Abstract: Systems and methods for processing tokenization requests to facilitate safe storage of tokens. An epoch is identified as a current epoch based on a current system time of a node. A seed value is computed by the node based on a start time of the epoch and a secret. A plurality of ephemeral tokens is generated by a randomization service of the node for a set of sensitive data based on the seed value. Each ephemeral token of the plurality of ephemeral tokens has a usable life defined by the epoch. Each sensitive data instance in the set of sensitive data is associated with a particular ephemeral token of the plurality of ephemeral tokens to create a mapping structure in a main memory of the node. A tokenization service of the node is configured to process tokenization requests using the mapping structure.

Abstract: A method at a computing device is described. The method comprises executing an application for verifying a location of a user requesting to access a location-based service, receiving, at the application, information indicating a location of the computing device, and encoding, with the application, at least the location to thereby generate a location token for responding to a challenge for the location token. The method further comprises outputting the location token from the application, the location token configured for use in applying a location-based access policy that controls access by the user to the location-based service.

Abstract: To ensure that clients use the most current versions of schemas and provide requests to particular Application Programming Interfaces (APIs) in a desired order, identifiers associated with resources may be used to determine client requests that comply with desired schemas and API interactions. When a request to access a first resource is received, a link to a second resource and an identifier may be provided. When a request to access the second resource is received, if the identifier associated with the request is absent or does not match the expected identifier, the request may be denied without using computational resources to process the request. Identifiers may include strings included in Uniform Resource Identifiers (URIs) or query parameters. Identifiers may also include modified field names, arrangements, or other characteristics of schemas associated with the requests. Schemas of received requests may be converted to standard schemas to prepare a response.

Abstract: A server for providing media files for download by a user with an operating system in which the user is created, a media table stored in a memory, in which at least a first media ID is assigned to a first media file and a second media ID is assigned to a second media file, an identification table stored in a memory, in which an identifier that can be assigned to an identification carrier is stored and assigned to the user, and an assignment table stored in a memory, wherein the first media ID and/or the second media ID can be assigned, in the allocation table, to the identifier and the first media ID is not assigned to the identifier, with a program routine provided on the server, with which the user changes the allocation table and assigns the first media ID to the identifier in the allocation table.

Abstract: Methods, systems, and computer-readable storage media for receiving, from a first component and by a second component in a cloud platform, a call, a token, and a first client certificate, determining, by the second component, a first client identifier associated with the first component, and determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response: executing functionality responsive to the call.

Abstract: Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. At the completion of the authorization process, the PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.

Abstract: A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

Abstract: The real-time data acquisition and recording data sharing system works in conjunction with a real-time data acquisition and recording system and a viewer which provides real-time, or near real-time, access to a wide range of data, such as event and operational data, video data, and audio data to remotely located users such as asset owners, operators and investigators. The data sharing system allows the user to share data obtained from the data acquisition and recording system to remotely located users. The user can share data with remote recipient end users that have internet access and a modern web browser in a secure, controlled, tracked, and audited way. The user, instead of sharing files, shares a URL to the data. URL based data sharing enables the user to control, track, and audit sensitive data. The user will be able to share data to improve the safety of the world's transportation systems without fear of unauthorized data dissemination.

Abstract: The invention is a method for managing a tamper-proof device comprising a processor and an operating system able to handle a set of communication protocols with external entities. The operating system accesses a ruling data specifying for each communication protocol of the set whether Card Lock, Card Terminate and Final Application privileges as defined by GlobalPlatform Card Specification (V2.3) are authorized or forbidden. Upon receipt of a command from one of said external entities, the operating system uses the ruling data to deny or to authorize execution of the command based on the communication protocol used to convey the command.

Abstract: The invention is a method for managing a tamper-proof device comprising a plurality of software containers and an operating system. The operating system is able to handle a set of communication protocols with external entities. The operating system accesses a pairing data in which each communication protocol of said set has been associated with a single software container and upon receipt of a message from one of the external entities, the operating system uses the pairing data to route the message to the software container associated with the communication protocol used to convey the message.

