Abstract: Authentication devices can be intelligently redirected in a VDI environment to thereby ensure that the redirected authentication devices remain available for authentication even after a remote session has been locked. This intelligent redirection of authentication devices can be accomplished in a way that only requires server-side modifications and that is agnostic to the remoting protocol used to establish the remote session.

Abstract: A method performed in a location server device of a location system is disclosed. The method is performed for securely validating localization of a wireless communication device. The method comprises obtaining first sensor data sensed by the wireless communication device. The method comprises obtaining primary location information of the wireless communication device, and validating the primary location information based on the first sensor data.

Abstract: Embodiments of the present application relate to a method, apparatus, and system for providing a security check. The method includes receiving a security verification request sent from a terminal, obtaining first verification element information based at least in part on the security verification request, generating a digital object unique identifier based at least in part on the first verification element information, sending the digital object unique identifier to the terminal, receiving second verification element information from the terminal, and in the event that the first verification element information and the second verification element information are consistent, sending security check pass information to the terminal.

Abstract: Systems and methods for displaying a user interface are disclosed herein. The method includes starting a trusted application in a trusted execution environment, the trusted application having a trusted user interface, and displaying the trusted user interface upon detecting an input operation for a hardware device, where the hardware device is integrated into the trusted execution environment and configured to acquire external identification information. The hardware device is configured to acquire the external identification information that is preconfigured on a smart terminal device, for example, including a fingerprint sensor or a photographic device. The hardware device is used to verify that the user interface is true and trustworthy. Embodiments of the present invention are implemented without increasing the hardware costs thereof and without increasing the implementation complexity of the software.

Abstract: Some embodiments of the present invention include a method for detecting and preventing phishing and include generating an authentication cookie based on encrypting an authentication token and a time when the authentication token is generated, the authentication cookie to be installed in a user computing system. The method further includes receiving a login request from the user computing system, the login request including login information, the authentication cookie, and a first detection token, decrypting the authentication cookie in the login request to generate a second detection token, and comparing the first detection token with the second detection token to determine whether the login information is compromised.

Abstract: Broadly speaking, embodiments of the present invention provide systems and methods to provide a solution to the SIM swap attack problem for users that possess smartphones. In particular, the systems and methods require an online banking customer to authenticate a transaction using a combined one-time password (OTP) formed of a remotely generated OTP (generated remote to the smartphone) and a locally generated OTP (generated on the smartphone).

Abstract: A computer system comprising a resource server running on the computer system. The resource server receives a client request from a client in which the client request includes an access token. The resource server sends an introspection request to an introspection gateway, wherein the introspection request is for introspection of the access token based on the client request, and wherein the introspection gateway uses a third-party authorization server from a plurality of third-party authorization servers to handle the introspection request. The resource server receives a response from the introspection gateway, wherein the response identifies a set of scopes for the access token. The resource server determines whether the access token has sufficient scope from a resource server response. The client is granted access to the resource server in response to the access token having the sufficient scope.

Abstract: A method for third-party authorization is presented. A client request is received by a resource server in a computer system from a client, wherein the client request includes an access token. An introspection request for the access token based on the client request. The introspection gateway uses a third-party authorization server from a plurality of third-party authorization servers to handle the introspection request. A resource server response is received from the introspection gateway, wherein the resource server response identifies a set of scopes for the access token. A determination is made as to whether the access token has sufficient scope from the resource server response. In response to the access token having the sufficient scope, the client is granted access to the resource server.

Abstract: The aspects disclosed herein are directed to systems and methods for employing multi-factor authentication for the transfer of goods or information. By employing the aspects disclosed herein, the authentication may become more secure and less vulnerable to attacks by unauthorized parties. The aspects disclosed herein may be implemented as a thin-client implementation, or a thick-client implementation.

Abstract: Methods and systems for providing a service are provided. A request is received to provide the service to a device. A location of the device, or a network interface through which the device is coupled, is determined. Finally, the delivery of the service is authorized based on the determined location of the device, or the determined network interface.

Abstract: Methods of short-distance network electronic authentication are described.

Abstract: Aspects of the disclosure relate to a system and method for cryptographically transmitting and storing identity tokens and/or activity data among spatially distributed computing devices. Identity data associated with a user may be used to generate an identity token for the user. Based on a verification of the identity token, the identity token may be stored in an identity chain. A request to perform an activity may also be received. The computing device may generate, based on identity data associated with the user, an identity token for the user. The identity token may be compared to the identity token stored in the identity chain, and the user may be authenticated based on the comparison. An activity token for the activity may be generated, and the activity token may be stored in the activity chain.

