Abstract: A certificate issued by an authentication server 200 in response to a request from a client terminal 100 is stored in an issued certificate storage unit 113, and the stored certificate is transmitted to the authentication server 200 together with device information to execute first authentication and then a user ID/password is transmitted to the authentication server 200 to execute second authentication, so that it is possible to perform the first authentication using a certificate and perform the second authentication using a user ID/password without setting up the service usage environment in which the certificate of the client terminal 100 and the user ID/password are stored in advance in the authentication server 200 so as to be associated with each other and the certificate is stored in advance in each client terminal 100.

Abstract: An authentication server may not support all types of user credentials. For example, an on-premise authentication server may support credentials based on user secrets (i.e. username and password) and certificate-based credentials, but not hardware-key based credentials. A client device may use an un-supported type of credential to access resources managed by the on-premise authentication server by authenticating with a web-based authentication server. The web-based authentication server may support any type of credential, and the supported types of credentials may change over time. The web-based authentication server returns an authenticated user token indicating the user has been authenticated, but without authorizing access to any resources. The client device uses the on-premise authentication server to exchange the authenticated user token for an authorized user token. The client device then uses the authorized user token to access resources on the on-premise network.

Abstract: Disclosed are various embodiments for provisioning client devices. A configuration file previously installed on the computing device can be read. The configuration file can contain a provisioning address. Then, a user account is automatically created using a predefined username and credential stored in the configuration file. Next, an enrollment request can be sent to the provisioning address to enroll the computing device with a provisioning service using the user account. In response, an enrollment response can be received from the provisioning service. The computing device can then be configured based upon the enrollment response.

Abstract: A determination method executed by a computer that serves as an authentication apparatus for a program that operates on a device, the determination method includes counting a number of times of execution of a first process related to the device and determining, in a case where an authentication request for the program that includes a number of times of execution of a second process in the device is received, whether or not it is required to verify the device based on a result of comparison between the number of times of execution of the first process and the number of times of execution of the second process.

Abstract: A key management method includes: sending, by a security chip of a computer device, a request for obtaining a service key to a key management service; receiving, by the security chip, a service key ciphertext from the key management service, wherein the service key ciphertext is obtained by encrypting the service key by the key management service based on a migration key of the security chip; decrypting, by the security chip, the service key ciphertext based on the migration key to obtain the service key; storing, by the security chip, the service key in the security chip; and providing, by the security chip, the service key to an application program of the computer device when the application program needs to encrypt data based on the service key.

Abstract: Systems, processes and articles of manufacture provide for a player identity verification system that allows a gaming establishment (e.g., a casino) to determine or verify a player's identity upon certain qualifying activities being determined (e.g., when a player is initiating a wagering session at a table game or placing a wager). In accordance with one embodiment, a live image of a player participating in a qualifying activity (e.g., placement of a wager) is compared to a stored image of a player that is associated with one or more casino chips being used as the wager; a verification of the identity of the player placing the wager is performed by matching the live image to the stored image.

Abstract: The present disclosure provides a system and method for delegating authority to cloud IoT devices, with such delegated authority enabling the cloud IoT devices to access second cloud services outside of a core network. The IoT device uses its IoT identity to obtain a token for accessing the second service within a predefined time window. The token may be used to access the second service without further authentication by the second service. Accordingly, the IoT device can take particular actions, such as downloading files, etc., during the predefined time window. After the predefined time window, the IoT device may no longer access the second service without obtaining another token.

Abstract: Disclosed are various embodiments for determining authentication assurance from a combination of historical and runtime-provided inputs. An authentication request associated with an account is received. A composite measure of authentication assurance is determined from a combination of a historical measure of authentication assurance and a runtime measure of authentication assurance. A response to the authentication request is generated based at least in part on the composite measure of authentication assurance.

