140 results about "Strong authentication" patented technology

The invention defines a strong authentication token that remedies a vulnerability to a certain type of social engineering attacks, by authenticating the server or messages purporting to come from the server prior to generating a one-time password or transaction signature; and, in the case of the generation of a transaction signature, signing not only transaction values but also transaction context information and, prior to generating said transaction signature, presenting said transaction values and transaction context information to the user for the user to review and approve using trustworthy output and input means. It furthermore offers this authentication and review functionality without sacrificing user convenience or cost efficiency, by judiciously coding the transaction data to be signed, thus reducing the transmission size of information that has to be exchanged over the token's trustworthy interfaces

Systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise's managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.

Disclosed is a system and method that uses digital signature technology to authenticate the contents of one or more manifests located on a storage device. Each manifest contains a list of file records, where each record contains the name of a file stored on the storage device, and a signature value derived from the contents of the file. At boot time, the gaming machine first authenticates the contents of the manifest and then authenticates the contents of the files using the signature value stored in the manifest. Files are verified using the signature, as they are needed, during the boot up of the operating system and throughout normal operation. This method reduces the boot time of the gaming machine and eliminates the need to check digital signatures for each individual file or over the entire contents of a non-secure media. Similarly, a method of adding authentication ability to legacy software components without necessarily altering the legacy software components is disclosed. Introduction of a stronger authentication algorithm, or when a private key has been compromised would normally require the software component to be re-built to support the new algorithm or private/public key pair; however, a method is disclosed where algorithms and key pairs may be changed and applied to legacy software without having to re-built, re-test, re-sign, or re-submit the component to regulatory agencies for approval. Also disclosed is a system and method of establishing a trusted environment containing a gaming operating system and associated authentication module, file system drivers, and/or network drivers that may be used to in the process of authenticating contents of one or more manifests located on a storage device.

A method of and system for adding strong authentication to an existing network based application. A proxy based monitoring process screens data sent to and from a client application and intercepts login requests. These intercepted requests are redirected to an authentication process which first checks to see if the user logging in has enrolled in strong authentication. If not enrolled, the user is allowed to continue with a normal login. If enrolled, the user is authenticated by requesting digital identification data, such as a digital certificate, from the user's computer. If authentication succeeds, the user is allowed to proceed on to the normal login process. If authentication fails, the login attempt is blocked. User enrollment is automated, requiring no user interaction beyond the initial request. Verification for purposes of issuing a digital certificate, or other identifying data, is by means of confirming that the user being enrolled is currently logged in to the client application.

An autonomous and portable smartcard reader device incorporates a high level of embedded security countermeasures. Data transfers are encrypted with two specific input devices, namely a light sensor and PIN or other keyboard entry, and at the output through the use of a dual-tone encoder-decoder. The unit may be used alone or as a plug-in to another device such as a PDA, cell phone, or remote control. The reader may further be coupled to various biometric or plug-in devices to achieve at least five levels of authentication, namely, (1) the smartcard itself; (2) the smartcard reader; (2) the PIN; (3) private-key cryptography (PKI); and (5) the (optional) biometric device. These five levels account for an extremely strong authentication applicable to public networking on public/private computers, and even on TV (satellite, cable, DVD, CD AUDIO, software applications. Transactions including payments may be carried out without any risk of communication tampering, authentication misconduct or identity theft. The invention finds utility in a wide range of applications, including commercial transactions and security, including the generation of prepaid credit/debit card numbers, vehicle rental, and other uses.

The present invention provides a system and method for maintaining secure information on mobile devices and that balances security and convenience in the provision of mobile data access. Security is maintained by extending the use of industry-accepted two-factor authentication methods, and convenience is enhanced by utilizing a user's existing mobile device accessories as an authentication factor. As a result, the present invention provides a strong authentication system and method without the cost or burden of requiring the user to acquire additional hardware for security purposes.

Systems and methods are provided for a device to engage in a zero-knowledge proof with an entity requiring authentication either of secret material or of the device itself. The device may provide protection of the secret material or its private key for device authentication using a hardware security module (HSM) of the device, which may include, for example, a read-only memory (ROM) accessible or programmable only by the device manufacturer. In the case of authenticating the device itself a zero-knowledge proof of knowledge may be used. The zero-knowledge proof or zero-knowledge proof of knowledge may be conducted via a communication channel on which an end-to-end (e.g., the device at one end and entity requiring authentication at the other end) unbroken chain of trust is established, unbroken chain of trust referring to a communication channel for which endpoints of each link in the communication channel mutually authenticate each other prior to conducting the zero-knowledge proof of knowledge and for which each link of the communication channel is protected by at least one of hardware protection and encryption.

The present invention defines a strong authentication token for generating different dynamic credentials for different application providers comprising an input interface providing an output representing an application provider indicator; a secret key storage for storing one or more secret keys; a variability source for providing a dynamic variable value; a key providing agent for providing an application provider specific key as a function of said application provider indicator using one or more keys stored in said secret key storage; a cryptographic agent for cryptographically combining said application provider specific key with said dynamic variable value using symmetric cryptography; a transformation agent coupled to said cryptographic agent for transforming an output of said cryptographic agent to produce a dynamic credential; and an output interface to output said dynamic credential.

