Patent classifications
H04L9/3228
USER AUTHENTICATION SYSTEM, USER AUTHENTICATION SERVER, AND USER AUTHENTICATION METHOD
A system which performs both identification and authentication of a user ID at the same time, with only one step of inputting a one-time password and without a separate step of inputting a user ID, is provided. A one-time password deriving rule, which generates a one-time password when applied to pattern elements at specific positions of a presentation pattern (a plurality of pattern elements arranged in a predetermined pattern and presented to the user to be authenticated), is set as the password of the user. The user is authenticated on the basis of a character string for authentication in which the user ID is embedded at a predetermined embedding position within the one-time password. In this event, the correct character string for authentication for the presented presentation pattern is generated as a verification code for every user ID, and if a verification code exists that matches the character string for authentication input by the user, user authentication of the user ID corresponding to that verification code is made successful.
Methods, systems, and computer readable media for single-use authentication messages
A method for creating single-use authentication messages includes creating, at a consumer network function of a core network of a telecommunications network, a message hash of at least a subset of a request message. The method includes adding, at the consumer network function, the message hash to a client credentials assertion (CCA) token for the consumer network function. The method includes sending, from the consumer network function, the request message with the CCA token to a producer network function.
System and method for enabling multiple auxiliary use of an access token of a user by another entity to facilitate an action of the user
A computing system may receive a request of the user for a first action of the user with an entity. In connection with granting the request of the user, the computing system may configure a token for use by the user and the entity such that (i) the entity is added as an approved entity, and (ii) the token is configured with a resource amount of the first action as a usage threshold of the token. The computing system may receive a request of the entity to use the token. The computing system may determine whether granting the request of the entity would cumulatively exceed the usage threshold of the token. Based on a determination that granting the request of the entity would not cumulatively exceed the usage threshold of the token, the computing system may grant the request of the entity to use the token.
REREGISTRATION OF CLIENT DEVICE WITH SERVER DEVICE USING USER DEVICE
Subsequent to registration of a client device with a server device such that credentials by which the client device is authenticated are securely stored at the client device, the client device provides a user device and a server device a recovery identifier and a recovery secret key associated with the client device. Upon the credentials no longer being stored at the client device such that the client device has to be reregistered with the server device to store new credentials by which the client device is authenticated, the user device generates and provides a recovery code to the client device, which provides the recovery code to the server device. Upon validating the recovery code based on the recovery identifier and the recovery secret key, the server device reregisters the client device with the server device such that the new credentials are securely stored at the client device.
Data provenance
Methods, systems, and devices for wireless communications are described. Aspects include a device generating data to be sent to a receiving device and determining to provide provenance for the data. The device may generate a data identifier based on an identifier generation key and encrypt the data using an encryption key generated from a key associated with an owner of the device. The device may sign the encrypted data transmission using a signing key, where the signing key is based on the encrypted data and the data identifier. In some cases, the device may send the data to a receiving device via one or more proxy devices. In some cases, multiple devices may send signed data transmissions to a proxy device, and the proxy device may process the multiple data transmissions and send the processed data to the receiving device. The receiving device may verify provenance of the data.
Unified system for authentication and authorization
A request is received from a trusted application to authorize a client application that requests a service offered by the trusted application. Whether the client application is authorized to access the trusted application is determined in view of the request. An authentication of a user of the client application is caused in response to determining the client application is authorized to access the trusted application. An authorization result is returned to the trusted application in view of the determining and the authentication.
Software credential token process, software, and device
Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received and after receiving the indication an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from a user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.
MULTIPLE DEVICE COLLABORATION AUTHENTICATION
An approach to multi-device collaboration authentication may be provided. The approach may include generating a password in response to a user requesting access to a service or application on a primary device. The approach may include dynamically determining whether secondary devices are located physically near the primary device. The generated password may be segmented into two or more parts, based on the number of secondary devices determined to be physically located near the primary device. One password segment can be sent to the primary device and another segment of the password can be sent to a secondary device determined to be physically near the primary device. The approach can include receiving the password segments in a prescribed manner to provide authentication and grant access to the requested application or service.
Secure communication channel with token renewal mechanism
One embodiment of the present invention includes a server machine configured to establish a secure communication channel with a client machine via renewable tokens. The server machine receives a plurality of messages from a client machine over a secure communication channel, where the plurality of messages includes a first message that includes at least two of user authentication data, entity authentication data, first key exchange data, and encrypted message data. The server machine transmits, to the client machine, a second message that includes a master token comprising second key exchange data associated with the first key exchange data and at least one of a renewal time and an expiration time.
SYSTEM AND METHOD OF AUTHENTICATING DEVICES FOR SECURE DATA EXCHANGE
A method of authenticating devices for secure data exchange. A system receives a scheduling request and generates a ledger of participants authorized to be admitted to a communication session during a time window. For each participant, the ledger includes a participant identifier, a participant key, and a meeting identifier corresponding to the communication session. The participant key and meeting identifier are encoded into a short-code which is redeemed, by the participants, for an access token authorizing a peer-to-peer connection between devices within a meeting room during the communication session. The participants include a host who has special privileges during the communication session, and one or more clients.