Abstract: Disclosed herein are system, apparatus, article of manufacture, method, and/or computer program product embodiments for real-time asynchronous multitenant gateway security with respect to one or more client devices. An embodiment operates by receiving an event and determining that event content information includes at least a portion of service transaction information and the at least portion of the service transaction information is registered. The embodiment may further operate by determining that the event is a security event based on event type information. The embodiment may then determine whether at least a portion of an external content response has been transmitted to the client device and that a validated connection associated with the service transaction information has not yet been disconnected. Based on those determinations, the embodiment may then interrupt the reverse proxy component to invalidate the external content response and disconnect the validated connection.

Abstract: A secure client-server connection method compatible with RESTful (REpresentational State Transfer) APIs (Application Programming Interface) that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value which it pairs with the token. The random value is hashed. The hash value is transmitted to the client contained in the token and the random value is transmitted to the client contained in an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the token's hash value.

Abstract: Techniques for authentication via a mobile device are provided. A mobile device is pre-registered for website authentication services. A user encounters a website displaying an embedded code as an image alongside a normal login process for that website. The image is identified by the mobile device, encrypted and signed by the mobile device and sent to a proxy. The proxy authenticates the code and associates it with the website. Credentials for the user are provided to the website to automatically authenticate the user for access to the website bypassing the normal login process associated with the website.

Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for a resource, authenticates the request, and accesses a microservice based on the request. The system determines, by the microservice, whether the resource is cached in a near cache or in a remote cache, retrieves the resource from the near cache or from the remote cache when the resource is cached, and calls an administration microservice to obtain the resource when the resource is not cached. The system then provides the resource to the client.

Abstract: A method comprising: launching, by a pre-boot environment, a pre-boot launch enclave (LE); creating, by the pre-boot LE, a launch token for a pre-boot quoting enclave (QE); authenticating, by the pre-boot LE, the launch token; launching, by the pre-boot environment with the launch token in response to the authentication, the pre-boot QE; generating, by the pre-boot QE, a public provisioning key, a private provisioning key, and an attestation key; verifying, by the pre-boot QE with a public key, authenticity of a device; securing, by the pre-boot QE with the public provisioning key, private provisioning key, and the public key, a communication channel with the device; encrypting, by the pre-boot QE with a system specific seal key, the public provisioning key, the private provisioning key, and the attestation key; and storing, by the pre-boot QE, the encrypted public provisioning key, the encrypted private provisioning key, and the encrypted attestation key in the device.

Abstract: A variable-step authentication system and a method for operating for performing variable-step authentication for communications in a controlled environment is disclosed. The variable-step authentication system may include a communication device and a server. The variable-step method includes steps for determining an authentication process that involves a number of authentication steps. The number of authentication steps is variable and dependent on a trust level associated with each participant in the communication.

Abstract: Embodiments for a method for issuing a software credential token with reliance on a hardware credential token are disclosed. A data server that allows access thereto via a set of hardware credential tokens is provided. The method includes receiving a request for a software credential token from a personal computing device. The request includes an indication of a hardware credential token upon which the request relies. An email address and a public key corresponding to the hardware credential token are obtained. The method also includes sending an email to the email address. The email includes a one-time password encrypted with the public key. Access to the email is restricted to an individual to which the hardware credential token was issued. The method also includes receiving an inputted password from the personal computing device. If the inputted password matches the one-time password, a software credential token is issued to a user.

Abstract: In one embodiment, a method includes a device receiving a request to create a group messaging thread to include at least three users. The device may determine that at least the first user, who is a minor, and the second user are not directly connected within a social graph. The device may instruct the messaging applications of the users to place the group messaging thread in a pending state. One or more approval requests may be sent to one or more recipients, respectively, for connecting the first user and the second user. When the requests are approved, the device may establish a connection between the first and second users in the social graph. Then, the device may determine that the first user is directly connected to both the second and third users, and instruct the messaging applications of the users to place the group messaging thread in an enabled state.

Abstract: A gaming system compatible with patron-controlled portable electronic devices, such as smart phones or tablet computers, is described. When a transaction is initiated on an EGM that requires the input of Sensitive Information data, such data can be input directly from the Player/Patrons Portable Electronic Device. Hence, such input of their Sensitive Information data is more discrete, and generally out of plain view from the other Player/Patrons.

