Preference data is received. The received preference data is compared to stored preference data associated with a user with which the received preference data is associated. A determination is made whether to authorize an action based at least on the comparison. The preference data is received as a selection.

A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

A hosted secrets management transport system and method for managing secrets at one or more offsite locations that facilitates secret flow, secret retrieval, and secret replication. The method includes defining boundaries for two or more sovereignties, each sovereignty having an independent master record and each sovereignty including two or more regions; defining a primary region within the two or more regions; accessing, within the primary region, a master record hardware security module that is a primary source of secrets; defining a second region; accessing, within the second region, a backup record hardware security module that is where data backups of the secrets from the master record hardware security module are created; and executing live replication from the master record hardware security module to the backup record hardware security module in which the live replication that supports multi-tenancy secret management of multiple distinct companies at the same time.

Methods, apparatus, and systems are provided to secure access to an account of a user. The account may have a system administrator. The user may have a credential for accessing the secure data on the account. The methods, apparatus, and systems involve setting a universal reset credential associated with the account, denying the system administrator of the account permission to change the first credential of the access feature, and permitting the system administrator to reset the access feature from the first credential to the universal reset credential.

A system and a method are disclosed for verifying a suspicious electronic communication. To this end, a secure communications service may detect an electronic communication comprising an identifier of a purported originator of the electronic communication and an identifier of an intended recipient, and determine that an attribute of the electronic communication corresponds to a suspicious attribute. Responsively, the service may intercept the electronic communication and storing the electronic communication in purgatory memory, so as to prevent the electronic communication from being populated in a private repository of the intended recipient, transmit a verification message, and receive a reply to the verification message that verifies the authenticity of the electronic communication. In response to receiving the reply, the service may release the electronic communication from the purgatory memory, so as to cause the electronic communication to be populated in the private repository of the intended recipient.

Creating and managing linked decentralized identifiers for an entity. A parent decentralized identifier of an entity has an associated parent private key. A determination is made that a child decentralized identifier is to be created for the parent decentralized identifier. In response to the determination, the parent private key is used to generate a child private key, and a child decentralized identifier is created by at least assigning the generated child private key as the private key for the child decentralized identifier. Each of the decentralized identifiers may be associated with a permission to another entity. The permission associated with the child decentralized identifier may not be broader than the permission granted to the parent decentralized identifier.

Disclosed are various embodiments for providing access to a recovery key of a managed device and rotating the recovery key after it has been accessed. In one example, among others, a system includes a computing device and program instructions. The program instructions can cause the computing device to store a first recovery key for a first managed computing device. The first recovery key is configured to access an encrypted data store of the first managed computing device. A request is received for the first recovery key from a second managed computing device. The first recovery key is transmitted for display on the second managed computing device. A key rotation command is generated for a command queue of the first managed computing device to rotate the first recovery key after transmitting the first recovery key. The second recovery key is received from the second computing device.

Some embodiments of the invention provide a program for recovering access to a service associated with an account. The program provides a login credential to log into the account to receive the associated service. Next, the program receives an access continuation parameter (ACP) after logging into the account. The program then accesses the service and receives a rejection of a subsequent access to the service. The program then provides the ACP in lieu of the login credential to continue to receive the service.

Techniques and apparatus for providing peer-based management of user accounts are described. In one embodiment, for example, an apparatus may include at least one memory and logic coupled to the at least one memory. The logic may be configured to receive a request from at least one first user account to unlock a second user account locked responsive to a fraud event, determine a safe authentication value for the fraud event, and unlock the second user account responsive to the at least one first user account being a safe authentication account and the safe authentication value being over a safe authentication threshold value. Other embodiments are described.

The present disclosure may provide a method for confirming identity of a subject. The method may include: obtaining first recognition information of the subject; determining a first recognition result based on the first recognition information; obtaining second recognition information of the subject; determining a second recognition result based on the second recognition information; and determining a detection result of the subject based on the first recognition result and the second recognition result.