Abstract: A security mechanism, e.g., a computing system, security server, can effectively serve as a centralized security mechanism, e.g., a computing system, security server, for an ecosystem that can include diverse clients and servers. The security mechanism can obtain redirected requests for services, authenticate credentials of a client and generate a (client-side) token that can be provided by the client to the server for verification of the identity of the client. The security mechanism can also obtain a token from a server that can be similar to a (client-side) token provided to a client and then generate a (server-side) token that can be provided to a server. The server-side token can include authorization information that allows access to one or more services of one or more other servers.

Abstract: A method includes receiving, at a mobile device management (MDM) server, a message indicating a location at a healthcare facility. The method also includes identifying, at the MDM server, a mobile device assigned to the location. The method further includes sending a remote reset command from the MDM server to the mobile device.

Abstract: A portable storage device for connecting to a computer. The storage device includes a digital memory storage, a digital lock mechanism coupled to the digital memory storage, a wireless communication system coupled to the digital lock mechanism and a communication interface coupled to the digital lock mechanism. The communication interface is for connecting the portable storage device to the computer. The digital lock mechanism operates to prevent data in the digital memory storage from being transferred over the communication interface to the computer unless the digital lock mechanism is unlocked using the wireless communication system. A method for connecting and the portable storage device to a computer and then unlocking the portable storage device using the communication interface and the wireless communication system is also provided.

Abstract: An identification adapter for an identification device has a reading unit and a control unit. The control unit is connected to the reading unit via a data communication connection. The identification adapter has a receiving unit for wirelessly receiving identification data (ID). Also, the identification adapter has a data transmission unit designed to transmit the received identification data (ID) to the control unit on the same data communication connection as the reading unit.

Abstract: Systems and methods for controlling an edge computing device. The method includes, receiving a user input requesting access to a resource of the edge computing device, determining whether the user has privileges to access the resource by: formulating a claims request which requests claims based on the determined identity of the user, sending the claims request to a local claims provider agent executed by a processor of the edge computing device, determining, based on claim request handling factors, whether the local claims provider agent can generate a token including the requested claims, and if so, generating the token with the requested claims; if not, a request may be sent to a cloud service-side claims provider to receive the token. The method includes authorizing access to the resource based on a predetermined policy that specifies the presence of a predefined resource parameter in the requested claims is sufficient.

Abstract: A system for authenticating a user at a relying party application using an authentication application and automatically redirecting to a target application includes a processor. The processor is configured to 1) make an API call that comprises (i) an authentication challenge that corresponds to an authentication request and (ii) a call back URL that is specified by a relying party application; 2) retrieve at least one of a target application link or a null value from a table; 3) authenticating the user based on an authentication challenge response to the at least one authentication challenge; and 4) invoking the target application link from the table to automatically redirect from the authentication application to the target application specified in the target application link.

Abstract: A method for a user to access resources within a secure network without inputting a username or password is presented and claimed where the method comprises inputting, by the user, login credentials into an authentication service and obtaining from the authentication service at least one secret code; inputting the at least one secret code into an OTCP to initialize the OTCP; generating within the OTCP a one-time code (OTC) utilizing the at least one secret code but not including the user's login credentials or username; supplying, by the user, the OTC to a secure web portal wherein the secure web portal confirms authenticity of the OTC with the authentication service; and the secure web portal supplying access to the user of the secure web portal resources upon receipt of authentication of the user.

Abstract: A client application requesting to access a resource may be issued an access token and a refresh token. Instead of revoking the client application access to a resource by revoking the refresh token, allowing the access token to expire, and forcing a user associated with the client application to re-login, authentication for the client application to access the resource may be obtained from the user. The authentication may be obtained from the user while the client application, without notification of the concurrent authentication, may continue attempts to access the resource, for example, via an invalid access token. Once authentication is obtained, the client application may be provided access to the resource, for example, via a valid access token.

