Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/9)
-
Publication number: 20140337957
Abstract: In one aspect, the present disclosure is generally directed to a hardware token for completing an out-of-band authentication. In one embodiment, the hardware token performs a method that comprises: receiving an out-of-band encryption key from a client computing device; deriving a security credential that uniquely identifies the hardware token; transmitting the derived security credential and received out-of-band encryption key over the out-of-band communication channel to a network backend over a wireless network; receiving an in-band encryption key over the out-of-band communication channel; and transmitting the received in-band encryption key to the paired client computing device.
Type: Application
Filed: May 7, 2014
Publication date: November 13, 2014
Inventor: Dannie Gerrit Feekes
-
Publication number: 20140337959
Abstract: A system, computer-readable storage medium storing at least one program, and a computer-implemented method for controlling a local utility are disclosed. A first request originating from an application and including a first token is received at a local utility. The application received a web page, including a plurality of links and the first token, from a first server. The plurality of links are received by the application from a second server. The first token is authenticated. Authentication includes sending the first token to a third server. In response to authenticating the first token, a second token is generated at the local utility. The second token is sent to the application for inclusion in subsequent requests from the application.
Type: Application
Filed: July 29, 2014
Publication date: November 13, 2014
Inventors: Sten GARMARK, Nicklas SODERLIND, Samuel CYPRIAN, Aron LEVIN, Hannes GRAAH, Erik HARTWIG, Gunnar KREITZ
-
Publication number: 20140337958
Abstract: Methods and apparatus for preventing unauthorized access to online content, including in particular streaming video and other media, are provided. In various embodiments, techniques are provided to authorize users and to authenticate clients (e.g., client media players) to a content delivery system. The content delivery system may comprise a content delivery network with one or more content or "edge" servers therein. The requesting client is sent a program at the time of content delivery. The program may be embedded in the content stream, or sent outside of the stream. The program contains instructions that are executed by the client and cause it to return identifying information to the content delivery system, which can then determine whether the client player is recognized and, if so, authorized to view the content. Unrecognized and/or altered players may be prevented from viewing the content.
Type: Application
Filed: June 4, 2014
Publication date: November 13, 2014
Applicant: Akamai Technologies, Inc.
Inventors: Christopher R. Knox, William Law, Thomas Devanneaux, Nicholas Shayne Brookins, Akinwale Olugbemiga Olugbile
-
Publication number: 20140337955
Abstract: Authentication and authorization can be performed with a bundled token, which encapsulates two or more security tokens in a single security token. The bundled token can be supplied in response to a request for a token from a token service, for example. Subsequently, the bundled token can be sent in conjunction with a request for resource access, wherein more than one token is required to access the resource.
Type: Application
Filed: May 9, 2013
Publication date: November 13, 2014
Inventors: Meir Mendelovich, Sharon Laivand, Michael Binshtock, Avraham Carmon, Jairo A. Cadena Briceno, Mark Waitser, Tzvi Keisar
-
Patent number: 8887258
Abstract: The described apparatus and methods may include a processor, a memory in communication with the processor, a removable module in communication with the processor and operable to store data, an initialization component executable by the processor and configured to initialize the removable module, and an authentication component executable by the processor and configured to: receive a command from the removable module to perform an authentication operation, wherein the command is a standard message having a command qualifier value or code that represents an authentication challenge; obtain a random value from the removable module in response to the command; calculate a response based on the random value and a terminal key stored in the memory; and transmit the response to the removable module.
Type: Grant
Filed: June 4, 2012
Date of Patent: November 11, 2014
Assignee: QUALCOMM Incorporated
Inventors: Michele Berionne, Brian M. Rosenberg
-
Patent number: 8887260
Abstract: Systems and methods for enabling token-based access control to data are provided. In particular, some embodiments use a token-based access management system to allow or restrict an individual's ability to access data. The access management system uses tokens to define rules (e.g., a Boolean matching rule or algorithm that results in a true/false output indicating the decision) within the access management system to determine if the token is valid and if the individual should be granted access to the requested data. Tokens may further have tool constraints for controlling access. In some cases, the tokens may expire upon completion of a task or after a pre-set amount of time. A generic workflow utilizing tokens, and at least one specific workflow showing employees utilizing tokens as part of performing a task responsive to a user, are also described.