Abstract: A client sends a request for access to a webpage and receives a cookie and code to obtain data about the client in response to the request. The cookie may be cryptographically secured and contain first data about the client. The client subsequently sends a second request with the cookie to access the same webpage. Any additional information about the client, received in the second request, is then compared with the first data about the client obtained from the cookie to determine whether anomalous activity exists in connection with the client. That is, data about the client is compared to previous client activity history to determine whether there were any anomalous activity and the result of the comparison indicates whether the client is trustworthy.

Abstract: Systems and methods are provided for managing tokens from different token providers and facilitating network transactions involving tokens from the different token providers. One exemplary method includes receiving a request to provision a token for a payment account to a party, where the payment account is associated with a payment network. The method also includes generating the requested token apart from the payment network, whereby the requested token is an external token, and transmitting the external token to the party. The method further includes transmitting, to the payment network, the external token and a PAN for the payment account associated with the external token, thereby permitting the payment network to map the token to the PAN and to provide PAN-dependent services for a transaction based on an authorization request message including the token but not the PAN.

Abstract: Disclosed are various embodiments for determining authentication assurance using algorithmic decay. In an embodiment, an authentication request associated with an account is received. At least one historical authentication event associated with the account is determined. A measure of authentication assurance is determined based at least in part on applying an exponential time decay to at least one authentication assurance value individually corresponding to the historical authentication event(s). A response to the authentication request is generated based at least in part on the measure of authentication assurance.

Abstract: Method, system or Universal Integrated Circuit Card (UICC) for provisioning a UICC with a new key. The UICC contains an initial subscriber key shared between the UICC and an authentication center. A new key is exchanged between the UICC and the authentication center using a communication between the UICC and the authentication center authenticated using the initial subscriber key. The new key is used in place of the initial subscriber key for further communications with the UICC.

Abstract: Systems and methods for passing account authentication information via parameters. A server can provide, to a client device, an account parameter derived from an account credential used to authenticate a first application to insert into a link. The link can include an address referencing a second application. The account parameter can be passed from the first application to the second application responsive to an interaction on the link. The server can receive from the second application of the client device, subsequent to passing the account parameter from the first application to the second application, a request to authenticate the second application including the account parameter. The server can authenticate the client device for the second application using the account parameter. The server can transmit, responsive to authenticating the client device for the second application, an authentication indication to the second application of the client device.

Abstract: A method of privatizing mobile communications using a dynamic International Mobile Subscriber Identity (IMSI) and Mobile Station International Subscriber Director Number (MSISDN). A first privacy token having an associated IMSI and MSISDN is provided to a User Equipment (UE). The first privacy token has a predefined validity period. The IMSI and MSISDN assigned to the privacy token are shared with a plurality of Mobile Network Operators (MNOs), while the International Mobile Equipment Identity (IMEI) of the UE remains concealed. A communications session for the UE can be established based on the first privacy token during the validity period thereof. Upon expiration of the validity period, the first privacy token and the associated IMSI and MSISDN are released to the token database, and their association with one another is deleted. The UE is then provided with a second privacy token having a different associated IMSI and MSISDN.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising a memory configured to store an identifier of the apparatus, at least one processing core configured to obtain, from sensor information, a service identifier and a session identifier, compile a message addressed to a service provider associated with the service identifier, the message comprising the identifier of the apparatus and the session identifier, and cause transmission of the message toward the service provider.

Abstract: A method and a system for user identification of a user based on a current user environment of a user device thereof are provided. The method comprises: causing the user device to receive an analytical module for installation thereof in a web application, the analytical module being configured to execute: causing installation of an iframe container in a given page of the web application launched on the user device; retrieving at least one cookie file including user data indicative of the current user environment of the user device; transmitting the at least one cookie file to an identification server for modification thereof to generate an in-use cookie file; and receiving the in-use cookie file; analyzing the in-use cookie file for identifying, based on the user data, the user device, and in response to identifying the user device as being compromised, transmitting a predetermined notification to the application content server.