Abstract: An information processing apparatus includes: an acquisition unit that acquires first group information concerning a user from authentication result information including an authentication result transmitted from an external apparatus in a case where the user is authenticated by the external apparatus; and a permission unit that permits the user to use a service provided by the information processing apparatus within a range of authority set for second group information concerning the user in a case where the acquired first group information is associated with the second group information.

Abstract: Techniques for authentication via a mobile device are provided. A mobile device is pre-registered for website authentication services. A user encounters a website displaying an embedded code as an image alongside a normal login process for that website. The image is identified by the mobile device, encrypted and signed by the mobile device and sent to a proxy. The proxy authenticates the code and associates it with the website. Credentials for the user are provided to the website to automatically authenticate the user for access to the website bypassing the normal login process associated with the website.

Abstract: An example operation may include one or more of registering a first service node and a second service node for accessing a common data store, providing to the second client node, by the first client node, a data access request token key and a data access receipt key corresponding to a data access request, responsive to a receipt of the access request token key and the data access receipt key by the second service, retrieving a result from the common data store; and providing the result to the second client node.

Abstract: A controller for a fulfilment service operation is described in which the controller, before initiating fulfilment of the job, operates to determine if an authorised user is present at a fulfilment service device and to determine if the user intends to remain attendant at the fulfilment service device for the duration of fulfilment of the job. If the user moves away from the fulfilment service device, the controller operates to pause the job. If the user remains away from the fulfilment service device for a period of time, the controller operates to cancel the job.

Abstract: Implementations disclose methods and systems for facilitating an automated user login into a first application hosted by a first-screen device. A method includes detecting, by a second-screen device, a message transmitted by the first-screen device over a network; determining, based on the message, that the first application hosted by the first-screen device is requesting user authentication for the automated user login; presenting, via a second application hosted by the second-screen device, a prompt for user input indicating user acceptance of the automated user login; receiving the user input indicating the user acceptance of the automated user login; and responsive to the user input, transmitting an authentication code from the message to the server device to perform the user authentication for the automated user login into the first application.

Abstract: Methods, apparatus, and processor-readable storage media for automatically determining configuration-based issue resolutions across multiple devices using machine learning models are provided herein. An example computer-implemented method includes training, using historical data related to device information and device configuration information from a set of devices, multiple machine learning models; determining, in connection with input data associated with a given device from the set of devices, a device issue and a corresponding device issue resolution, by processing the input data using at least a first of the machine learning models; identifying additional devices within the set of devices that are similar to the given device by processing the input data using at least a second of the machine learning models; and performing, based on the determined device issue resolution, automated actions in connection with the given device and at least a portion of the identified additional devices.

Abstract: An information processing apparatus includes a processor programmed to execute a process. The process includes obtaining, from apparatus management information associating identifiers of other information processing apparatuses with resources of services being used by the other information processing apparatuses, one or more of the identifiers of the other information processing apparatuses associated with resources of a service available to a user, displaying the obtained one or more of the identifiers of the other information processing apparatuses on a display device as remote connection destinations in association with the resources of the service available to the user such that the resources of the service available to the user are selectable, and performing remote sharing with one or more of the other information processing apparatuses whose identifiers are associated with a resource selected on the display device from the resources of the service available to the user.

Abstract: The present invention relates to the automatic configuration of a measuring and test device in a multi-user test system. Individual users are initially authenticated. An individual user profile can be generated for authenticated users. The individual user profile can be stored in a user database. After authentication of a user, the user profile can be read-out from the profile database and then a measuring and test device can then be automatically adjusted corresponding to the user profile.