Type: Grant
Filed: October 25, 2012
Date of Patent: November 11, 2014
Assignee: Facebook, Inc.
Inventor: Garrett Marcotte
-
Patent number: 8886948
Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.
Type: Grant
Filed: August 12, 2013
Date of Patent: November 11, 2014
Assignee: InterDigital Patent Holdings, Inc.
Inventors: Andreas U. Schmidt, Michael V. Meyerstein, Andreas Leicher, Yogendra C. Shah, Louis J. Guccione, Inhyok Cha
-
Patent number: 8887259
Abstract: The present invention discloses an anonymous biometric verification system and method. In an embodiment of the invention, the system comprises a non-anonymous sector that retrieves biometric data (probes) by using biometric client(s). A unique identifier ("token") is retrieved from a database that contains biographic and demographic data associated with the token, but the token itself does not comprise the biographic or demographic data. The biometric data, in the form of template(s), along with the token are then sent via a cloud network to an anonymous sector. A query router, located at the non-anonymous sector, may receive probes with the token and send them to one or more biometric query engine(s), wherein the query engine(s) may work in either striped or mirrored operation mode. Query engine(s) may search for the location of template(s) in a templates database linked to a query search engine.
Type: Grant
Filed: October 2, 2012
Date of Patent: November 11, 2014
Assignee: ImageWare Systems, Inc.
Inventor: David Harding
-
Patent number: 8887250
Abstract: Techniques for extending federation services to access desktop applications are herein described. In addition to the foregoing, other aspects are described in the claims, drawings, and text forming a part of the present disclosure.
Type: Grant
Filed: December 18, 2009
Date of Patent: November 11, 2014
Assignee: Microsoft Corporation
Inventors: Sergey A. Kuzin, Olga B. Ivanova, Ashwin Palekar, Sriram Sampath, Arun K. Nanda, Lucas R. Melton
-
Patent number: 8887253
Abstract: Discussed is a method of operating a CPNS (converged personal network service) gateway apparatus. The method includes transmitting a registration request message including user information to a server; transmitting an installation request message including the user information to a terminal; generating first authentication data on the basis of authentication information received by a user input; transmitting a trigger message including the first authentication data to the terminal; receiving a key assignment request message including second authentication data from the terminal in response to the trigger message; transmitting the received key assignment request message to the server; receiving a key assignment response message including a user key for the terminal in response to the key assignment request message; and transmitting the received key assignment response message to the terminal.
Type: Grant
Filed: September 28, 2011
Date of Patent: November 11, 2014
Assignee: LG Electronics Inc.
Inventors: Younsung Chu, Jihye Lee
-
Patent number: 8886938
Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token; receiving, in response to the client loading the form, a request for a secondary token; providing the secondary token in response to receiving the request; and receiving the form comprising the primary token and the secondary token from the client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.
Type: Grant
Filed: December 31, 2012
Date of Patent: November 11, 2014
Assignee: Intuit Inc.
Inventor: Matthew Greenwood
-
Patent number: 8887257
Abstract: Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.). The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure.
Type: Grant
Filed: April 26, 2012
Date of Patent: November 11, 2014
Inventors: David T. Haggerty, Kevin McLaughlin, Jerrold Von Hauck, Arun Mathias
-
Publication number: 20140331302
Abstract: The object of this invention is a method for securing an electronic document. In particular, this invention relates to a method that prevents the forging of documents in which an electronic chip is incorporated. To that end, the invention proposes a method in which the data on the document medium are associated with a fingerprint of the document, so as to make them inseparable. That fingerprint is determined on the basis of measurable physical units of the electronic chip or the medium. Thus, the invention allows the combination of the physical protection of the document and the protection of the chip so as to reinforce the security of said documents.
Type: Application
Filed: December 13, 2012
Publication date: November 6, 2014
Applicant: GEMALTO SA
Inventors: Bruno Rouchouze, Claude Barral, Michael Guerassimo
-
Patent number: 8880027
Abstract: A method is performed by a computing device. The method includes, (a) at the computing device, wirelessly receiving an authentication code from an authentication card via near-field communications (NFC), (b) providing the authentication code received wirelessly via NFC to an authentication service configured to authenticate the user of the computing device based on the authentication code, and (c) in response to the authentication service authenticating the user based on the authentication code received wirelessly via NFC, providing the user with access to a resource via the computing device. Analogous computer program products and apparatuses are also described.
