G06F2221/2131

SOCIAL ACCOUNT RECOVERY
20230195879 · 2023-06-22

Systems and methods are provided for performing operations including: receiving, via a messaging application of a user device, a request to recover access to an account of a user of the messaging application; accessing a first object corresponding to a first key; receiving, from a first friend of the user on the messaging application, a second object corresponding to a first portion of a second key; receiving, from a second friend of the user on the messaging application, a third object corresponding to a second portion of the second key; deriving the second key based on the second and third objects; and recovering access to the account of the user based on the first key and the second key.

Mobile device password management and escrow with keyfob

Physical security methods and equipment are applied to mobile devices that use multi-factor authentication mobile apps. Herein, a password management mobile app physically escrows each encrypted password that must be stored into two parts. These are then distributed between two separate, independent physical devices. Only one of those parts is kept only in a separate user gadget like a keyfob. Any reconstitution of each password after decryption requires that the user have on-hand both the mobile device and the separate user gadget. Such reconstitution is one password at a time, and only as needed, and released for use in remote authentication with a master user password entry.

SELF-SERVICE DEVICE ENCRYPTION KEY ACCESS
20230188339 · 2023-06-15

Disclosed are various embodiments for providing access to a recovery key of a managed device and rotating the recovery key after it has been accessed. In one example, among others, a system includes a computing device and program instructions. The program instructions can cause the computing device to authenticate a user on the computing device in order to unlock an operating system based on a first recovery key. A key rotation command can be received from the management service. The key rotation command can include an instruction to rotate the first recovery key. The computing device can generate a second recovery key and transmit the second recovery key to the management service.

SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO A COMPUTING DEVICE

A computer-implemented method is disclosed. The method includes: receiving, via a computing device in a locked state, input of a first PIN; determining that the first PIN is associated with a first cryptographic key that is stored in a memory; responsive to determining that the first PIN is associated with the first cryptographic key, retrieving, from the memory, an encrypted form of a first credential that is associated with the first cryptographic key; recovering the first credential from the encrypted form using the first cryptographic key; and causing the computing device to be unlocked using the recovered first credential.

Method and system for securely identifying users
11677811 · 2023-06-13

Identifying users is disclosed including, in response to receiving an account operating request of an account sent by a user device, obtaining a personal question from a personal questions database and sending the personal question to the user device, receiving, from the user device, a verification response to the personal question, and determining whether a current user is a user associated with the account based at least in part on the verification response and a corresponding standard response in the personal questions database, where the personal question obtained from the personal questions database and the corresponding standard response were generated based at least in part on account operating information of the user associated with the account.

PROMPTING LOGIN ACCOUNT
20170289131 · 2017-10-05

A login request initiated by a user at a current page is received. Whether there exists an account record matched with a login account name and login password combination in the login request is searched from an account table of the current page. If a result is positive, the user is allowed to log in. If a result is not positive, a preconfigured account name collection corresponding to the login account name is acquired. The account name collection includes login account names of the user's registered accounts in a plurality of member systems. A login account name in a member system to which the current page belongs is searched from the account name collection, and the found login account name is provided to the user. The techniques of the present disclosure prompt a correct login account name to the user, especially when there are many user login account names, thereby reducing memory burden of the user and assisting the user in implementing a quick login under multi-account management.

Sending a password to a terminal

A mechanism is provided for sending a password to a terminal. A password send request is received. The status of each of a plurality of terminals coupled to the information processing device via a network is acquired. On the basis of the acquired statuses, at least one item is selected from a group comprising the terminal serving as a destination for the password, the communication method with the terminal, or the method for inputting the password in the terminal. The password is then sent to the selected terminal via a network.

A MODEM/GATEWAY DEVICE HAVING A WIRELESS NETWORK PASSWORD RETRIEVAL FUNCTION
20220309147 · 2022-09-29

A modem/gateway device having a password retrieval function is provided that includes a user interface, a hardware processor, and a non-transitory memory configured to store one or more programs. The hardware processor executes the one or more programs to receive a request for a password retrieval in response to an input from the user interface, generate a message for retrieving a password for a wireless network, and transmit the message to a server. The password corresponds to an email address to which an email is to be sent by the server. The transmitted message instructs a password retrieval operation by the server to transmit the password to the email address.

RECOVERY FROM LOST CREDENTIALS FOR PRE-BOOT AUTHENTICATION
20220035925 · 2022-02-03

A digital processing system receives, in a pre-boot duration, an indication from a user to retrieve a credential required for booting the digital processing system. The digital processing system connects, in the pre-boot duration, to a user device and retrieves, in the pre-boot duration, the credential from an external server using the user device. Booting is thereafter continued. In an embodiment, a BIOS (basic input/output system) software performs the receiving, the connecting, the retrieving, and completes the booting upon initialization of the digital processing system.

Peer identity verification
11252161 · 2022-02-15

A system of peer identity verification that reduces the risk of identity theft in case of a data breach. The system does not require a vendor to maintain a database of sensitive customer-related data. Cryptographic keys are used. The system creates a one-time encryption keypair. The public and private keys of each user are saved securely on each user's device. While the public key for each user is stored remote from each user's device (such as in a cloud), the private key for a given user is not stored anywhere other than securely on that user's device. Thereafter, a user (i.e., the main user) requests another user to act as their “trusted peer” to be added to their “trust cluster.” If that other user accepts the request, the main user's private key is encrypted with that other user's public key and this encrypted data gets stored remotely, such as in a cloud. Thereafter, a trusted peer is authorized and able to verify the identity of a main user by being able to decrypt and read a message encrypted with the main user's public key. The system effectively puts the recovery and protection of a main user's private key in the hands of the main user's “trusted peers” in their own designed “trust cluster.”