Abstract: Disclosed are various embodiments for an authentication manager. The authentication manager performs a certificate validation for a network site. If the certificate validation is successful, the authentication manager automatically provides a security credential to the network site.

Abstract: A user password is obfuscated using a first obfuscation algorithm and stored. A security module receives a password from a user a first time and, in response thereto, obfuscates the password using a second obfuscation algorithm and stores the obfuscated password. The security module subsequently receives the password from the user a second time. In response thereto, the security module obfuscates the password using the second algorithm a second time and compares the results of the obfuscation with the stored password obfuscated using the second algorithm. If the results of the obfuscation and the stored password obfuscated using the second algorithm match, the security module replaces the stored password obfuscated using the first algorithm with the password obfuscated using the second algorithm. The operations are performed transparently to the user associated with the password.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server stores data in association with entity identifiers, each entity identifier represents an entity of the content server. The content server may send anonymized responses to requests for data from multiple services. The anonymized responses comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. Each anonymous identifier represents an entity associated with the data requested. The requesting services may each receive a different anonymous identifier representing a single entity.

Abstract: Disclosed are various embodiments for an authentication manager. A security credential is generated based at least in part on a security credential specification associated with a network site. The security credential and a domain name associated with the network site are stored. The security credential is provided to the network site when a domain name associated with a trusted certificate provided by the network site matches the stored domain name.

Abstract: Cross Site Request Forgery (CSRF) and other types of fraudulent submission in an electronic environment can be mitigated using state information that typically is already maintained for various users. Each submission requiring authentication includes a state identifier (ID). The state ID is compared to corresponding a state ID submitted in a relatively secure format, such as in a secure token or cookie. If the state ID matches a state ID in the secure token received from the user, and the state ID is valid, the submission is processed. Otherwise an interstitial page, including the state ID and a secure token, is generated to prompt the user to confirm the submission. A subsequent confirmation submission will contain the proper state ID and the new cookie, and can be processed. If no confirmation is received from the user with a valid state ID, the submission is not processed.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. A request from a user is obtained, where the request pertains to an operation on a network site. An authentication duration for the user is determined, based on a risk to the user of performing the operation. A determination is made whether a current session associated with the user has expired, based on the authentication duration. The operation requested by the user is performed in response to the determination that the current session associated with the user has expired.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. An identification of a user account is obtained from a user, and a minimum confidence threshold is determined. Multiple authentication questions are presented to the user, where the authentication questions are determined based at least in part on stored transaction information associated with the user account. Answers are obtained from the user to a subset of the questions, with each answer having a corresponding authentication point value. A confidence score is generated for the user, where the confidence score is increased by the respective authentication point values of the correct answers. Access by the user to a resource associated with the user account is authorized in response to determining that the confidence score meets the minimum confidence threshold.

Abstract: A secure key distribution server (SKDS) determines identity of a requesting server without use of a shared secret by resolving the fully qualified domain name (FQDN) to a network address and comparing it with the network address of a key request. A credential string may also be used as part of the identification. Once identity is established, keys may be securely distributed. The SKDS may also be implemented in a peer-to-peer configuration.

Abstract: Financial transactions, such as buying and selling, may be facilitated by merchant-based shadow account numbers. A master account may contain several associated shadow accounts. Each shadow account may in turn be associated with a specific merchant or group of merchants. Merchants and users may store and use the shadow account numbers rather than the master account numbers. Stolen or otherwise compromised shadow account numbers are useless with other non-associated merchants. Furthermore, the shadow numbers may be easily invalidated while leaving the master account untouched.

Abstract: Cross Site Request Forgery (CSRF) and other types of fraudulent submission in an electronic environment can be mitigated using state information that typically is already maintained for various users. Each submission requiring authentication includes a state identifier (ID). The state ID is compared to corresponding a state ID submitted in a relatively secure format, such as in a secure token or cookie. If the state ID matches a state ID in the secure token received from the user, and the state ID is valid, the submission is processed. Otherwise an interstitial page, including the state ID and a secure token, is generated to prompt the user to confirm the submission. A subsequent confirmation submission will contain the proper state ID and the new cookie, and can be processed. If no confirmation is received from the user with a valid state ID, the submission is not processed.

Abstract: A system and method that utilizes clean groups for reducing security management complexity. The system reduces the complexity of managing security technologies by automatically assigning objects such as computers or persons to clean groups which are defined by existing management infrastructure. In an embodiment where members are computers, ongoing automatic efforts ensure that clean groups include only computers that satisfy specified security principles, which allows administrators to treat all computers that are in compliance as a group. Separately, the members of the clean group are required to implement self-governance, which is an ability to detect being compromised and to take steps to remove themselves from the clean group when they are compromised. In addition to attempting to remove itself from the clean group, a compromised computer may take additional steps aimed at minimizing further damage, such as erasing or hiding computer domain credentials, hiding/protecting/disabling cryptographic (e.g.

Abstract: Systems and methods for password protection are described. In one aspect, an asymmetric key pair is deterministically formed by combining a password and other data. The public key of the asymmetric key pair is exported to an external device. The private key of the asymmetric key pair is used to effect subsequent authentications to the external device.

Abstract: A client quarantine agent requests bill of health from a quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health. If the bill of health is valid, the client is admitted to the network. If the bill of health is invalid, the client is placed in quarantine.