Type: Grant
Filed: December 29, 2011
Date of Patent: November 4, 2014
Assignee: EMC Corporation
Inventor: Philip Darringer
-
Patent number: 8881256
Abstract: Systems and methods provide a storage media on a portable physical object associated with a set of credentials that enables access to a set of computing resources associated with a set of Web services. In some embodiments, information including a set of credentials is prepackaged onto the storage media of the portable physical object. A pre-activated subscription to the set of Web services in a distributed system is provisioned. Access to the set of Web services is enabled when the portable physical object is coupled with a computing device and the set of credentials is authenticated. In some embodiments, the portable physical object is purchased by a user on a prepaid basis without requiring the user to register an account with the set of Web services, allowing the user to remain anonymous with respect to interaction with the set of Web services.
Type: Grant
Filed: December 21, 2011
Date of Patent: November 4, 2014
Assignee: Amazon Technologies, Inc.
Inventors: Gregory B. Roth, Cristian M. Ilac, James E. Scharf, Jr., Nathan R. Fitch, Graeme D. Baer, Brian Irl Pratt, Kevin Ross O'Neill
-
Patent number: 8881253
Abstract: Method and apparatus for accepting a digital identity of a user based on transitive trust among parties are described. One aspect of the invention relates to managing a digital identity of a user. The digital identity is provided to a first party, where the digital identity includes a self-asserted claim. An acceptance token is obtained from the first party. The acceptance token purports authenticity of the self-asserted claim according to the first party. The digital identity and the acceptance token are provided to a second party to request validation of the self-asserted claim by the second party based on the acceptance token.
Type: Grant
Filed: March 28, 2007
Date of Patent: November 4, 2014
Assignee: Symantec Corporation
Inventors: Sourabh Satish, Brian Hernacki
-
Patent number: 8881254
Abstract: A method and apparatus for managing virtual objects in a network is provided. The method includes creating a unique link between at least one virtual object and a physical token. The at least one virtual object is represented by a first set of distinct predefined properties and is associated with a data set. Further, the method includes maintaining information about the unique link between the at least one virtual object and the physical token and information about the first set of distinct predefined properties. Furthermore, the method includes regulating access to the at least one virtual object based on a second set of predefined properties and verification of the physical token.
Type: Grant
Filed: March 17, 2008
Date of Patent: November 4, 2014
Assignee: MagTek, Inc.
Inventors: Roger Warren Applewhite, Dean Adam Gittleson
-
Patent number: 8881260
Abstract: Cross-Domain guard with authentication and authorization function used to protect data transferred between two separate and secure networks. The guard utilizes an existing audit port to provide the capability to augment or replace data-forwarding decisions, which were previously based solely on whether the data is in a well-formed packet. The authentication and authorization may be resident in a partition, a side car processor or a separate network.
Type: Grant
Filed: September 29, 2010
Date of Patent: November 4, 2014
Assignee: Rockwell Collins, Inc.
Inventors: David S. Hardin, Raymond J. Richards, Matthew M. Wilding
-
Patent number: 8881255
Abstract: The invention relates to a portable token (SC) comprising a capability query mechanism (CQM). The capability query mechanism (CQM) is set to inform entities (PC, MW) willing to communicate with the portable token (SC) of at least a subset of the command(s) (C) available in the portable token (SC). The portable token (SC) is arranged to set a flag when the capability query mechanism (CQM) is invoked. When a command (C) is called, the portable token (SC) enforces first access conditions (AC1) for the command (C) if the flag is set, or second access conditions (AC2) if the flag is cleared.