The present invention defines furthermore a method to manage the secret keys of strong authentication tokens that can generate dynamic credentials for more than one supported application provider or application provider group using different secret keys for each supported application provider or application provider group comprising generating for each of a batch of strong authentication tokens a token specific master key; personalising each token of said batch with the token specific master key associated with said token; generating for each of a plurality of supported application providers or application provider groups a set of application provider specific token keys, one application provider specific token key for each token of said batch, whereby each application provider specific token key of each of said sets is derived from that token's token specific master key and a unique identifier or indicator of that application provider or application provider group; providing to each application provider or an entity that is responsible for the verification on behalf of said application provider of the dynamic credentials that are generated for said application provider, the corresponding set of application provider specific token keys.

A system for authenticating a user to a relying party. A user sends an access request to a relying party web application. In response, the application sends a page with JavaScript that detects a plug-in at the user and detects the relying party domain. The plug-in uses its device certificate or other pre-established credentials to sign a challenge along with other site and user information including the site domain, the authentication service URL and user identifier, and send it, along with the data including the domain and the user identifier, to an authentication service. The service authenticates the information and sends back to the plug-in a short ticket that can be passed on to the relying party, which can validate it using the Radius protocol and an authentication service call, thereby authenticating the user.

The invention relates to a method for implementing a user access authentication in a local area network, especially to a method for implementing a casual user access authentication in a public local area network. Firstly an internal user applies a casual user name and a key for the casual user through the authentication of a authentication server, the authentication server dynamically generates the casual user name and the key, then the casual user name and the key are stored in a user list of the authentication server, simultaneously the casual user name and the key are transmitted to a mobile phone of the internal user, the casual user uses the casual user name and the key for access authentication, and visits the authorized network resource after the authentication of the authentication server. The method of the invention adopts a double-factor and strong authentication system, the internal user is authenticated once, and the casual user is authenticated twice. The method can greatly improves the system safety, the casual user name and the key are all dynamically generated which are not easy to steal with high safety, and the management process for the casual user is simple and standard.

A method and apparatus for accessing Web services and URL resources for both primary and shared users over a reverse tunnel mechanism are provided. Current limitations on accessing Web services and URL resources located behind firewalls or otherwise made secure and largely inaccessible are overcome through a novel use of a “reverse tunneling” mechanism. The mechanism uses an Agent to obfuscate physical address endpoints of Web services and other resources, as well as to package SOAP service requests in such a way that they can be passed through firewalls unimpeded. All of this data transfer is made secure through encryption, strong authentication, and by making use of the security environment on both a user's individual device and the LAN proper. In addition, a primary user may share data access rights within the secure LAN environment to a secondary user and, using the present invention, provide only those access rights to the shared user over the open Internet.

Controlling a registered-user session of a registered user on a device using first and second authentication processes and a handoff from the first process to the second process. In one embodiment, the first authentication process is a stronger process performed at the outset of a session, and the second authentication process is a weaker process iteratively performed during the session. The stronger authentication process may require cooperation from the user, while the weaker authentication process is preferably one that requires little or no user cooperation. In other embodiments, a strong authentication process may be iteratively performed during the session.

User login information submitted as part of an attempt to log into a computer system is evaluated for unauthorized or illegitimate use based on indicators of suspicious behavior. Example indicators of suspicious behavior include whether the login information is known to have been compromised, whether the login attempt originates from a network source or a physical source that has previously originated an attempt to log in using login information known to have been compromised, and whether multiple login attempts using the login information from multiple users has originated from the source. A suspicion index can be calculated based on the presence of the indicators of suspicious behavior. The system can require enhanced authentication based on the measurement of suspicious behavior.

A system and method for augmented user and site authentication from mobile devices is disclosed herein. The system and method provides for the performing of strong authentication of users, whether human or otherwise, as well as of site authentication, which is optimized for use when such users access a system from a mobile device using a web browser or mini-web browser. In doing so the claimed invention utilizes multiple different heuristic algorithms and/or scoring values for device identification based on the type of mobile device, and may further identify the specific type of device attempting such access.

Strong authentication tokens for generating dynamic security values having an acoustical input interface for acoustically receiving input data are disclosed. The tokens may also include an optical interface for receiving input data and may have a selection mechanism to select either the acoustical or the optical input interface to receive data. A communication interface may be provided to communicate with a removable security device such as a smart card and the token may be adapted to generate dynamic security values in cooperation with the removable security device. The acoustic signal received by the token may be modulated using a frequency shift keying modulation scheme using a plurality of coding frequencies to code the acoustical signal where each coding frequency may be an integer multiple of a common base frequency.

Methods and apparatus for encoding and decoding data transmitted acoustically and/or optically to strong authentication tokens to generate dynamic security values are disclosed. The tokens may also include a selection mechanism to select either an acoustical or an optical input interface to receive data. A communication interface may be provided to communicate with a removable security device such as a smart card and the token may be adapted to generate dynamic security values in cooperation with the removable security device.

A method, apparatus and system enable secure remote authentication. According to embodiments of the present invention, a remote administrator may be authenticated by accessing an approved secure location, transmitting location information with an access request and providing proof of physical presence in the access request. Additionally, in one embodiment, the location information and/or proof of presence may be signed by a security key to further tamper-proof the remote administrator's identity.