Abstract: Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. The PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: A Hardware-Embedded Delay PUF (HELP) leverages entropy by monitoring path stability and measuring path delays from core logic macros. HELP incorporates techniques to deal with bias. A unique feature of HELP is that it may compare data measured from different test structures. HELP may be implemented in existing FPGA platforms. HELP may leverage both path stability and within-die variations as sources of entropy.

Abstract: An account login method includes receiving a login request command sent by a second terminal, the login request command carrying an account and a second terminal identifier. The method further includes detecting whether a device lock flag corresponding to the account is unlocked and that a state corresponding to the second terminal identifier is that a device lock is locked. If yes, the method further includes acquiring a first terminal identifier corresponding to the account, a state corresponding to the first terminal identifier being that the device lock is unlocked and implementing a login of the account on the second terminal by using a first terminal corresponding to the first terminal identifier.

Abstract: In an example, an active authentication session may b transferred from a first device to a second device. An authentication server may store a new authentication session token for the second device in session storage. The new authentication session token may be derived from an active authentication session token that was received from the first device. The authentication server may also receive an identification value from the first device, which was obtained from the second device, in response to verifying a query by the second device regarding an existence of a locator key based on the identification value in the session storage, the new authentication session token may be transmitted to the second device.

Abstract: A fraud detection system may obtain a number of known fraudulent end-user profiles. Using statistical analysis techniques that include clustering the end-user profiles by attributes, attribute values, or both, the fraud detection system identifies on a continuous, periodic, or aperiodic basis those attribute values and/or attribute value combinations that appear in fraudulent end-user profiles. Using this data, the fraud detection system generates one or more queries to identify those end-user profiles having attribute values or combinations of attribute values that likely indicate a fraudulent or otherwise undesirable end-user profile. The fraud detection system can run these queries against incoming registrations to identify and screen fraudulent end-user profiles from entering the system and can also run these queries against stored end-user profile databases to identify and remove fraudulent or otherwise undesirable end-user profiles from the end-user database.

Abstract: In a decentralized system based on a blockchain, a system and method automates the process for migrating data for decentralized applications stored off-chain between backend storage providers, such as cloud-based storage providers, such that a frontend client can perform migration processes without exposing encrypted data, using client-controlled keys, and without long running server-side processes.

Abstract: In a mediation server, a processor registers association information and the authentication information for receiving a service from a service provider server to be correlated with each other. The association information is concerned with first and second communication apparatuses. When a first request including the association information is received from the first communication apparatus, the processor performs first communication with the first communication apparatus and the service provider server by using the first authentication information. The first communication is for the first communication apparatus to receive the service from the service provider server. When a second request including the association information is received from the second communication apparatus, the processor performs second communication with the second communication apparatus and the service provider server by using the first authentication information.

Abstract: Systems and methods for facilitating editing of a confidential document by a non-privileged person by stripping away content and meaning from the document without human intervention such that only structural and/or grammatical information of the document are conveyed to the non-privileged person are disclosed. Exemplary implementations may: receive an electronic document including text conveying one or more confidential concepts; provide a content-stripped version of the electronic document to a human editor; receive an edited content-stripped version of the electronic document; and provide an edited electronic document based on the edited content-stripped version such that human-editor-provided changes were effectuated without the human editor ever being exposed to the content and meaning contained in the electronic document.

Abstract: A computer system that comprises a processor, a non-transitory memory, and a system application stored in the non-transitory memory. When executed by the processor, the application receives a request to create a software container, creates the container, generates a signature of the container, creates a container security token that comprises the signature and embeds the container security token in the container, and returns the container with the embedded container security token.

Abstract: Various arrangements are presented for using an electronic device for content playback. A television receiver may provide to the device access to a shared encryption key. The shared encryption key may be used to decrypt content from an over-the-top (OTT) content host system. The device may request content from the OTT content host system using the set of credentials. The device may then receive encrypted content from the OTT content host system, wherein the encrypted content corresponds to the requested content. The encrypted content received from the OTT content host system may be decrypted by the device using the shared encryption key. The device may then output for presentation the decrypted content.

Abstract: A processor may receive plaintext data. The plaintext data may correspond to a query. The processor may identify a granularity of the plaintext data. The processor may compress the plaintext data using a binary search tree. The binary search tree may compress the plaintext data based on the granularity of the plaintext data. The processor may encrypt the plaintext data by randomizing the order in which the binary search tree stores the compression of the plaintext data. The stored order of the binary search tree may act as a private key. The processor may process the query over an encrypted cumulative compressed database.