Type: Grant
Filed: December 18, 2008
Date of Patent: November 4, 2014
Assignee: Gemalto SA
Inventor: Mourad Faher
-
Patent number: 8881302
Abstract: Aspects relate to determining whether a security token has previously been used in order to gain access to premium content. When a security token is received, the token is evaluated to determine whether the token has been previously received, which indicates an attempt to reuse the token. If the token was previously received, the token is rejected and access to the premium content is denied. If the token was not previously received, the token is analyzed by a third party verification process. If the third party verification process authenticates the token, access to the premium content is granted. With the disclosed aspects, a security vulnerability related to reuse of a security token can be mitigated.
Type: Grant
Filed: April 3, 2012
Date of Patent: November 4, 2014
Assignee: Google Inc.
Inventors: Oleg Ace, Robert Christopher Gaunt
-
Publication number: 20140325221
Abstract: Aspects of the disclosure relate to managed access to content and/or services. In certain aspects, tokens or other artifacts can be utilized for authentication and authorization.
Type: Application
Filed: March 18, 2014
Publication date: October 30, 2014
Inventors: Keith Alan Rothschild, Edgar V. Shrum, Muhammad Asif Raza, JR., Richard M. Thomas
-
Publication number: 20140325632
Abstract: In a method for using and maintaining user data stored on a smart card, a smart card receives a user data request for the user data stored on the smart card. The smart card determines whether the user data request is a data maintenance request or a data use request. A data maintenance request is for modifying user data stored on the smart card. A data use request is for read-only access to user data stored on the smart card. The smart card uses a first process to determine whether to allow the user data request when the user data request is determined to be a data maintenance request. The smart card uses a second process, different from the first process, to determine whether to allow the user data request when the user data request is determined to be a data use request.
Type: Application
Filed: July 14, 2014
Publication date: October 30, 2014
Inventor: EDUARD K. DE JONG
-
Patent number: 8874918
Abstract: A method for conditionally allowing fruition of broadcast contents, broadcast by a contents broadcaster and received by a user by means of a receiving equipment, includes: performing, locally at the receiving equipment of the user, a first fruition entitlement check based on first fruition entitlement data available locally at the receiving equipment; having the receiving equipment provide to the contents broadcaster the first fruition entitlement data exploiting a return communications channel of the receiving equipment; having the contents broadcaster perform a second fruition entitlement check based on a comparison between the received first fruition entitlement data and second fruition entitlement data available locally to the contents broadcaster; and conditioned on a result of the second check, having the contents broadcaster provide to the receiving equipment, exploiting the return communications channel, a fruition entitlement confirmation notification; at the receiving equipment, conditioning the fru
Type: Grant
Filed: April 28, 2005
Date of Patent: October 28, 2014
Assignee: Telecom Italia S.p.A.
Inventor: Paolo Goria
-
Patent number: 8875243
Abstract: A system is provided. The system comprises a processor, a memory, and an authorization application stored in the memory that, when executed by the processor, receives a first message from a first client device associated with a first domain, the first message containing a request to emulate a second client device associated with a second domain. The system also determines authorization for the first device to emulate the second device in the second domain. The system also associates an electronic cookie with a browser session initiated by the first device, the electronic cookie associated with access to the second domain. The system also provides the first device authorization to emulate the second device in the second domain using a generic login account wherein the second domain provides the first device limited cross-domain access based on the electronic cookie to targeted information associated with the second device.
Type: Grant
Filed: January 27, 2011
Date of Patent: October 28, 2014
Assignee: Sprint Communications Company L.P.
Inventors: Vijaykumar Cherukumudi, David K. Fultz
-
Patent number: 8875282
Abstract: The invention relates to a method of controlling access to a processing device using an access token with a machine readable identity. The method comprises reading the identity of the access token at the location of the processing device and querying a database comprising valid identities of access tokens, wherein each identity is associated with an access permission level. If the identity is a valid identity, the method further comprises determining the associated level of access and allowing a level of access to the processing device according to the associated access permission level. In some embodiments, the processing device is an Automated Teller Machine (ATM).
Type: Grant
Filed: March 30, 2009
Date of Patent: October 28, 2014
Assignee: NCR Corporation
Inventor: Colin A. Sinclair
-
Patent number: 8874904
Abstract: A first cryptographic device is configured to store a set of keys that is refreshed in each of a plurality of epochs. The first cryptographic device computes for each of at least a subset of the epochs at least one view based on at least a portion of the set of keys for that epoch, and transmits the views to a second cryptographic device in association with their respective epochs. At least one view computed for a current one of the epochs is configured for utilization in combination with one or more previous views computed for one or more previous ones of the epochs to permit the second cryptographic device to confirm authenticity of the set of keys for the current epoch. The first cryptographic device may include an authentication token and the second cryptographic device may include an authentication server.