Abstract: Disclosed herein are related to a system and a method of authenticating a device. In one aspect, a first challenge is identified from first challenges, where each of the first challenges has a consistent response with a stability above a first threshold across a variation of the device. In one aspect, a first response to the first challenge is received from the device. In one aspect, whether the first response matches the consistent response of the first challenge is determined. In one aspect, a second challenge from second challenges is identified, where each of the second challenges has an inconsistent response with a stability under a second threshold across the variation. In one aspect, a second response to the second challenge is received from the device. In one aspect, the device is authenticated responsive to determining that the first response matches the consistent response of the first challenge.

Abstract: A node device configuring a peer-to-peer network includes: a network interface; and a blockchain management part configured to receive, through the network interface, an information registration request transaction that includes embedded Subscriber Identity Module, SIM, information including SIM identification information, an electronic signature put on the embedded SIM information by using a private key of an information registrant, and a public key paired with the private key, and accumulate the received information registration request transaction into a blockchain based on a consensus building algorithm executed in cooperation with another node device configuring the peer-to-peer network.

Abstract: A computer device for enhancing security of a secured area that comprises a video input device and a processor configured to receive a request to access the secured area at an access point associated with the secured area, obtain an image data of a secure boundary area associated with the access point, determine the number of users in the secure boundary area based on the image data, determine whether to grant an access in response to the request based on one or more rules, grant the access in response to the request in accordance with the rules when the number of users in the secure boundary area is less than or equal to a threshold, and deny the access in response to the request in accordance with the rules and when the number of users in the secure boundary area is greater than the threshold.

Abstract: An example memory subsystem includes a memory component and a processing device, operatively coupled to the memory component. The processing device is configured to receive a plurality of logical-to-physical (L2P) records, wherein an L2P record of the plurality of L2P records maps a logical block address to a physical address of a memory block on the memory component; determine a sequential assist value specifying a number of logical block addresses that are mapped to consecutive physical addresses sequentially following the physical address specified by the L2P record; generate a security token encoding the sequential assist value; and associate the security token with the L2P record.

Abstract: There is provided an information processing device including a processing unit that authenticates a communication target device on a basis of predetermined information transmitted from the communication target device by broadcast in communication in a first communication scheme, the predetermined information being used in a process to be performed in communication in a second communication scheme that is different from the first communication scheme, and establishes the communication with the communication target device in the first communication scheme in a case in which authentication is completed.

Abstract: Techniques are disclosed relating to user authentication. In some embodiments, a computing system maintains an exception handler of a software development platform. The exception handler is executable to process a particular type of exception that causes an authentication of users of applications running on the software development platform. The computing system may receive, at the exception handler, an indication of the particular type of exception thrown by a particular application. In response to receiving the indication of the particular type of exception, the exception handler issues to a web browser interacting with the application, a request that the web browser redirect to an authentication server configured to perform an authentication of a user of the particular application. The computing system receives, from the authentication server, a result of the performed authentication and returns the result to the particular application.

Abstract: Systems and methods for facilitating editing of a confidential document by a non-privileged person by stripping away content and meaning from the document without human intervention such that only structural and/or grammatical information of the document are conveyed to the non-privileged person are disclosed. Exemplary implementations may: receive an electronic document including text conveying one or more confidential concepts; provide a content-stripped version of the electronic document to a human editor; receive an edited content-stripped version of the electronic document; and provide an edited electronic document based on the edited content-stripped version such that human-editor-provided changes were effectuated without the human editor ever being exposed to the content and meaning contained in the electronic document.

Abstract: An authenticating system and process for authenticating user devices to a access a service where access to certain portions of the service may be limited according to a access point or other device used by a user device to facilitate interfacing a user with the service. The authentication may be achieved without directly assessing a trustworthiness of the user devices, and optionally, without requiring a user thereof to complete a sign-on operation.