Abstract: A method for maintaining a prepaid payment system comprises a user account that can be utilized to complete a purchase transaction with a merchant. A delayed processing window is introduced between a time when the merchant receives a payment approval notification from the payment system and a time when the payment system transmits a payment request to an issuer of a funding account associated with the user's payment system account. The payment system utilizes a user's stored value account maintained by the payment system to satisfy the requirements of a prepaid program, and therefore processes the payment request received from the merchant and transmits the payment approval notification without obtaining prior authorization from the issuer of the funding account. The payment system submits one or more payment requests for the funding transaction at a time after the completion of the purchase transaction between the user and the merchant.

Abstract: Device, system, and method of managing trustworthiness of electronic device. For example, an Internet of Things (IoT) device is able to transmit data to a recipient device. The recipient device operates as a querying device, and utilizes a query agent to query a trust-management server with regard to the trustworthiness of the IoT device. The trust-management server receives from the IoT device a set of values indicating various parameters of the IoT device. The trust-management server generates a trustworthiness report pertaining to the IoT device, and sends the report as a response to the trustworthiness query. Optionally, a caching agent caches copies of trustworthiness reports and provides to querying devices such previous reports, together with an indication of their freshness level.

Abstract: The present invention provides device verification methods and apparatuses, wherein the device verification methods are used for verifying a target device requesting performing a target service, one method including: receiving a device verification request sent by the to-be-verified target device, the device verification request including: a device certificate and first device attribute information of the target device, and the device certificate including a device fingerprint generated according to second device attribute information; and when it is confirmed according to the device fingerprint that the device certificate is valid, and the device fingerprint matches the first device attribute information, determining that the device certificate is a certificate of the target device, and allowing the target device to perform the target service. The present invention makes device verification more reliable.

Abstract: An electronic meeting tool for communicating arbitrary media content from users at a meeting includes a node configuration operating a display node of a communications network that is coupled to a display. The node configuration receives user selected arbitrary media content and controls display of the user selected arbitrary media content on the display. At least one peripheral device communicates the user selected arbitrary media content via the communications network. The peripheral device is a connection unit including a connector that couples to a port of a processing device having a second display, a memory and an operating system; and a transmitter communicating with the communications network. A program is provided to run on the operating system of the processing device and obtains user selected arbitrary media content, while leaving a zero footprint on termination.

Abstract: A service includes an associated service request throttling system. The throttling system constrains the rate at which service requests are fulfilled by the service, and also provides throttling information to the service. The throttling system controls service throughput by implementing a throttling bucket. The throttling bucket has an associated bucket level which indicates, to the service, an amount of service requests that can be satisfied before throughput limitations are imposed by the throttling system. The bucket level may be modified in response to service requests, service request characteristics, or environmental parameters. In some examples, operational parameters of the throttling system may be configured by users of the service to constrain data exfiltration. The bucket level itself may be used by the service to expand or constrain access privileges granted to particular users.

Abstract: A secure client-server connection method compatible with RESTful (REpresentational State Transfer) APIs (Application Programming Interface) that is resistant to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The server generates a token for the client and a random value which it pairs with the token. The random value is hashed. The hash value is transmitted to the client contained in the token and the random value is transmitted to the client contained in an HTTPOnly cookie. Even if an attacker steals the token and/or the hash, security is maintained, since the server verifies communications from the client by validating the token on the basis of its hash value. Validation is performed by the server hashing the random value contained in the HTTPOnly cookie paired with the token to obtain a further hash value, and checking that this further hash value matches the token's hash value.

Abstract: A communication system includes: an image forming apparatus including a browser function and being configured to set permission/non-permission for access according to a website being a communication destination; and a setting change apparatus configured to communicate with the image forming apparatus and be capable of changing a setting of the image forming apparatus in accordance with an operation of an administrator, wherein the image forming apparatus includes a detection unit configured to detect that the image forming apparatus is not allowed to access a specific website, an acquisition unit configured to automatically acquire access destination information, identification information, and contact information, and a change request unit configured to transmit a request to change the setting to a setting that permits the image forming apparatus to access the specific website, to the administrator via a network, the identification information, and the contact information, which are acquired by the acquisiti

Abstract: An electronic device and a method for operating the electronic device are provided. The method includes obtaining first information in a first zone of the electronic device, extracting second information included in the first information in the first zone of the electronic device, and storing the second information in a second zone of the electronic device that has a higher level of security than a level of security of the first zone.