Abstract: A terminal includes a relay unit, a memory, and an access unit. The relay unit relays communication between a different terminal and a server that requires two-step authentication at a time of providing a service. The memory stores first identification information for identifying the different terminal. The access unit accesses the server. In a case where data to be transmitted to the server includes second identification information for identifying the terminal, the access unit transmits the first identification information, in place of the second identification information included in the data, to the server.

Abstract: Application-manager software authenticates a user of a client device over a channel. The authentication operation is performed using a directory service. The application-manager software presents a plurality of applications in a GUI displayed by the client device. The plurality of applications depends on the authentication, the client device, and the channel. And the plurality of applications includes a thin application and a software-as-a-service (SaaS) application. The application-manager software receives a selection as to an application from the user. If the selection is for the SaaS application, the application-manager software provisions the SaaS application. The provision includes automatically logging the user onto an account with a provider of the SaaS application using a single sign-on and connecting the user to the account so that the user can interact with the SaaS application. If the selection is for the thin application, the application manager software launches the thin application.

Abstract: Systems and methods for generating and implementing a real-time multi-factor authentication policy across multiple channels, are configured to: during a pre-authentication stage: receive, via a user interface, information defining one or more scenarios; receive, via the user interface, information defining one or more authentication flows; for each of the one or more scenarios, map one of the one or more authentication flows to a given scenario; and generate a multi-factor authentication policy associated with each of the one or more scenarios; and during a real-time authentication stage: upon receiving an interaction, identify, by a decision engine, a relevant scenario of the one or more scenarios; implement, by the decision engine, the multi-factor authentication policy associated with the relevant scenario; and determine, by the decision engine, an authentication result.

Abstract: Embodiments of the invention are directed to systems and methods for validating transactions using a cryptogram. One embodiment of the invention is directed to a method of processing a remote transaction initiated by a communication device provisioned with a token. The method comprises receiving, by a service provider computer, from an application on the communication device, a request for a token authentication cryptogram, wherein the token authentication cryptogram includes encrypted user exclusive data. The service provider computer may generate the token authentication cryptogram to include the user exclusive data. The service provider computer may send the token authentication cryptogram to the application, where the token authentication cryptogram can be used to validate the transaction, and the user exclusive data is extracted from the token authentication cryptogram during validation.

Abstract: A business-to-consumer (B2C) cloud service hosts web applications of various businesses as an instance of a cloud service. The B2C cloud service provides an identity management engine that manages the sign-in of consumers of the businesses to a respective cloud service. The identity management engine dynamically creates a security token for the sign-in request that includes claims customized for the hosted cloud service. The claims are based on directives provided by the business and obtained from the consumer via a user interface dynamically created by the identity management engine at a sign-in request.

Abstract: The invention provides a method that allows an issuer system, e.g. of a bank, to have generated a plurality of anonymous accounts and cards for working up a stock and to only personalize them individually if required. In the personalization step at the card issuer, e.g. in the bank branch, a printing of the back side does not have to be performed, instead all the necessary printing of the back side is already effected at the card manufacturer during the manufacturing of the anonymous card. As a result, a simple, low-cost printer without a back-side printing option can be utilized for the personalization of the anonymous card.

Abstract: A server device includes a processor configured to i) acquire vehicle information when a delivery request is made; ii) acquire predetermined authentication information for unlocking and locking a door of a vehicle, based on the acquired vehicle information; iii) transmit the acquired predetermined authentication information to a delivery terminal; and iv) to acquire predetermined proof information for proving that a user of the vehicle is a rightful recipient of a delivery article, by communicating with a user terminal. The processor is configured to transmit the acquired predetermined authentication information to the delivery terminal, on a condition that the predetermined proof information is acquired.

Abstract: Systems, methods, and articles of manufacture comprising processor-readable storage media are provided for implementing security mechanisms for network environments. For example, a method includes collecting power consumption data of a plurality of devices operating within a network and determining trust scores for the plurality of devices based, at least in part, on the collected power consumption data. The trust score for a device provides a measure of trustworthiness of the device exhibiting normal operating behavior within the network. Each device is assigned to one of a plurality of trust tiers based on the determined trust scores, wherein each trust tier specifies an authentication level for devices assigned to the trust tier. One or more authentication procedures are applied to authenticate a given device operating within the network based on the authentication level specified by the trust tier to which the given device is assigned.

