H04L9/3234

METHOD AND SYSTEM FOR ACCESS AUTHORISATION
20230068283 · 2023-03-02

The present invention relates to authorising access to data (132) associated with a user. Aspects of the invention provide a computer-implemented method, computer software, a system and a computing device. The method comprises receiving, at an application server (120) from a first device (110), a request to access the data (132) associated with the user. The data (132) is hosted at a data server (130) external to the application server (120). The application server (120) provides an authorisation request (510) to an authorisation server (140); and the authorisation request is transmitted from the authorisation server (140) to an authorisation application (310) executed on a second device (150) associated with the user. The authorisation application (310) executed on the second device (150) sends, in response to receiving the authorisation request, a redirect authorisation request (520) to a second application (320) executed on the second device (150), the second application (320) being associated with the data server (130). The request is authorised at the second device (150) by the second application (320), in dependence on an authorisation input from the user at the second device (150). In response to the authorisation of the request the second application (320) provides an access token to the application server (120) via the authorisation server (140), the access token being configured to enable access by the application server (120) to the data associated with the user.
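The exchange described above, as an added example in Go (not code from the patent or its applicant). Each party is a type and one request runs end to end: application server, authorisation server, authorisation app on the second device, the data provider's second app on that device, and the data server. The identifiers, the token shape, the shared token store between the second app and the data server, and the checks at each hop (request addressed to this user, user approval before any token exists, token bound to the requesting client and scope) are assumptions the abstract does not make:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

type authRequest struct{ ClientID, UserID, Scope string } // who asks, for whose data, for what
type accessToken struct{ Value, ClientID, UserID, Scope string }

// dataServer holds the user data and the tokens its companion app issued
// (a shared token store is assumed; a signed token would also work).
type dataServer struct {
	data   map[string]map[string]string // userID -> scope -> payload
	tokens map[string]accessToken
}

func (d *dataServer) read(clientID, tokenValue, scope string) (string, error) {
	tok, ok := d.tokens[tokenValue]
	if !ok || tok.ClientID != clientID || tok.Scope != scope {
		return "", errors.New("data server: token unknown or not valid for this client and scope")
	}
	return d.data[tok.UserID][scope], nil
}

// secondApp is the data provider's own app on the user's second device;
// approve stands in for the user's authorisation input there.
type secondApp struct {
	ds      *dataServer
	userID  string
	approve func(authRequest) bool
}

func (a *secondApp) handleRedirect(req authRequest) (accessToken, error) {
	if req.UserID != a.userID {
		return accessToken{}, errors.New("second app: request is for a different user")
	}
	if !a.approve(req) {
		return accessToken{}, errors.New("second app: user denied the request")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return accessToken{}, err
	}
	// The token is bound to the requesting client and scope, not just to the user.
	tok := accessToken{Value: hex.EncodeToString(b), ClientID: req.ClientID, UserID: req.UserID, Scope: req.Scope}
	a.ds.tokens[tok.Value] = tok
	return tok, nil
}

// authApp is the authorisation app on the same device; it forwards the
// request to the second app as the redirect authorisation request.
type authApp struct{ userID string; second *secondApp }

func (a *authApp) handle(req authRequest) (accessToken, error) {
	if req.UserID != a.userID {
		return accessToken{}, errors.New("auth app: request not addressed to this user")
	}
	return a.second.handleRedirect(req)
}

// authServer relays requests to the user's enrolled device and tokens back.
type authServer struct{ devices map[string]*authApp }

func (s *authServer) authorise(req authRequest) (accessToken, error) {
	app, ok := s.devices[req.UserID]
	if !ok {
		return accessToken{}, errors.New("auth server: user has no enrolled device")
	}
	return app.handle(req)
}

// appServer is the first party: it asks for the data and uses the token it receives.
type appServer struct{ clientID string; auth *authServer }

func (s *appServer) fetch(ds *dataServer, userID, scope string) (string, error) {
	tok, err := s.auth.authorise(authRequest{ClientID: s.clientID, UserID: userID, Scope: scope})
	if err != nil {
		return "", err
	}
	return ds.read(s.clientID, tok.Value, scope)
}

// demo wires the parties together with constructed sample data and runs one request.
func demo(approve bool) (string, error) {
	ds := &dataServer{data: map[string]map[string]string{"alice": {"statements": "balance: 42"}}, tokens: map[string]accessToken{}}
	second := &secondApp{ds: ds, userID: "alice", approve: func(authRequest) bool { return approve }}
	as := &authServer{devices: map[string]*authApp{"alice": {userID: "alice", second: second}}}
	return (&appServer{clientID: "budget-app", auth: as}).fetch(ds, "alice", "statements")
}

func main() {
	fmt.Println(demo(true))
	fmt.Println(demo(false))
}
```

demo(true) returns the payload; demo(false) returns an error and no token is ever created, because the token is minted on the user's device only after the approval input. The audience check in read is the part worth keeping in any real implementation: a token minted for one application server is refused when another client presents it, and a token for one scope is refused for another.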

METHOD AND SYSTEM FOR ONBOARDING CLIENT DEVICES TO A KEY MANAGEMENT SERVER

A system and process for onboarding client devices to a key management server. In operation, a device generates an asymmetric key pair including a public key and a private key. The device obtains an access token from an identity management server after successfully authenticating with the identity management server. The device transmits a request including the access token and the public key to the key management server to onboard the client device. The device receives a response including encrypted bootstrap information from the key management server. The bootstrap information included in the response is encrypted using the public key of the asymmetric key pair. The device decrypts the encrypted bootstrap information using the private key of the asymmetric key pair to obtain the bootstrap information and then uses the bootstrap information for encrypting communications transmitted to the key management server or for decrypting communications received from the key management server.
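The onboarding sequence above, as an added example in Go using only the standard library (not code from the patent or its applicant). The device generates an RSA-2048 key pair, presents an access token and its public key, and the key management server answers with a fresh AES-256 bootstrap key encrypted with RSA-OAEP to that public key; afterwards both ends protect traffic with AES-GCM under the bootstrap key. RSA-OAEP, AES-GCM, the token check as a lookup table standing in for the identity management server, and the OAEP label binding the response to the authenticated device ID are assumptions; the abstract fixes none of them:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// keyServer is the key management server; validTokens stands in for the identity server's token check.
type keyServer struct {
	validTokens map[string]string // access token -> device ID (filled by the demo; format assumed)
	bootstrap   map[string][]byte // device ID -> AES-256 key issued to it
}

// onboard returns the bootstrap secret encrypted to the offered public key. The OAEP label
// binds the ciphertext to the authenticated device ID (design choice), so a captured response is useless elsewhere.
func (k *keyServer) onboard(accessToken string, publicKeyDER []byte) ([]byte, error) {
	deviceID, ok := k.validTokens[accessToken]
	if !ok {
		return nil, errors.New("kms: access token rejected")
	}
	pub, err := x509.ParsePKIXPublicKey(publicKeyDER)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok || rsaPub.N.BitLen() < 2048 {
		return nil, errors.New("kms: RSA public key of at least 2048 bits required")
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, secret, []byte(deviceID))
	if err != nil {
		return nil, err
	}
	k.bootstrap[deviceID] = secret
	return ct, nil
}

// newDeviceKey is the device's freshly generated asymmetric key pair.
func newDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// deviceOnboard is the client side: present token and public key, recover the bootstrap key with the private key.
func deviceOnboard(id, token string, priv *rsa.PrivateKey, kms *keyServer) ([]byte, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	ct, err := kms.onboard(token, pubDER)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(id))
}

// gcmFor is the AEAD both ends use under the bootstrap key from then on.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// demoOnboarding runs the exchange with a constructed token, then the device seals a message the KMS opens.
func demoOnboarding() (string, error) {
	kms := &keyServer{validTokens: map[string]string{"tok-7c1e": "device-42"}, bootstrap: map[string][]byte{}}
	priv, err := newDeviceKey()
	if err != nil {
		return "", err
	}
	key, err := deviceOnboard("device-42", "tok-7c1e", priv, kms)
	if err != nil {
		return "", err
	}
	devAEAD, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	kmsAEAD, err := gcmFor(kms.bootstrap["device-42"])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, devAEAD.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	pt, err := kmsAEAD.Open(nil, nonce, devAEAD.Seal(nil, nonce, []byte("rotate key k1"), nil), nil)
	return string(pt), err
}

func main() {
	fmt.Println(demoOnboarding())
}
```

Two checks in onboard carry the security of the scheme: the token must be valid before any secret is generated, and the offered key must be of the expected type and size, since the server is about to encrypt a long-lived secret to whatever key it is handed. A response encrypted for device-42 does not decrypt under any other label, which is what the test exercises.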

TRUSTED LOCAL ORCHESTRATION OF WORKSPACES

Systems and methods for providing trusted local orchestration of workspaces are described. In some embodiments, an Information Handling System (IHS) may include a processor and a system memory coupled to the processor, the system memory having program instructions stored thereon that, upon execution, cause the IHS to: receive an orchestration code from a workspace orchestration service; record, using a trusted controller coupled to the processor, a log comprising: the orchestration code, and an indication of a sequence of operations performed during an instantiation of a workspace by the local management agent; provide a copy of the log to the workspace orchestration service; and establish a connection between the workspace and the workspace orchestration service in response to the workspace orchestration service's successful: (i) authentication of the orchestration code, and (ii) verification of the sequence of operations.
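The log-and-verify step above, as an added example in Go (not code from the patent or its applicant). The trusted controller folds the orchestration code and each operation, in order, into a SHA-256 hash chain and signs the final digest with an Ed25519 key only it holds; the orchestration service then (i) checks that the code is one it issued and (ii) recomputes the chain from the reported sequence, checks the signature, and compares the sequence with the expected one. The hash chain, the signature scheme, the one-time use of a code and the expected step list are assumptions; the abstract says only that the log is recorded by the trusted controller and verified by the service:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// orchestrationLog is what the trusted controller records: the code the service
// issued, the operations in the order the local agent performed them, and the
// controller's signature over a hash chain of both.
type orchestrationLog struct {
	code string
	ops  []string
	sig  []byte
}

// chainDigest folds the code and then each operation into one running digest,
// so neither the order nor the contents can change without changing the digest.
func chainDigest(code string, ops []string) []byte {
	d := sha256.Sum256([]byte("code:" + code))
	for _, op := range ops {
		d = sha256.Sum256(append(d[:], []byte("op:"+op)...))
	}
	return d[:]
}

type trustedController struct{ priv ed25519.PrivateKey }

func newTrustedController() (*trustedController, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &trustedController{priv: priv}, pub, err
}

// record seals the log once the instantiation is complete.
func (c *trustedController) record(code string, ops []string) orchestrationLog {
	return orchestrationLog{code: code, ops: ops, sig: ed25519.Sign(c.priv, chainDigest(code, ops))}
}

// orchestrationService issued the code, knows each IHS's controller key, and
// holds the sequence of operations a correct instantiation must perform.
type orchestrationService struct {
	issuedCodes    map[string]bool
	controllerKeys map[string]ed25519.PublicKey // IHS identifier -> controller public key
	expected       []string
}

// verify performs the two checks the connection depends on: (i) the code is one
// this service issued, (ii) the signed sequence of operations is the expected one.
func (s *orchestrationService) verify(ihsID string, l orchestrationLog) error {
	pub, ok := s.controllerKeys[ihsID]
	if !ok {
		return errors.New("unknown IHS")
	}
	if !s.issuedCodes[l.code] {
		return errors.New("orchestration code was not issued by this service")
	}
	if !ed25519.Verify(pub, chainDigest(l.code, l.ops), l.sig) {
		return errors.New("log is not signed by this IHS's trusted controller")
	}
	if len(l.ops) != len(s.expected) {
		return fmt.Errorf("expected %d operations, log has %d", len(s.expected), len(l.ops))
	}
	for i := range l.ops {
		if l.ops[i] != s.expected[i] {
			return fmt.Errorf("operation %d: got %q, want %q", i, l.ops[i], s.expected[i])
		}
	}
	delete(s.issuedCodes, l.code) // a code is good for one instantiation
	return nil
}

// workspaceSteps is the constructed sequence a correct instantiation performs.
var workspaceSteps = []string{"verify-image", "create-container", "apply-policy", "start-agent"}

// demoOrchestration issues a code, has the controller record an instantiation,
// and returns the service's verdict on the log.
func demoOrchestration() error {
	ctl, pub, err := newTrustedController()
	if err != nil {
		return err
	}
	svc := &orchestrationService{
		issuedCodes:    map[string]bool{"ORCH-7f3a": true},
		controllerKeys: map[string]ed25519.PublicKey{"ihs-1": pub},
		expected:       workspaceSteps,
	}
	return svc.verify("ihs-1", ctl.record("ORCH-7f3a", workspaceSteps))
}

func main() {
	fmt.Println("verdict:", demoOrchestration())
}
```

Reordering or dropping an entry after the fact invalidates the signature, because the service recomputes the chain from the entries it is shown rather than trusting a digest in the log. The sequence check is separate from the signature check on purpose: a genuinely recorded log that skips a step is authentic and still refused.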

DIGITAL IDENTITY AUTHENTICATION SYSTEM AND METHOD
20230066754 · 2023-03-02

A method for authenticating a user performed by an identity server computer is disclosed. The method comprises receiving, by a server, a user device identifier from an access device. The server transmits a challenge to a mobile device operated by a user, and the mobile device signs the challenge. The server receives and verifies the signed challenge and then provides the signed challenge or a portion thereof to an access device, which processes the transaction with the signed challenge.
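The challenge-response step above, as an added example in Go with the standard library (not code from the patent or its applicant). The identity server issues a random challenge for the reported user device identifier, the mobile device signs it with an enrolled ECDSA P-256 key, and the server verifies the signature before handing the signed challenge on to the access device. The expiry, the single-use rule, and the inclusion of the device identifier in the signed digest are assumptions the abstract does not state:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// challenge is what the identity server sends to the mobile device (expiry is a design choice).
type challenge struct {
	nonce   []byte
	expires time.Time
}

type identityServer struct {
	enrolled map[string]*ecdsa.PublicKey // user device identifier -> enrolled public key
	pending  map[string]challenge        // user device identifier -> outstanding challenge
	now      func() time.Time
}

// enrolDevice is the constructed setup: the device generates a P-256 key, the server keeps the public half.
func (s *identityServer) enrolDevice(deviceID string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.enrolled[deviceID] = &priv.PublicKey
	return priv, nil
}

// issueChallenge runs when the access device reports a user device identifier.
func (s *identityServer) issueChallenge(deviceID string) ([]byte, error) {
	if _, ok := s.enrolled[deviceID]; !ok {
		return nil, errors.New("device not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = challenge{nonce: nonce, expires: s.now().Add(2 * time.Minute)}
	return nonce, nil
}

// challengeDigest is what gets signed; the device identifier is included so a
// signature obtained for one device cannot be presented for another.
func challengeDigest(deviceID string, nonce []byte) []byte {
	d := sha256.Sum256(append(append([]byte(deviceID), 0), nonce...))
	return d[:]
}

// signChallenge is the mobile device's part.
func signChallenge(priv *ecdsa.PrivateKey, deviceID string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, challengeDigest(deviceID, nonce))
}

// verifySignedChallenge consumes the outstanding challenge, checks expiry and the
// signature against the enrolled key, and returns the signed challenge for the access device.
func (s *identityServer) verifySignedChallenge(deviceID string, sig []byte) ([]byte, error) {
	c, ok := s.pending[deviceID]
	if !ok {
		return nil, errors.New("no outstanding challenge for this device")
	}
	delete(s.pending, deviceID) // one attempt per challenge, whatever the outcome
	if s.now().After(c.expires) {
		return nil, errors.New("challenge expired")
	}
	if !ecdsa.VerifyASN1(s.enrolled[deviceID], challengeDigest(deviceID, c.nonce), sig) {
		return nil, errors.New("signature does not verify under the enrolled key")
	}
	return sig, nil
}

// demoAuthentication runs one full exchange with a constructed device.
func demoAuthentication() error {
	s := &identityServer{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string]challenge{}, now: time.Now}
	priv, err := s.enrolDevice("dev-1")
	if err != nil {
		return err
	}
	nonce, err := s.issueChallenge("dev-1")
	if err != nil {
		return err
	}
	sig, err := signChallenge(priv, "dev-1", nonce)
	if err != nil {
		return err
	}
	_, err = s.verifySignedChallenge("dev-1", sig)
	return err
}

func main() {
	fmt.Println("authenticated:", demoAuthentication() == nil)
}
```

Deleting the pending challenge before any check runs is deliberate: a replayed signature, an expired one, and a wrong one all consume the challenge, so an attacker gets exactly one guess per round trip. The access device receives only the verified signature, never the private key or the unsigned nonce.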

Systems, methods and apparatuses for device attestation based on speed of computation
11632248 · 2023-04-18

The systems, methods and apparatuses described herein provide a computing device that is configured to attest itself to a communication partner. In one aspect, the computing device may comprise a communication port configured to receive an attestation request from the communication partner, and an application-specific integrated circuit (ASIC). The ASIC may be configured to receive the attestation request from the communication port. The attestation request may include a nonce generated at the communication partner. The ASIC may further generate a verification value and send the verification value to the communication port to be transmitted back to the communication partner. The verification value may be the result of computing a predefined function with the nonce as its initial value. In another aspect, the communication partner is configured to attest the computing device using speed-of-computation attestation.
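The attestation exchange above, as an added example in Go (not code from the patent or its applicant). The predefined function is taken to be an iterated SHA-256 started from the nonce: every step needs the previous output, so the work cannot be spread across cores and the answer cannot arrive faster than one hash latency per step on whatever actually ran it. The verifier checks the value and the round-trip time as two independent verdicts. The function, the iteration count and the time budget are assumptions; the abstract names none of them:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// attestIterations is the assumed length of the sequential computation.
const attestIterations = 200_000

// computeVerificationValue is what the ASIC computes from the nonce: each
// iteration hashes the previous output, so the steps cannot run in parallel.
func computeVerificationValue(nonce [32]byte, iterations int) [32]byte {
	v := nonce
	for i := 0; i < iterations; i++ {
		v = sha256.Sum256(v[:])
	}
	return v
}

// verifier is the communication partner. It checks two things independently:
// the value (did the device run the function on this nonce?) and the time
// (did it run as fast as the genuine ASIC does?).
type verifier struct {
	iterations int
	budget     time.Duration // round-trip time a genuine device stays under
}

type attestationResult struct {
	valueOK bool
	inTime  bool
	elapsed time.Duration
}

func (r attestationResult) accepted() bool { return r.valueOK && r.inTime }

// judge applies both checks to a returned value and a measured round trip.
func (v verifier) judge(nonce, got [32]byte, elapsed time.Duration) attestationResult {
	want := computeVerificationValue(nonce, v.iterations)
	return attestationResult{valueOK: want == got, inTime: elapsed <= v.budget, elapsed: elapsed}
}

// attest sends a fresh nonce to the prover, times the exchange, and judges it.
// A fresh nonce per attestation is what stops a replay of an earlier answer.
func (v verifier) attest(prover func([32]byte) [32]byte) (attestationResult, error) {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return attestationResult{}, err
	}
	start := time.Now()
	got := prover(nonce)
	return v.judge(nonce, got, time.Since(start)), nil
}

// genuineASIC stands in for the hardware prover.
func genuineASIC(nonce [32]byte) [32]byte { return computeVerificationValue(nonce, attestIterations) }

// lazyProver answers without doing the work, as a cheap impersonator would.
func lazyProver(nonce [32]byte) [32]byte { return nonce }

func main() {
	v := verifier{iterations: attestIterations, budget: 5 * time.Second}
	for _, p := range []struct {
		name string
		fn   func([32]byte) [32]byte
	}{{"genuine", genuineASIC}, {"lazy", lazyProver}} {
		r, err := v.attest(p.fn)
		fmt.Printf("%s: accepted=%v valueOK=%v inTime=%v elapsed=%v err=%v\n",
			p.name, r.accepted(), r.valueOK, r.inTime, r.elapsed, err)
	}
}
```

Two caveats a deployment has to settle that the example glosses over: the verifier here recomputes the function itself, which costs it as much time as the prover, so a real verifier either precomputes answers for nonces it will send or is simply faster hardware; and the budget must be calibrated from measured genuine devices plus network jitter, since a budget too tight rejects real ASICs while one too loose admits a fast CPU emulating them. The time check is only meaningful because the function is strictly sequential; a parallelisable function would let an emulator buy back the time with more cores.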

Identifying large database transactions

Embodiments are disclosed for a method for identifying large database transactions. The method includes generating a token marker sequence of a database transaction. The token marker sequence includes multiple token markers. The token markers include a token of the database transaction and a position corresponding to the token. The method further includes sorting the token markers based on a probability that the token occurs in a stream of database transactions. Additionally, the method includes reducing a size of the token marker sequence based on a predetermined threshold.
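The reduction described above, as an added example in Go (not code from the patent or its applicant). A frequency model built from a stream of past transactions gives each token a probability; the transaction's token markers (token plus position) are sorted by that probability and cut down to a threshold, leaving a compact signature of the transaction. The whitespace tokenizer, the relative-frequency estimate, and the ascending sort direction (so that rare tokens survive the cut) are assumptions the abst
ract leaves open:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// tokenMarker is one token of a transaction together with its position in it.
type tokenMarker struct {
	token    string
	position int
	prob     float64 // estimated probability of the token in the transaction stream
}

// tokenModel holds token frequencies observed over a stream of past transactions.
type tokenModel struct {
	counts map[string]int
	total  int
}

// tokenize splits on whitespace; the abstract does not define a tokenizer, so this
// is an assumption (a SQL-aware lexer would be the natural replacement).
func tokenize(tx string) []string { return strings.Fields(tx) }

func newTokenModel(stream []string) *tokenModel {
	m := &tokenModel{counts: map[string]int{}}
	for _, tx := range stream {
		for _, tok := range tokenize(tx) {
			m.counts[tok]++
			m.total++
		}
	}
	return m
}

// probability is the token's relative frequency in the stream; a token never seen
// gets 0, which puts it at the front after sorting: it is the most distinguishing
// part of the transaction, so it is the last thing the reduction should drop.
func (m *tokenModel) probability(tok string) float64 {
	if m.total == 0 {
		return 0
	}
	return float64(m.counts[tok]) / float64(m.total)
}

// markerSequence builds the token marker sequence for one transaction, sorts it by
// ascending probability (ties keep transaction order) and keeps at most threshold markers.
func (m *tokenModel) markerSequence(tx string, threshold int) []tokenMarker {
	var seq []tokenMarker
	for i, tok := range tokenize(tx) {
		seq = append(seq, tokenMarker{token: tok, position: i, prob: m.probability(tok)})
	}
	sort.SliceStable(seq, func(a, b int) bool { return seq[a].prob < seq[b].prob })
	if threshold >= 0 && threshold < len(seq) {
		seq = seq[:threshold]
	}
	return seq
}

// signature renders a reduced sequence as "token@position ..." so that two
// transactions can be compared by their surviving markers.
func signature(seq []tokenMarker) string {
	parts := make([]string, len(seq))
	for i, mk := range seq {
		parts[i] = fmt.Sprintf("%s@%d", mk.token, mk.position)
	}
	return strings.Join(parts, " ")
}

// sampleStream is a constructed stream of past transactions for the model.
var sampleStream = []string{
	"SELECT id FROM users WHERE id = 1",
	"SELECT name FROM users WHERE id = 2",
	"DELETE FROM sessions WHERE token = 'abc'",
}

func main() {
	m := newTokenModel(sampleStream)
	for _, tx := range []string{"SELECT name FROM users WHERE id = 2", "DROP TABLE users"} {
		fmt.Printf("%-40s -> %s\n", tx, signature(m.markerSequence(tx, 3)))
	}
}
```

With the constructed stream, "SELECT name FROM users WHERE id = 2" reduces at threshold 3 to name@1 2@7 SELECT@0: the two literals seen once in the stream come first, the keyword shared by only two transactions next, and the boilerplate tokens (FROM, WHERE, id, =) are what gets discarded. A statement containing tokens never seen before, such as DROP, keeps those tokens ahead of everything else, which is the property that makes the reduced sequence useful for spotting an unusual transaction rather than just a long one.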

METHODS AND SYSTEMS FOR ENROLLING DEVICE IDENTIFIERS (DEVIDs) ON REDUNDANT HARDWARE
20220329435 · 2022-10-13

Methods and systems for implementing DevID enrollment for hardware-redundant Trusted Platform Modules (TPMs) are described. A system can include hardware redundancy for management modules, and for TPMs that correspond to each management module. Accordingly, a product can have a dual-TPM configuration, where both modules are associated with the same product. Further, a process that particularly considers the presence of dual TPMs for creating, issuing, and enrolling DevID certificates is described. The process issues and maintains DevID certificates for each TPM by synchronizing dual sessions that correspond to each TPM. Also, the process accounts for duplicate identification data, for example allowing the certificate authority (CA) to sign certificates for dual TPMs linked to the same chassis number. The process can include performing validation checks, rendezvous points, and locks to ensure that DevID certificates are successfully issued for each of the dual TPMs, respectively.

Multiple devices for updating repositories

Provided is a method including obtaining a first set of queries from an application of a first device for a set of values of a record, determining a numeric boundary based on the set of values, and providing a UI to the first device, where the UI includes a UI element displaying the numeric boundary. The method includes obtaining an interface-selected value, obtaining devices using a second set of queries, and obtaining a first location of the first device and a plurality of locations associated with the devices. The method includes selecting a second device of the devices based on distances between the first location and the plurality of locations. The method includes determining whether an authentication value is received from the second device and updating a field of the record based on the interface-selected value in response to receiving the authentication value from the second device.

Decentralized document and entity verification engine
11664995 · 2023-05-30

A system and method enabling an entity to prove its identity and provide authentic documents/data/information at any time required, based upon data retrieved from an independent cryptographically verifiable source (ICVS) through a secured channel, is disclosed. The system enables a virtual and secure browser on a user computing device, allowing a user to log in and retrieve authentic information pertaining to the user from the ICVS in a verifiable and tamper-proof manner. The retrieved information is bound to origination information of the ICVS, and the bound information is provided to relying entities as authentic information for verification. Also, a cryptographic value of the authentic information can be stored in an immutable storage such as a blockchain, so that the cryptographic value can be used by the relying party to validate the integrity of the authentic information.

System and method for second factor authentication to perform services

A system and method are disclosed that leverage multi-factor authentication features of a service provider and intelligent call routing to increase security and efficiency at a customer call center. Pre-authentication of customer support requests reduces the potential for misappropriation of sensitive customer data during call handling. A contactless card uniquely associated with a client may provide a second factor of authentication via a backchannel to reduce the potential for malicious third-party impersonation of the client prior to transfer of the call to the customer call center. Pre-authorized customer support calls may be intelligently and efficiently routed directly to call center agents, without incurring further delay. During call handling, call center agents may initiate further client authentication processes, including contactless card authentication requests, over one or more different communication channels for authorizing access to sensitive information or to allay suspicion.