Type: Grant
Filed: December 13, 2012
Date of Patent: October 28, 2014
Assignee: EMC Corporation
Inventors: Ari Juels, Kevin D. Bowers
-
Publication number: 20140317716
Abstract: A cloud deployment appliance (or other platform-as-a-service (IPAS) infrastructure software) includes a mechanism to deploy a product as a "shared service" to the cloud, as well as to enable the product to establish a trust relationship between itself and the appliance or IPAS. The mechanism further enables multiple products deployed to the cloud to form trust relationships with each other (despite the fact that each deployment and each product typically, by the nature of the cloud deployment, are intended to be isolated from one another). In addition, once deployed and provisioned into the cloud, a shared service can become part of a single sign-on (SSO) domain automatically. SSO is facilitated using a token-based exchange. Once a product registers with a token service, it can participate in SSO. This approach enables enforcement of consistent access control policy across product boundaries, and without requiring a user to perform any configuration.
Type: Application
Filed: April 18, 2013
Publication date: October 23, 2014
Applicant: International Business Machines Corporation
Inventors: Ching-Yun Chao, John Yow-Chun Chang, Paul W. Bennett, John C. Sanchez, Donald R. Woods, Yuhsuke Kaneyasu, Sriram Srinivasan, Stuart Robert Douglas Monteith, Marcos Lohmann
-
Patent number: 8869256
Abstract: A device, system and method for aggregating resources, services or data across a network in which data and services from various source networks can be converted into an internal, aggregatable form (or vice versa) that can be sent to relevant properties or systems on request or through scheduling. The framework of the device, system and method permits scalability and can potentially support any number of users, applications and services.
Type: Grant
Filed: January 23, 2009
Date of Patent: October 21, 2014
Assignee: Yahoo! Inc.
Inventors: Neal Sample, Paul Lo
-
Patent number: 8869253
Abstract: A method of accessing an internet based service, involves using a cellular telephony device to obtain a token from the provider of the internet based service, and within the cellular telephony device, using the token to calculate a time-limited password. The time-limited password is used in combination with at least one further user identification parameter to obtain access to the internet based service.
Type: Grant
Filed: March 8, 2007
Date of Patent: October 21, 2014
Assignee: Monitise Group Limited
Inventor: Steven Paul Atkinson
-
Patent number: 8869257
Abstract: An identity selector manages the identity requirements of an online interaction between a user and a service provider environment. The identity selector is adapted for interoperable use with a user-portable computing device. The user device enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The identity selector includes an agent module that facilitates communication with the user device. The identity selector imports the user identities from the user device and determines which user identities satisfy a security policy of a relying party. After the user selects one of the eligible user identities, the identity selector generates a token request based on the selected identity and forwards it to the user device, which in response issues a security token. The security token is returned to the identity selector and used to facilitate the authentication process.
Type: Grant
Filed: May 27, 2009
Date of Patent: October 21, 2014
Assignee: Open Invention Network, LLC
Inventor: Gail-Joon Ahn
-
Patent number: 8868929
Abstract: In one embodiment, a method for managing information in a large capacity UICC is provided comprising storing content of a file in a mass storage file system of the large capacity UICC, associating the file in the mass storage file system with a file in an ISO file system of the large capacity UICC, wherein the ISO file is associated with a security configuration defining security requirements for allowing its access; and hiding the content of the file in the mass storage file system in order to make it inaccessible. The method can further comprise requesting access from the mass storage file system to content of a file in the mass storage file system; and, if hidden, delivering security requirements to the ISO file system and determining whether the delivered security requirements agree with the security configuration of the file in the ISO file system associated with the file in the mass storage file system; and, if so, revealing the content to make it accessible.
Type: Grant
Filed: April 4, 2008
Date of Patent: October 21, 2014
Assignee: Microelectronica Espanola S.A.U.
