from a device, a request for device authentication across an unsecure network, the request including a device registration token; generating, at the server, a shared registration key utilizing the device registration token; verifying, at the server, the device registration token by comparing the device registration token to a function of the shared registration key; and producing, at the server and responsive to verifying the device registration token, a one-time activation token and sending the one-time activation token to the device. Other aspects are described and claimed.

Abstract: Systems and methods for generating and implementing a real-time multi-factor authentication policy across multiple channels, are configured to: during a pre-authentication stage: receive, via a user interface, information defining one or more scenarios; receive, via the user interface, information defining one or more authentication flows; for each of the one or more scenarios, map one of the one or more authentication flows to a given scenario; and generate a multi-factor authentication policy associated with each of the one or more scenarios; and during a real-time authentication stage: upon receiving an interaction, identify, by a decision engine, a relevant scenario of the one or more scenarios; implement, by the decision engine, the multi-factor authentication policy associated with the relevant scenario; and determine, by the decision engine, an authentication result.

Abstract: This Application sets forth techniques for provisioning and activating electronic subscriber identity modules (eSIMs) for mobile wireless devices. An eSIM is reserved during a sales order process and later activated during device activation after receipt by a user. An option for eSIM installation in place of (or in addition to) physical SIM installation is provided when purchasing the mobile wireless device. The reserved eSIM can replace a previous SIM/eSIM or be a new eSIM. During device activation, installation and activation of the eSIM occurs. Activation of the eSIM can occur before or after deactivation of a transferred SIM/eSIM. The mobile wireless device accounts for propagation delay of eSIM activation through MNO servers by disabling and re-enabling the eSIM until initial attachment to an MNO cellular wireless network succeeds or a maximum number of retry attempts is reached.

Abstract: A security application on the terminal uses a client application in a rich execution environment (REE), a general trusted application in a trusted execution environment (TEE), and a secure element (SE) application in a SE. The general trusted application is shared by a plurality of security applications. A method includes receiving, by the general trusted application, a first request from a first client application, determining a corresponding first SE application, sending the first request to the first SE application, sending, by the first SE application, a first command to the general trusted application, executing, by the general trusted application, the first command, returning a first execution result to the first SE application, sending, by the first SE application, a first response to the general trusted application based on the first execution result, and sending, by the general trusted application, the first response to the first client application.

Abstract: Disclosed are a television apparatus and a display method. The television apparatus includes a display configured to display an image, a communication interface configured to communicate with a mobile device and one or more servers, and a controller in connection with the display and the communication interface. The controller is configured to receive authentication information from a second server of the one or more servers, display the authentication information on the display of the display apparatus, receive a display request for displaying an item in actual physical size from the second server, and display the item in actual physical size on the display of the television apparatus.

Abstract: A network access control system includes a communication device and an authorization system. The communication device is configured to communicate time-critical messages through a time-sensitive network during scheduled time windows. The communication device is further configured to be communicatively connected to a candidate device and to receive a network access request from the candidate device while blocking the candidate device from communicating through the time-sensitive network. The authorization system is communicatively connected to the communication device and configured to authorize the candidate device via a multi-factor authentication protocol that requires a user of the candidate device to successfully provide multiple identification factors. In response to the authorization system authorizing the candidate device, the communication device is configured to grant the candidate device restricted access to one or more of send or receive approved messages through the time-sensitive network.

Abstract: The technology teaches a distributed gaming system, comprising a server-side node configured to administer transactions for a gambling casino, selling and redeeming chips using a private database, and recording transactions on a distributed ledger using crypto-tokens for a house account, with a token vault wallet that has a unique identifier and private key to track transactions. Customer wallets, intermediary accounts and one-way redemption wallets track transactions on the distributed ledger.

Abstract: A computing device may include a memory and a processor configured to cooperate with the memory to establish a connection with a client device, with the client device having a first credential to connect the client device to a computing service, and the first credential being provided by a proxy. The processor may further receive a request from the client device via the connection to validate the first credential before use of the first credential by the client device, and validate the first credential with use of a second credential for the computing service obtained independent of the proxy.

Abstract: A user, using a user-computing device connected to a computer network, is authenticated to access a computing resource managed by a system on the computer network. The user computing device presents a user interface to prompt the user to input a value for each of a set of user-defined credentials that the user has previously defined for a SAIF server to authenticate the user to access the computer resource, thereby forming a set of input values. Modified values, each generated from and representing a corresponding one of the input values, are transmitted and validated by comparing them with corresponding modified forms of user-defined credential values stored in a memory, thereby determining whether the user is authenticated to access the computing resource on the system.

Abstract: In some embodiments, a user device may detect, via pattern recognition by a user application, a pattern (indicative of a given code type) presented on a physical object. The user device may cause, via the user application, a code scanning application to be launched based on the detection to scan the pattern. The user device may obtain, via the user application, a code (associated with a biller entity) of the given code type from the code scanning application based on the code scanning application's scan. The user device may cause, via the user application, the code or information derived from the code to be provided over the Internet to a computer system hosting accounts of a user of the user application. The code or the derived information may be used by the computer system to complete transactions between the biller entity and at least one of the accounts.

Abstract: An approach to allow cloud-based positioning systems to use their own identity provider. An extra field is included in a token that is used to look up the identity provider for token verification for each user. Each access claim of the access token is checked for invalidity. If no invalid claims are found, accepting the authorization request. If an invalid claim is found, rejecting the authorization request.

Abstract: An information processing apparatus includes a processor configured to receive target authorization information to be collated, from an execution request source of a plug-in that extends access from an outside, in a case of executing the plug-in, and perform a process of controlling availability of execution of the plug-in, by using unique predetermined authorization information owned by the plug-in and the target authorization information.

Abstract: An apparatus (308) comprising means for: receiving, from a second user equipment (312), a request for communication with a first user equipment (302), after a period of time during which the apparatus was not operating; receiving information from a home subscriber server (310) comprising an expiry value for registration of the first user equipment with the apparatus; and determining that the registration has expired.

Abstract: The disclosed computer-implemented method for running applications on a multi-tenant container platform may include (1) receiving, at a host administrator service on a container host computing device and via a host administrator service socket handle, a request for a privileged operation from an application running in a non-privileged container, (2) performing, based on a user identifier of the application, a security check of a user associated with the application, (3) comparing, when the security check results in approval, a process identifier of the requested privileged operation against a whitelist of permitted operations to determine the requested privileged operation is permissible, and (4) initiating running, when the requested privileged operation is permissible, the requested privileged operation. Various other methods, systems, and computer-readable media are also disclosed.