Abstract: A secure communication management (SCM) computer device for providing secure data connections in an aviation environment which, includes safety of flight information, is provided. The SCM computer device includes a processor in communication with a memory. The processor is programmed to receive, from a first user computer device, a first data message for a first aircraft. The first data message is in a standardized data format. The processor is also programmed to analyze the first data message for potential cybersecurity threats. If the determination is that the first data message does not contain a cybersecurity threat, the processor is further programmed to convert the first data message into a first data format associated with the first aircraft and transmit the converted first data message to the first aircraft using a first communication protocol associated with the first aircraft.

Abstract: A system and method for evaluating and improving the security of a local area network including an application residing on an external server configured to conduct a penetration test of the local area network by interrogating each of the devices on the local area network to identify vulnerabilities and risks associated with those devices, receiving a report listing all such identified vulnerabilities and risks, calculating an IoT readiness score for the local area network, and undertaking and/or recommending specific actions for improving the security of the local area network.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.

Abstract: Mechanisms for providing point to point encryption and tokenization enabling decryption, tokenization and storage of sensitive encrypted data on one system are discussed.

Abstract: Provided is a process that affords out-of-band authentication for confirmation of physical access or when a device utilized for out-of-band authentication lacks connectivity to a network. An asymmetric cryptographic key-pair is established, a first device obtaining a key operable to decrypt data. A remote server obtaining a key operable to encrypt data and associating that key with an identifier of an identity or account associated with a user. An access attempt from the second device is received in association with the identifier of the identity associated with the user. A notification including data encrypted by the encryption key is generated by the remote server and transmitted to the second device. The first device obtains the notification data from the second device and decrypts the data to determine a notification response which is returned to the remote server for verification to permit or deny the access attempt of the second device.

Abstract: A system comprising a processor and a computer readable memory coupled to the processor, the computer readable memory configured with a page processable by page processing code. The page can be configured to generate a set of random connection data usable by a local server program instance to verify that a connection request is from the page, launch the local server program instance, provide the set of random connection data to the local server program instance, create a client socket instance, send a connection request to the local server program instance to establish a connection between the client socket instance and a server socket instance of the server program instance and based on an acceptance of the connection request by the server program instance, complete the connection. The connection may be usable for bi-directional communication between the page and local server program instance.

Abstract: This Application sets forth techniques for provisioning and activating electronic subscriber identity modules (eSIMs) for mobile wireless devices. An eSIM is reserved during a sales order process and later activated during device activation after receipt by a user. An option for eSIM installation in place of (or in addition to) physical SIM installation is provided when purchasing the mobile wireless device. The reserved eSIM can replace a previous SIM/eSIM or be a new eSIM. During device activation, installation and activation of the eSIM occurs. Activation of the eSIM can occur before or after deactivation of a transferred SIM/eSIM. The mobile wireless device accounts for propagation delay of eSIM activation through MNO servers by disabling and re-enabling the eSIM until initial attachment to an MNO cellular wireless network succeeds or a maximum number of retry attempts is reached.

Abstract: A method for access management of the vehicle providing a vehicle and authenticating a user in relation to the vehicle by a proof of identity of the user. The method includes providing a cryptographically secured authorization file for the vehicle containing information relating to usage rights of the authenticated user to the vehicle to increase security in the entity-related enabling of vehicle functions.

Abstract: A trunk-sharing system that uses an interior space of a vehicle as a place in which a delivery object is delivered and received, the trunk-sharing system comprising a server configured to: i) acquire a vehicle information including information for identifying the vehicle when a predetermined service request has been issued; ii) acquire a predetermined authentication information for locking and unlocking a door of the vehicle based on the vehicle information; and iii) transmit at least the predetermined authentication information to a terminal which is used by a service provider.

Abstract: The present disclosure is related to systems and methods of monitoring data of a network application. An embedded browser of a client application on a client device may initiate a request to access a network application hosted on a server. The client application may, responsive to the request, establish a secure session to communicate data of the network application to the client application for rendering in a display region of the embedded browser. The client application may decrypt the data communicated via the established secure session to monitor the network application.

