G06F2221/2131

SECURE PASSWORD LOCK AND RECOVERY

Secure password lock and recovery is provided. A user password is received to access a secure resource protected by a data processing system. It is determined whether a match exists between a retrieved user password verification string corresponding to a valid user password from a storage of a software token and a generated user password verification string corresponding to the user password. In response to determining that a match does not exist between the retrieved user password verification string and the generated user password verification string, it is determined whether a defined number of user password authentication attempts has been exceeded. In response to determining that the defined number of user password authentication attempts has been exceeded, the retrieved user password verification string is set to a preestablished sequence of values locking the valid user password on the storage of the software token. Access to the secure resource is denied.

PASSWORD RESETTING SYSTEM AND METHOD
20200143034 · 2020-05-07 ·

A method, computer program product, and computing system for coupling password-resetting content to an IT computing device. The password-resetting content is validated on the IT computing device. The password-resetting content is processed to reset one or more passwords associated with the IT computing device.

SYSTEMS AND METHODS FOR MANAGING RESETTING OF USER ONLINE IDENTITIES OR ACCOUNTS
20200137033 · 2020-04-30 ·

Systems and methods are disclosed for managing the resetting of online identities or accounts of users of Internet web pages. One method includes: receiving, through an electronic device, a request to reset login information to access a web page associated with the user's online account; determining that an IP address associated with the request is not identified as being suspicious; receiving user data intrinsic to the user's request; automatically verifying two or more values of the data intrinsic to the user's request as being indicative of a level of trust of the identity of the user; and transmitting, to the user over the Internet, a subset of options to reset the login information, the subset being selected based on the level of trust.

System and method for resetting passwords on electronic devices

A system and method are provided for enabling a password reset mechanism for a secured device that verifies a digital signature on a password reset message. The password reset message has been generated by a password reset service for an authorized administrator associated with the secured device. The password reset mechanism allows the authorized administrator to make a request to the password reset service for a password reset, and receive the password reset message such that a password reset can be performed at the secured device. In this way, the secured device's password can be reset absent a connection to a command and control center or other service.

METHODS AND SYSTEMS FOR CREATING AND RECOVERING ACCOUNTS USING DYNAMIC PASSWORDS
20200127826 · 2020-04-23 ·

A method for recovering data. Identity factors are collected at a device, wherein hashes of the identity factors are configured to be stored at a server. A dynamic password is generated at the device based on the identity factors and a Salt generated by the server and configured to be delivered to the device. A selfie is captured of a user. The device generates a symmetric key used to encrypt the selfie. The symmetric key is encrypted using the dynamic password. The encrypted symmetric key and the encrypted selfie are stored on the server. One or more data items are stored on the server. The dynamic password is recoverable by presenting the plurality of identity factors that are hashed to the server. The symmetric key is recoverable using the recovered dynamic password. The data items are recoverable by presenting the symmetric key and a second selfie of the user.

TRUSTLESS ACCOUNT RECOVERY
20200119916 · 2020-04-16 ·

A system and method may be used to recover access to an account. A recovery challenge may be received from a submitter, including an escrow deposit, and the recovery challenge may be broadcast to other users. During a monitoring period, the system may monitor for a recovery response proving ownership of the account. If a recovery response is received then the submitter of the recovery response may maintain ownership of the account and receive a portion of the escrow deposit. If no valid recovery response is received during the monitoring period, then ownership of the account may be transferred to the submitter of the recovery challenge.

Secret sharing data protection in a storage system

In a storage system that includes a plurality of storage devices, data protection may include, for each of the plurality of storage devices: encrypting data of the storage device using the device key for the storage device; and encrypting the device key for the storage device using a master secret; generating a plurality of shares from the master secret; and storing the encrypted data, the encrypted device key, and a separate share of the plurality of shares in each storage device.

ELECTRONIC ACCOUNT RECOVERY THROUGH ACCOUNT CONNECTIONS
20200106777 · 2020-04-02 ·

A method for managing account data and handling account recovery requests is disclosed. The method comprises a multi-level identity verification process, including a first level where a specific computing device requesting recovery of an electronic account is requested to identify a trusted contact for the electronic account and a second level where the specific computing device is requested to provide a dynamically generated security code that has been communicated to a trusted contact identified by the specific computing device.

LIMITED USER AUTHENTICATION BY SELF-RECOGNITION
20200106761 · 2020-04-02 ·

A system and method provide unverified users an ability to act upon private records known to them while protecting user privacy by not reflecting private information back to the unverified user. As an unverified user inputs information related to their identity into an interface, the system searches an indexed database which may include both registered users and/or unregistered customers indexed from a single data source or from disparate data sources.

ENHANCED KEY AVAILABILITY FOR DATA SERVICES

Systems, methods, and software technology for managing keys used to encrypt data at-rest and decrypt the data when serving requests for the data. In an implementation, a data service receives a request for data that has been encrypted at rest using a data key, wherein the data key has been encrypted using a policy key, and wherein the policy key has been encrypted using a root key. When the root key is unavailable, the data service requests a key service to decrypt the policy key using an alternative root key. When the data service receives the policy key in an unencrypted state from the key service, it decrypts the data key using the policy key and decrypts the data using the data key.