A system and method for data access control using narrative authentication questions can include a server containing a database storing login credentials for an account associated with a user, and the login credentials can include a narrative authentication question and an authentication response associated with the narrative authentication question. A system and method for data access control using narrative authentication questions can include a user device in data communication with the server, and the user device can receive and transmit user input from the user. Upon receipt of a request to access the account from the user, the server can transmit the narrative authentication question to the user device, receive a user input by the user transmitted from the user device in response to the narrative authentication question, compare the user input to the authentication response stored in the database, calculate a similarity score based on the comparison, and approve the user's request to access the account if the similarity score exceeds a threshold.

A system and method may be used to recover access to an account. A recovery challenge may be received from a submitter, including an escrow deposit, and the recovery challenge may be broadcast to other users. During a monitoring period, the system may monitor for a recovery response proving ownership of the account. If a recovery response is received then the submitter of the recovery response may maintain ownership of the account and receive a portion of the escrow deposit. If no valid recovery response is received during the monitoring period, then ownership of the account may be transferred to the submitter of the recovery challenge.

This application discloses a password verification method and a password setting method. The password verification method includes: in response to a detected operation of requesting for password verification, collecting at least one first image by using a camera of a mobile terminal; obtaining matching information when a result of matching between the at least one first image collected by the mobile terminal and at least one first preset image satisfies a first preset matching condition, where the matching information includes at least one of the following: location information of the mobile terminal, motion information of the mobile terminal, at least one second image collected by the camera of the mobile terminal, and network connection information of the mobile terminal; and performing matching between the obtained matching information and a second preset matching condition, where the password verification succeeds when the matching is successful.

Systems, devices, and methods for automating network account transfers based on predicted inactivity are disclosed. In one embodiment, the system comprises a mail server providing access to an email account of a user; a social graph monitor configured to: periodically query, over a network, a social graph associated with the user to retrieve at least one social network feed associated with the user, calculate a sentiment score for the social network feed based on parsing the social network feed using a natural language parser, and determining that a transfer condition has occurred if the sentiment score exceeds a pre-defined sentiment score threshold; and a condition processor configured to: transmit, via the mail server, a password reset request to a network application associated with the transfer condition, intercept an email from the network application, via the mail server, transmitted in response to the password reset request, forward, via the mail server, the email to a recipient associated with the transfer condition, determine that the recipient has reset a password associated with the network application, and forward, to the recipient via the mail server, subsequent emails from the network application.

The generation and management of decentralized identifiers of an entity. A decentralized identifier of a particular entity is recorded. Then, upon determining that the particular entity is granting a permission to another entity, the permission is signed based on the recorded decentralized identifier. As one example, the permission may be signed by a private key of the decentralized identifier. The permission may be verified upon request by authenticating the signed permission being associated with the recorded decentralized identifier; and authorizing the other entity to act upon the data depending on the authentication. As an example only, the authentication may occur using a public key associated with the recorded decentralized identifier.

Some embodiments provide an account-access recovery method that receives a request to recover access to an account. The method also assesses recent usage of a device that is associated with the account. The method also, based on the assessment, selects a recovery process from a group of different recovery processes for regaining access to the account. The method also provides the selected recovery process to a party that is requesting the access recovery.

Identifying users is disclosed including, in response to receiving an account operating request of an account sent by a user device, obtaining a personal question from a personal questions database and sending the personal question to the user device, receiving, from the user device, a verification response to the personal question, and determining whether a current user is a user associated with the account based at least in part on the verification response and a corresponding standard response in the personal questions database, where the personal question obtained from the personal questions database and the corresponding standard response were generated based at least in part on account operating information of the user associated with the account.

According to some embodiments, a primary landscape domain database may store secure information (e.g., passwords, secure credentials, etc.) encrypted with a primary landscape key. A secure landscape transfer computer platform, coupled to the primary landscape domain database, may retrieve the secure information and decrypt the secure information at the primary landscape using the primary landscape key. The secure landscape transfer computer platform may also encrypt the secure information using a transport key. A transfer (e.g., by transport or replication) of the secure information encrypted with the transport key may then be arranged by the secure landscape transfer computer platform to a secondary landscape. The transferred secure information may be decrypted at the secondary landscape using the transport key and encrypted at the secondary landscape with a secondary landscape key. The encrypted secure information may then be stored into a domain database at the secondary landscape.

Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).

A hosted secrets management transport system and method for managing secrets at one or more offsite locations that facilitates secret flow, secret retrieval, and secret replication. The method includes defining boundaries for two or more sovereignties, each sovereignty having an independent master record and each sovereignty including two or more regions; defining a primary region within the two or more regions; accessing, within the primary region, a master record hardware security module that is a primary source of secrets; defining a second region; accessing, within the second region, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created; and executing live replication from the master record hardware security module to the backup record hardware security module in which the live replication that supports multi-tenancy secret management of multiple distinct companies at the same time.