Abstract: An electronic meeting tool for communicating arbitrary media content from users at a meeting includes a node configuration operating a display node of a communications network that is coupled to a display. The node configuration receives user selected arbitrary media content and controls display of the user selected arbitrary media content on the display. At least one peripheral device communicates the user selected arbitrary media content via the communications network. The peripheral device is a connection unit including a connector that couples to a port of a processing device having a second display, a memory and an operating system; and a transmitter communicating with the communications network. A program is provided to run on the operating system of the processing device and obtains user selected arbitrary media content, while leaving a zero footprint on termination.

Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of credentialing an application in a cloud environment. The application is determined to be a trusted application type. The application is provided with a certificate service process dedicated to request and receive a certificate from a source outside the cloud environment. An integration component retrieves the secret and provides it to the application that is inside the cloud environment. The secret is verified within the cloud environment and the application is deployed as a trusted application instance inside the cloud environment.

Abstract: A method and apparatus for providing a communication service by installing an eSIM profile even in a terminal to which an iSSP is applied. The method comprises: detecting whether information is input information for eSIM profile download input information from a terminal to which an iSSP is applied, and determining whether the terminal supports the same. Collecting eSIM bundle information of the iSSP by the terminal; selecting an eSIM bundle to be used by referring to a condition designated by the terminal from among the collected eSIM bundles; if there is no bundle to be used or when it is determined that no eSIM bundle is used among existing eSIM bundles, generating an eSIM bundle by the terminal itself or providing an eSIM bundle via communication with the terminal and a server; and on the basis of eSIM bundle information, downloading and installing an eSIM profile package.

Abstract: An IoT device has a public device identifier and a private device identifier, where the public device identifier is publicly available and the private device identifier is secret but kept in a secure device database as a correspondence. A registration request is sent from the IoT device to an association server in communication with the device database having an association between IoT public identifier and a corresponding IoT private identifier. The association server which receives the registration request responds with a registration acknowledgement containing, in encrypted form, the private device identifier of the original request and, optionally, the public device identifier associated with the registration request. The requesting IoT device receives the association acknowledgement, decrypts the private device identifier, compares it to its own device identifier, and if they match, sends one or more association requests.

Abstract: A system for verifying information associated with a user can include at least three devices. The first device is configured to transmit, to the second device, user-associated information, a unique identifier associated with the user-associated information and an identity digital signature generated using an identity private key associated with the user and a message comprising a previously determined hash of a portion of the user-associated information combined with the unique identifier. The second device is configured to generate the hash of the portion of the user-associated information combined with the unique identifier and transmit the generated hash and the identity digital signature to the third device. The third device is configured to lookup the generated hash in a database, verify the identity digital signature using the identity public key related to the generated hash in the database, and upon successful verification, transmit a success response to the second device.

Abstract: A method (10) performed in an initiating runtime (2a) is disclosed for migrating an actor instance (5a1) of an actor (4a) to a target runtime (2b). The method (10) comprises obtaining (11), from a blockchain entity (3), an ownership token associated with the actor instance (5a1) of the actor (4a), the ownership token being verifiable by a blockchain (7) of the blockchain entity (3), and using (12) the ownership token for migrating the actor instance (5a1). A method in a blockchain entity (3), a method in a target runtime (2b), entities, computer programs and computer program products are also disclosed.

Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.

Abstract: A system and method enabling an entity to prove its identity and provide authentic documents/data/information therein at any time required based upon data retrieved from an independent cryptographically verifiable source (ICVS) through a secured channel is disclosed. The system enables a virtual and secure browser on a user computing device allowing a user to login and retrieve authentic information pertaining to the user from the ICVS in a verifiable and untamperable manner. The retrieved information is bounded with origination information of the ICVS and the bounded information is provided to relying entities as authentic information for verification. Also, cryptographic value of the authentic information can be stored in an immutable storage such as blockchain, so that the cryptographic value is used by the relying-party to validate integrity of the authentic information.