Inventors: Javier Canis Robles, Robert C. Chang
-
Patent number: 8869258
Abstract: A system and method for troubleshooting errors that occur during token requests. An identity provider generates a session ID and uses the session ID when logging events that occur during handling of the request. Multiple servers, processes, or threads may use the same session ID. The session ID may be sent with an error message to the requester. An ID of one or more servers that processed the request may also be sent to the requester. Upon receiving the error message, the requester may provide the error information to an administrator, who uses the information to retrieve associated logged events.
Type: Grant
Filed: March 12, 2010
Date of Patent: October 21, 2014
Assignee: Microsoft Corporation
Inventors: Wei Wu, Balaji Azhagiyapandiapuram
-
Patent number: 8868915
Abstract: An authorization server receives a request for an access token, for accessing a protected resource, from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device. The authorization server performs authentication of the client identifier and the device identifier. The authorization server returns a valid access token to the client application, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.
Type: Grant
Filed: December 6, 2010
Date of Patent: October 21, 2014
Assignee: Verizon Patent and Licensing Inc.
Inventor: Raymond C. Counterman
-
Patent number: 8869263
Abstract: A wireless communications system may include a user-wearable device including a clasp having open and closed positions, a first wireless security circuit (WSC), and a first controller coupled to the clasp and the first WSC. The system may further include a mobile wireless communications device including a portable housing, an input device(s), a second WSC carried by the portable housing and configured to communicate with the first WSC when in close proximity therewith, and a second controller carried by the portable housing and coupled to the second WSC and the input device(s). The second controller may be configured to enable mobile wireless communications device(s) function based upon a manual entry of an authentication code via the input device(s), and bypass the manual entry and enable the mobile wireless communications device function(s) based upon a communication from the user-wearable device and a position of the clasp.
Type: Grant
Filed: February 26, 2010
Date of Patent: October 21, 2014
Assignee: BlackBerry Limited
Inventors: Jerome Pasquero, David Ryan Walker, Jason T. Griffin
-
Patent number: 8862890
Abstract: A biometric-information processing apparatus and method including storing sample biometric information of a user each time biometric authentication processing for verifying sample biometric information of a user against enrolled biometric information registered in a first storage unit succeeds, where the user's sample biometric information is stored in a second storage unit, and selecting an update-candidate biometric information for updating the user's enrolled biometric information from the user's sample biometric information stored in the second storage unit, based on a result of verification of multiple pieces of the user's sample biometric information stored in the second storage unit against enrolled biometric information of other users.
Type: Grant
Filed: March 19, 2010
Date of Patent: October 14, 2014
Assignee: Fujitsu Limited
Inventor: Ken Kamakura
-
Patent number: 8863266
Abstract: A lightweight throttling mechanism allows for dynamic control of access to resources in a distributed environment. Each request received by a server of a server group is parsed to determine tokens in the request, which are compared with designated rules to determine whether to process or reject the request based on usage data associated with an aspect of the request, the token values, and the rule(s) specified for the request. The receiving of each request can be broadcast to throttling components for each server such that the global state of the system is known to each server. The system then can monitor usage and dynamically throttle requests based on real time data in a distributed environment.
Type: Grant
Filed: September 14, 2012
Date of Patent: October 14, 2014
Assignee: Amazon Technologies, Inc.
Inventors: Soumya Sanyal, Ernest S. Powers, III, Mack Zhou, Matthew T. Tavis, Stephen A. Slotnick, John Wai Yam Hui, Charles Porter Schermerhorn
-
Patent number: 8863265
Abstract: Remote sign-out of web based service sessions. As a part of remote sign-out of web based service sessions, a user authentication token is accessed that is used to establish a web based service session, and this user authentication token is stored in memory of an authentication server and returned in a cookie to the device. User access and deletion of the user authentication token from memory is accommodated using a device different from that which initially established the web based service session. Upon receipt of a browser request involving the user authentication token, it is determined whether the user authentication token is stored in memory. An access denial indication is provided to a web based service that indicates that the user authentication token is not stored in memory.
