Abstract: Techniques are disclosed relating to authenticating a client computer system to a server computer system. In some embodiments, a client computer system sends, to a server computer system, authentication information for an initial access request for one or more resources. This information may include authentication credentials and attributes that collectively identify the client computer system. In some embodiments, the client computer system receives, from the server computer system, an authentication response that indicates an initial authentication of the client computer system. In some embodiments, the authentication response includes a cryptographic key. While the initial authentication is valid, in some embodiments, the client computer system repeatedly re-authenticates for subsequent access requests. Each of the subsequent access request may include a single-use password generated using a cryptographic key and the attributes of the client computer system.

Abstract: An embodiment of a system is disclosed in which a computer system may receive a sequence of failed login attempts to access a user account, and assess a risk level associated with the sequence of failed login attempts. The risk level may be assessed based on a plurality of characteristics of the sequence of failed login attempts. Based on the assessed risk level, the computer system may select a lockout policy that includes a lockout period. The computer system may determine that a lockout threshold, corresponding to a number of failed login attempts, has been reached. In response to determining that the lockout threshold has been reached, the computer system may prevent further login attempts during the lockout period. In addition, the computer system may permit subsequent login attempts after the lockout period has ended.

Abstract: Techniques are disclosed relating to authenticating a client computer system to a server computer system. In some embodiments, a client computer system sends, to a server computer system, authentication information for an initial access request for one or more resources. This information may include authentication credentials and attributes that collectively identify the client computer system. In some embodiments, the client computer system receives, from the server computer system, an authentication response that indicates an initial authentication of the client computer system. In some embodiments, the authentication response includes a cryptographic key. While the initial authentication is valid, in some embodiments, the client computer system repeatedly re-authenticates for subsequent access requests. Each of the subsequent access request may include a single-use password generated using a cryptographic key and the attributes of the client computer system.

Abstract: Techniques are disclosed relating to generating cryptographic keys using supplemental authentication data for use in user authentication. In one embodiment, an authentication application executing on a computing device may access an initial cryptographic key that is shared with an authentication server configured to authenticate a user of the computing device to a service provided by a server system. The authentication application may execute a routine to obtain a supplemental authentication data value that is not stored by the computing device prior to executing the routine. Further, the authentication application may generate an updated cryptographic key based on the initial cryptographic key and the supplemental authentication data value. In some embodiments, the authentication application may use the updated cryptographic key to generate a one-time passcode that, when communicated to an authentication server, is usable to authenticate the user to the service.