Abstract: A system including a server and a first publisher node device is provided. The first publisher node device transmits a request including an authentication credential associated with the first publisher node device to the server and receives a response including authentication of the first publisher node device as a ticket processing client for a first transportation service. The first publisher node device captures, as the ticket processing client, an event associated with the first transportation service based on the received response and transmits, based on the captured event, a transaction request to a broker node device. The transaction request includes a transaction message and an authorization request to route the transaction message to a first subscriber node device of the MaaS network. The server receives the authorization request from the broker node device and authorizes the broker node device to route the transaction message based on the received authorization request.

Abstract: Methods of short-distance network electronic authentication are described.

Abstract: A method includes: after installation of software on a first mobile device, receiving new data from a second mobile device; analyzing, using a data repository, the new data to provide a security assessment; determining, based on the security assessment, a new security threat associated with the software; and in response to determining the new security threat, causing the first mobile device to implement a quarantine of the software.

Abstract: Embodiments described herein disclose methods and systems for authorizing a payment card transaction using dynamic codes. The system can receive a request for authorization of a transaction using the payment card. The request can identify a verification code associated with the payment card and an identifier of the payment card, and the payment card can have an associated dynamic code accessible to a user via a channel. The verification code can be compared with a value of the dynamic code at the time of the transaction. The system can determine whether the user of the payment card accessed the channel within a time period prior to receiving the request for authorization. In response to the verification code matching the dynamic code at the time of the transaction and determining that the user accessed the channel within the time period prior to receiving the request, the system can authorize the transaction.

Abstract: A system and method are disclosed capable of parsing a spoken utterance into a natural language request and a speech audio segment, where the natural language request directs the system to use the speech audio segment as a new wakeword. In response to this wakeword assignment directive, the system and method are further capable of immediately building a new wakeword spotter to activate the device upon matching the new wakeword in the input audio. Different approaches to promptly building a new wakeword spotter are described. Variations of wakeword assignment directives can make the new wakeword public or private. They can also add the new wakeword to earlier wakewords, or replace earlier wakewords.

Abstract: An information processing apparatus includes: an instruction unit configured to instruct an image processing apparatus to request a management server to issue identification information; an identification information obtaining unit configured to obtain, from the image processing apparatus, the identification information issued to the image processing apparatus by the management server; an identification information transmission unit configured to transmit the obtained identification information to a service provision server; a request reception unit configured to receive a request to transmit user information necessary for using a predetermined service from the service provision server as a response to the transmission of the identification information; and a user information transmission unit configured to transmit the user information to the service provision server in response to the received transmission request.

Abstract: A method of managing tokens is provided. The method includes receiving, by a token management system from a user device, a request from a user to register a token with the token management system. The token is associated with the user and is stored by an entity computing system associated with a first entity of a plurality of entities. Each of the plurality of entities is associated with an entity computing system that stores at least one token of a plurality of tokens that are each registered with the token management system and each associated with the user. The method further includes modifying, by the token management system, the token stored by the entity computing system associated with the first entity based on a token command from the user. The modification includes associating the token with a different entity of the plurality of entities relative to the first entity.

Abstract: A token management apparatus includes a reception unit that receives, from a first user who has an access token for accessing a service providing server that provides a service, a permission condition for permitting a second user for a conditional use of an access token of the first user, the second user being differential from the first user and not having the access token; and an issuance unit that issues a conditional access token that permits the conditional use of the service within a range of the permission condition, to the second user in a case where the second user requests the conditional use of the access token of the first user, and the request for the conditional use satisfies the permission condition.