Type: Grant
Filed: June 23, 2008
Date of Patent: October 14, 2014
Assignee: Microsoft Corporation
Inventors: Johnny Liu, Keith Senzel, Ye Gu
-
Patent number: 8863241
Abstract: The present invention discloses a system for securely managing usage rights of a plurality of software applications on a plurality of client computer devices, to be authorized by a server application.
Type: Grant
Filed: February 8, 2011
Date of Patent: October 14, 2014
Inventors: Michael Ratiner, Alexander Aurovsky, Anatoly Hurgin, Alexander Rubinov
-
Publication number: 20140304768
Abstract: A tamper-resistant security device, such as a subscriber identity module or equivalent, has an AKA (Authentication and Key Agreement) module for performing an AKA process with a security key stored in the device, as well as means for external communication. The tamper-resistant security device includes an application that cooperates with the AKA module and an internal interface for communications between the AKA module and the application. The application cooperating with the AKA module is preferably a security and/or privacy enhancing application. For increased security, the security device may also detect whether it is operated in its normal secure environment or a foreign less secure environment and set access rights to resident files or commands that could expose the AKA process or corresponding parameters accordingly.
Type: Application
Filed: June 19, 2014
Publication date: October 9, 2014
Inventors: Mats NÄSLUND, Karl Norrman, Tomas Goldbeck-Löwe
-
Publication number: 20140304795
Abstract: A modular identity authentication apparatus for a computer system includes at least two different authentication technologies, such as biometric fingerprint readers, NFC-RFID receivers, and BYOD sensors. Each modular apparatus provides multiple authentication sensors that are connected through a single port at a computer terminal location. System software permits terminal use when all module devices are authenticated, and shuts down the terminal whenever the module is disconnected.
Type: Application
Filed: April 2, 2014
Publication date: October 9, 2014
Inventors: Philip J. Bruno, Robert A.D. Schwartz, Paul Schwartz
-
Publication number: 20140304796
Abstract: Guest users are enabled to access network resources through an enterprise network using a guest user account. A guest user account may be created for a guest for a limited time. Guest account credentials of the guest account may be provided to the guest to use the guest account using any of a variety of techniques described herein, for example, by scanning a guest access card, credit card or mobile telephone of the guest user, and providing the guest account credentials to the user based on the information obtained. A guest access management server may be configured to generate and maintain guest accounts, authenticate guest users, and track and log guest activity. VLAN technology may be used to separate guest traffic from host enterprise traffic on the host enterprise network. After a guest user is authenticated, communications to and from the guest user may be routed to a guest VLAN.
Type: Application
Filed: June 19, 2014
Publication date: October 9, 2014
Inventors: Amer A. Hassan, Andrew T. Baron, Christian Huitema, Mahmood H. Khadeer, Vishesh M. Parikh, Deyun Wu, Wajih Yahyaoui
-
Patent number: 8856908
Abstract: Aspects of the invention relate to systems and methods for securely retaining profile data and the use of such data for the targeted delivery of content. In one embodiment, a unique profile that represents the user location and is keyed to profile attributes selected from both a first set of data collected from the user location and a second set of profile data collected from an external source is generated. The key does not allow a third party to identify the end-user location or a user associated with the end-user location. Electronic content transmitted to end-user locations may be encoded such that it may only be accessed by an authorized user and/or on a specific electronic device at the user location. A graphical user interface may be utilized to allow a third party to provide selection criteria for determining user locations to receive targeted content. Further aspects of the invention relate to an electronic device configured to present targeted content to a user at a user location.
Type: Grant
Filed: February 12, 2009
Date of Patent: October 7, 2014
Assignee: Comcast Cable Communications, LLC
Inventor: Walter F. Michel
-
Patent number: 8856918
Abstract: A host validation system runs on a portable storage device, and protects data stored thereon from unauthorized access by host computers. The system identifies a host to which the portable device is coupled, for example by using the host's TPM. This can further comprise identifying the host's current configuration. The system uses the identification and configuration information to verify whether the host is approved to access data stored on the portable device. The system provides the host a level of data access responsive to this verification. This can involve denying all data access to the host, or providing at least some access to data stored on the portable device, for example based on a stored access policy specifying levels of access to provide to specific hosts with specific configurations.