Abstract: Provided is a process including: encrypting each of a plurality of data encryption keys with a first public cryptographic key to form encrypted data encryption keys; obtaining a second public cryptographic key; generating a transformation key based on the first public-private cryptographic key pair and the second public cryptographic key; and transforming the encrypted data encryption keys with proxy re-encryption based on the transformation key; and obtaining the second private cryptographic key and the transformed encrypted data encryption keys.

Abstract: Embodiments of the present invention provide systems and methods for monitoring action records in virtual space. The systems and methods for monitoring action records in virtual space display recorded activity on an avatar within the virtual space by communicating in a virtual space with a user account. The recorded activity is analyzed and processed in order to compile information on the avatar and display an avatar (which is a reflection of the compiled information).

Abstract: To authenticate a service request, a first server receives a handshake request from a client application. The first server transmits a first nonce to the client application. The first server sends a second nonce and the handshake request to a second server. The second nonce may be a key for decrypting the first nonce, or it may be a separate nonce. The first server stores a result of an operation performed on the first and second nonces. The client application receives a push notification with the second nonce from the second server via a secure and authenticated communication channel. The client application also performs an operation on the nonces to generate a candidate result, which it sends to the first server. If the candidate result matches the stored result, the first server will send the client application a token that grants access to a service.

Abstract: Generally, this disclosure describes a method and system for authenticating to a network via a device-specific one-time password. A method in an embodiment may include generating a first one-time password (OTP) based at least in part on a plurality of client device attributes; and providing the first OTP to an authenticator associated with a private network during a first session, wherein the authenticator is configured to authenticate the client device to at least one of the private network and protected content included in the private network for a second session following the first session based on the provided first OTP.

Abstract: Security systems and methods are disclosed that associate several human entities each with a corresponding cryptographic utility token inventory and trustworthiness indication. The trustworthiness indications each shift each at a rate substantially correlating with its corresponding cryptographic utility token inventory so as to allow different entities to become trusted and untrusted over time. This triggers automatic privilege modifications that enhance security within a networked community invested in cryptographic utility tokens.

Abstract: Described herein is a computer implemented method comprising receiving a link to content served by a remote server, detecting activation of the link, and in response to detecting activation of the link, attempting to load, via a web browser application, a passive mixed content item from a local web server. If the passive mixed content item successfully loads, the method further comprises accessing the content referenced by the link from a remote application server using an installed dedicated desktop application, the dedicated desktop application configured to operate with the remote application server. If the passive mixed content item does not successfully load, the method further comprises accessing the content referenced by the link from a remote web server using the web browser application.

Abstract: A computer program product for secure data storage. The present invention may include completing a registration process by sending, by the client device, a connection request to the server. The present invention may include generating, by the server, an authentication session identification (ID). The present invention may include sending, by the server, a stored salt and the generated authentication session ID to the client device. The present invention may include sending, by the server, the generated authentication session ID, the server encryption key and user data to the third-party device. The present invention may include sending, by the client device, the generated authentication session ID and user data to the third-party device. The present invention may include generating, by the third-party device, a decryption key. The present invention may include determining the user data received by the client device and the decrypted user data received by the server is authenticated.

Abstract: Embodiments are provided for receiving media content based on the preferences of additional users. An example implementation includes a computing device transmitting, to a service provider, a first request for media items based on media preferences associated with first user profiles for a media playback system. After transmitting the first request, the computing device determines that media preferences associated with second user profiles are to be used for requesting media items. Thereafter, the computing device transmits, to the service provider, a second request for one or more media items based on media preferences associated with (i) the first user profiles and (ii) the second user profiles. After transmitting the second request, the computing device may receive data indicating at least one media item from the service provider and cause one or more playback devices in the media playback system to play the at least one media item.

Abstract: Embodiments related to a restricted-use authentication code are disclosed. One disclosed embodiment provides a method of generating a representation of a restricted-use authentication code for detection by another computing device to authenticate the other computing device to a remote service. The method includes receiving authentication information, the authentication information comprising a restricted-use authentication code and generating a representation of the authentication information. The method further includes presenting the representation of the authentication information to a sensor system of the other computing device for authentication.