Abstract: An action recognition system is illustrated. The action recognition system has an annular body, at least one light emitting unit, at least one light sensing unit and an action recognition module. The annular body is worn on a movable part of a user. One end of the light emitting unit is exposed on an inner side of the annular body, wherein the light emitting unit emits a first light beam illuminating at least a portion of the movable part. One end of the light sensing unit is exposed on the inner side of the annular body. The light sensing unit operatively senses a second light beam reflected by the at least portion of the movable part and generates a light sensing signal. The action recognition module is configured to operatively determine an action of the user according to the light sensing signal.

Abstract: A system includes a first computer system (FCS) configured to receive an authentication request of a user with respect to the first authentication system (FAS), and communicate an unsuccessful authentication attempt. In response, a bridge computer system (BCS), is configured to request a user ID and receive at least the user ID; identify an address of a second computer system (SCS) based on the user ID; and initiate the second authentication system (SAS) using the address. The SCS, if the user has been successfully authenticated with respect to the SAS, is configured to communicate successful authentication to the BCS; and in response, the BCS is configured to send the FAS a confirmation message, and the FCS is configured to treat the user as authenticated.

Abstract: A terminal device may execute a communication of authentication information with a communication device, the authentication information being prepared by the terminal device or the communication device without being inputted in the terminal device or the communication device by a user; send the authentication information to a first sever; and send specific information to the first server. The communication device may execute the communication of the authentication information with the terminal device; and send the authentication information to the first server. The first server may register the service information in the memory of the first server in a case where the authentication information is received from both of the terminal device and the communication device, and the specific information is received from the terminal device.

Abstract: In one example, a method performed by a processing system of a server includes sending an instruction to a controller installed on an integrated circuit chip of a remote computing device, wherein the instruction requests that the controller issue a challenge to the integrated circuit, receiving a first signature of the integrated circuit chip from the controller, wherein the first signature is derived by the controller from a response of the integrated circuit chip to the challenge, comparing the first signature to a second signature that is stored on the server, wherein the second signature was derived through testing of the integrated circuit chip prior to the integrated circuit chip being deployed in the remote computing device, and generating an alert when the first signature fails to match the second signature, wherein the alert indicates that the integrated circuit chip may have been tampered with.

Abstract: A trusted server receives a request for an activation code, which includes an identifier associated with the trusted server and a one-time password, for a client device. The trusted server obtains the identifier from a public server, generates the one-time password, and combines the one-time password with the identifier to create the activation code. The trusted server provides the activation code to a provisioning client, which presents the activation code to the client device. The trusted server and client device secure a communication session using the one-time password as a shared secret. The trusted server downloads trusted cryptographic information to the client device over the secure communication session.

Abstract: A method of authenticating a user of a multifunction device to a server, the method comprising associating a user-supplied image with user login credentials, using a server; receiving, at the server, an image uploaded from the multifunction device; and comparing the uploaded image to the user-supplied image, using the server, and, only if the uploaded image is identical to the user-supplied image, allowing the user of the multifunction device to authenticate to the server by providing additional login credentials to the server using the multifunction device.

Abstract: A device determines information concerning the device and sends the information concerning the device to a first device. The device receives, from the first device, information concerning a user device, and receives, from a second device, a request concerning the user device accessing the device. The request includes information identifying the device and information identifying the user device. The device generates a request response by validating the user device for access to the device based on the request and sends, to the second device, the request response to facilitate a communication session to be established between the user device and the device. The device communicates with the user device via the communication session.

Abstract: A method for an automated configuration of an industrial controller unit comprises sending, from a server system, an instruction message and a verification token to a client device via a first communication network. The instruction message comprises information pertaining to a modification of an industrial controller unit, and the verification token pertains to a completed modification of the industrial controller unit. The method further comprises receiving, at the server system, a verification message pertaining to the verification token, and providing, from the server system, an industrial program and/or a parameter for an industrial program to the industrial controller unit via a second communication network, in response to receiving the verification message.