Type: Grant
Filed: January 7, 2010
Date of Patent: October 7, 2014
Assignee: Symantec Corporation
Inventors: Petros Efstathopoulos, Bruce Montague, Dharmesh Shah, Kevin Butler
-
Patent number: 8856063
Abstract: A personalization of a batch of smart cards is provided. A user is provided with a plurality of queries regarding smart card features. Responses to the plurality of queries are received from the user. A personalization data file is generated using the responses to the plurality of queries, where the personalization data file comprises values which may be used to provide features on a batch of smart cards.
Type: Grant
Filed: October 23, 2013
Date of Patent: October 7, 2014
Assignee: Visa International Service Association
Inventors: Carl Smith, Trudy Hill
-
Patent number: 8856529
Abstract: Methods and systems provide secure functions for a mobile client. A circuit may include a memory configured to store a server access key and a first function authentication key. The circuit may also include authentication circuitry configured to access the server access key to authenticate access to a server to download a function capsule comprising a first function, and to access the first function authentication key to authenticate use of the first function of the function capsule.
Type: Grant
Filed: December 18, 2013
Date of Patent: October 7, 2014
Assignee: Broadcom Corporation
Inventors: Edward H. Frank, Mark Buer, Jeyhan Karaoguz
-
Publication number: 20140298443
Abstract: Some embodiments of the present disclosure provide a system for providing access control. The system may include an extension module for extending a host website; and a marketplace server that is configured to: receive a request to access the extension module from a browsing device, where the browsing device maintains a browsing session with the host website, and the extension module exchanges data with the host website; generate a first authorization token that is associated with the browsing session; and send, to the browsing device, the first authorization token. The extension module may be configured to receive a second authorization token from the browsing device. One of the extension module or the marketplace server may then be further configured to: verify that the second authorization token matches the first authorization token; and if verification is successful, the extension module can be allowed to exchange data with the host website and communicate with the browsing device.
Type: Application
Filed: March 4, 2014
Publication date: October 2, 2014
Inventor: Brian Amaro
-
Patent number: 8850230
Abstract: This document describes tools capable of enabling cloud-based movable-component binding. The tools, in some embodiments, bind protected media content to a movable component in a mobile computing device in a cryptographically secure manner without requiring the movable component to perform a complex cryptographic function. By so doing, the mobile computing device may request access to content and receive permission to use the content quickly and in a cryptographically robust way.
Type: Grant
Filed: January 14, 2008
Date of Patent: September 30, 2014
Assignee: Microsoft Corporation
Inventors: Patrik Schnell, Alexandre V Grigorovitch, Kedarnath A Dubhashi
-
Patent number: 8850538
Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising: generating an OTP at the token generator according to a variance technique, wherein the variance technique is selected from a set of variance techniques; receiving the OTP at a validator; determining, at the validator, the variance technique used by the token generator to generate the OTP; and determining whether to validate the OTP based on the OTP and the variance technique.
Type: Grant
Filed: October 21, 2013
Date of Patent: September 30, 2014
Assignee: EMC Corporation
Inventors: Daniel Bailey Vernon, John G Brainard, William M Duane, Michael J O'Malley, Robert S Philpott
-
Patent number: 8850549
Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
Type: Grant
Filed: May 3, 2010
Date of Patent: September 30, 2014
Assignee: BeyondTrust Software, Inc.
Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
-
Patent number: 8850218
Abstract: A system and method is provided for generating a one-time passcode (OTP) from a user device. The method includes providing a passcode application and a cardstring defined by a provider account to the user device. The passcode application is configured to generate a passcode configured as a user OTP for the provider account, using the cardstring. The cardstring is defined by at least one key camouflaged with a personal identification number (PIN). The key may be camouflaged by modifying the key and encrypting the modified key under the PIN. The key may be configured as a symmetric key, a secret, a seed, and a controlled datum. The cardstring may be an EMV cardstring, and the key may be a UDKA or UDKB. The cardstring may be an OTP cardstring, and the key may be a secret configurable to generate one of a HOTP, a TOTP, and a counter-based OTP.
Type: Grant
Filed: October 14, 2013
Date of Patent: September 30, 2014
Assignee: CA, Inc.
Inventors: Geoffrey R. Hird, Rammohan Varadarajan