Abstract: A method and system for detecting fraudulent access to a web resource is disclosed. The web resource is hosted by a server and the method being executable by the server. The method comprises: receiving, by the server, a first request to access the web resource by a first electronic device, the first request including a first cookie; converting, by the server, the first cookie into a second cookie; transmitting, by the server, the second cookie to the first electronic device for storing; receiving, by the server, a second request to access the web resource by a second electronic device, the second request including a third cookie; and determining, by the server, the second request to be a fraudulent request, the determining based on an analysis of the third cookie and the first cookie.

Abstract: Methods for hardening security between web services using protected forwarded access tokens are implemented via systems and devices. User applications receive user tokens with user information from an identity provider and provide the user tokens to first services with data requests. Each first service extracts and transforms a portion of a user token to validate a user token signature, and determines a target service for the data request. The first services acquire actor tokens from the identity provider that uniquely identify the first services using public keys, and then generate authentication tokens, signed with corresponding private keys, that encapsulate the actor tokens and the transformed user tokens. The signed authentication tokens are provided to target services which validate the authentication tokens as well as the encapsulated tokens and their respective signatures. Upon validation, requested data is retrieved and provided back for the user applications from the target services.

Abstract: A method for analyzing data using a blockchain, a data provider and a data customer therefor are disclosed. The method analyzing data using a blockchain is provided wherein a plurality of data sets is stored and processed in a data storage in a distributed manner using a cluster of nodes. The method comprises steps of deploying a smart contract to the blockchain according to a request from a data customer, receiving a request for executing code for data sets selected by a data customer, estimating an amount of token required for executing the code for the selected data sets in the data storage, and controlling, in said distributed manner using the cluster of nodes, execution of the code for the selected data sets based on the balance amount of token while the balance amount of token is greater than the estimated amount of token. The request for executing code includes code to be executed and a balance amount of token which the data customer currently has.

Abstract: Provided is a method for the assignment of industrial field devices to a user account in a cloud environment, including logging in of a user; scanning of the public identifier; checking, of whether the field device is already linked to a user account; connecting of the field device to the Internet by the user, provided such a connection does not yet exist, in such a way that the cloud environment can be contacted by the field device; triggering a linking of the field device by the user by means of the mobile terminal of the user and the previously scanned public identifier of the field device; authenticating of the field device in the cloud environment by means of the private security key of the field device and assigning of the field device to the public identifier by means of the cloud environment.

Abstract: A digital security system and method for unlocking digital content, comprising: receiving, from a user device, an activity data associated with assessing of at least a portion of digital content by a user, wherein the activity data is provided as at least one user input by at least one application operating on at least one user device associated with the user and, wherein the digital content is linked to predetermined location-based locking or unlocking parameters; response to the received user input, storing, by the processor, information about the user activity data and the electronic data correlated with the predetermined location-based locking or unlocking parameters in a profile associated with an account of the user; identifying, by the processor, whether the user device is in compliance with the predetermined location-based locking or unlocking parameters; determining, by the processor, if the electronic content related to the activity data linked to the user account is currently locked; and responsive

Abstract: Techniques for consistent resource visibility during inter-cellular migrations using targeted pairwise scatter-gather techniques are described. For a paginated request to describe resources existing in cells of a provider network that match one or more criteria, a set of candidate cells having, or likely to have, resources of interest that match the one or more criteria are identified. Pairs of the candidate cells that are determined to be involved in a migration are jointly queried according to a scatter-gather type approach and aggregated via a union technique to remove duplicate resource entries. Other cells not involved in a resource migration are independently queried.

Abstract: A computer network (1) adapted to provide secured access to online applications hosted on application servers (10) to a requesting user (U). The network (1) comprises a login security server (20) configured for deciding access for the user based on data contained in a central generic access control file (32) and in the access request. The network (1) further comprises a centralized user identification component (40) configured for receiving identification data from user through a central login panel (42) and for sending an access grant or denial command to the application servers (10).