Abstract: Techniques are described herein for performing authentication, and also “eager” or “lazy” fetch of data, for restricted webpages based on the restricted webpages being associated with an authentication tier in an AASD registry. Inclusion of a restricted webpage in the AASD registry enables AASD-based authentication for the webpage. According to embodiments, information for a restricted webpage included in the AASD registry includes one or more of the following for the webpage: an identifier, an authentication level, allowed fields, eager fetch fields, one or more sources for one or more fields, etc. When information for a webpage is included in the AASD registry, that information is used to perform eager fetch for one or more fields of the webpage that are not associated with authentication requirements indicated in the AASD registry information, or whose authentication requirements are already fulfilled by the requesting client.

Abstract: Techniques are described for reducing the number of transactions required to perform operations for services that support many-to-many relationships between entities. A one-to-many operation that involves an entity of a first type and multiple entities of a second type may be performed in two asynchronous phases: a one-to-intermediary phase and an intermediary-to-many phase. During the one-to-intermediary phase, a single transaction is performed between the entity of the first type and an intermediary. During the intermediary-to-many phase, a distinct transaction is performed between the intermediary and each of the entities of the second type that are involved in the one-to-many operation. The transaction performed for a particular entity of the second type during the intermediary-to-many phase may aggregate all changes that affect the particular entity, thereby significantly reducing the number of transactions performed by the system.

Abstract: Techniques are described herein for using special session identifiers to defer additional authentication steps (AAS) for at least some restricted application actions. A client session is associated with a special session identifier that is mapped to an authentication tier (AT) achieved for the session based on the satisfied authentication steps. Web servers that are enabled for AAS deferral include context information, which identifies a requested action, with session verification requests to an authentication service. The authentication service determines that AAS is required to perform an action when (a) the AT associated with the action is a higher-security tier than the AT associated with the session, or (b) the session is associated with an AT that is lower than the highest-security AT and there is no context information accompanying the request for session validation, in which case the authentication service assumes that the highest-security AT is required to perform the request.

Abstract: Techniques for automatically attaching optical character recognition data to images are provided. The techniques include receiving an image file containing an image and performing optical character recognition on the image to generate text output. The techniques then continue by identifying a particular text item from within the generated text output and determining that the particular text item is a value for particular corresponding key. Then metadata that indicates that the particular text item is a value for the particular key is stored in the image file.

Abstract: Techniques are provided for tracking a number of transactions-of-interest in a transaction-recording blockchain using a control blockchain. A transaction-of-interest is a transactions that is in a particular state. A request to perform an action is received. Upon receiving the request and determining that the action corresponds to a new transaction-of-interest, a control blockchain is checked to determine the current number of transactions-of-interest in the transaction-recording blockchain and maximum allowed number of transaction-of-interest for the transaction-recording blockchain. In response to determining that the current number of transaction-of-interest in the transaction-recording blockchain are less than the maximum allowed: allowing the action to occur, adding a new block to the transaction-recording blockchain, and updating the control blockchain to indicate the new number of transaction-of-interest.

Abstract: Techniques are disclosed for determining the authenticity of a digital-origin document based, at least in part, on the code of the document. By determining authenticity based on the code of the document, authentication may take into account several features that are not detectable on the rendered image of a digital-origin document. The document class of a target document is initially determined. Anomalies are then detected in the code using various detectors, including but not limited to metadata-based detectors and content-based detectors. The output of the detectors may be combined to generate a document anomaly score that indicates likelihood that the document is not authentic.

Abstract: Techniques are described herein for performing key rotation and key replacement. In an embodiment, a request is received that specifies key names. A first set of messages is generated, where each message identifies a table that is associated with the encrypted-data locations, and stored in a queue for processing by a first plurality of worker processes. Each worker process retrieves a message from the queue and generates a second message that identifies a subset of encrypted data records from the table. Each second message is stored in a distinct queue which is assigned to a worker process of a second plurality of worker processes. Each worker process retrieves the message from the assigned queue, decrypts the subset of encrypted data records, re-encrypts the decrypted data records using a new encryption key that corresponds to a new key name, and stores the re-encrypted data records in a database.

Abstract: Techniques are described herein for selecting an optimal financial account for a financial transaction. In an embodiment, a multi-account payment card is used to initiate a financial transaction. Transaction information of the financial transaction including a multi-account payment card ID is transmitted to a server for processing. The server determines that the multi-account payment card ID is associated with a plurality of financial accounts, wherein each of the plurality of financial accounts is associated with any one of a credit card, a debit card, an automatic teller machine (ATM) card, a gift card, or a credit line. A financial account of the plurality of financial accounts is selected by the server based on financial account information, such as reward information, associated with the plurality of financial accounts and the transaction information of the financial transaction. The financial transaction is then charged to the selected financial account.

Abstract: Techniques are described herein for performing authentication, and also “eager” or “lazy” fetch of data, for restricted webpages based on the restricted webpages being associated with an authentication tier in an AASD registry. Inclusion of a restricted webpage in the AASD registry enables AASD-based authentication for the webpage. According to embodiments, information for a restricted webpage included in the AASD registry includes one or more of the following for the webpage: an identifier, an authentication level, allowed fields, eager fetch fields, one or more sources for one or more fields, etc. When information for a webpage is included in the AASD registry, that information is used to perform eager fetch for one or more fields of the webpage that are not associated with authentication requirements indicated in the AASD registry information, or whose authentication requirements are already fulfilled by the requesting client.

Abstract: Techniques are described herein for using special session identifiers to defer additional authentication steps (AAS) for at least some restricted application actions. A client session is associated with a special session identifier that is mapped to an authentication tier (AT) achieved for the session based on the satisfied authentication steps. Web servers that are enabled for AAS deferral include context information, which identifies a requested action, with session verification requests to an authentication service. The authentication service determines that AAS is required to perform an action when (a) the AT associated with the action is a higher-security tier than the AT associated with the session, or (b) the session is associated with an AT that is lower than the highest-security AT and there is no context information accompanying the request for session validation, in which case the authentication service assumes that the highest-security AT is required to perform the request.

Abstract: Techniques are described herein for dynamically-tiered authentication, which allows the authentication tier (AT) associated with a session to be automatically downgraded based on the session satisfying one or more downgrade criteria. Automatically downgrading a session eliminates some authentication-based privileges for the session without eliminating all privileges for the session. A session satisfies downgrade criteria based on: an explicit request for session downgrading; client interaction with the application; and/or activity on the device on which the client runs. For example, if a client authenticates to a third AT, but only performs actions in the application that are associated with the first AT during a pre-defined amount of time, the AT associated with the session is automatically downgraded. The session is either downgraded from the third AT to the first AT, or downgraded in intervals until the current or more recently accessed tiers are consistent with the current AT of the session.

Abstract: Techniques are provided for using tokenization in conjunction with “behind-the-wall” JWT authentication. “Behind-the-wall” JWT authentication refers to JWT authentication techniques in which the JWT stays exclusively within the private network that is controlled by the web application provider. Because the JWT stays within the private network, the security risk posed by posting the JWT in a client cookie is avoided. However, because JWT is used behind-the-wall to authenticate a user with the services requested by the user, the authentication-related overhead is significantly reduced.

Abstract: Techniques are described for extracting key values from a document without having to rely on finding corresponding labels for the target keys within the extracted text of the document. Further the techniques do not rely on knowledge of the correlation between (a) the location of labels within a document, and (b) the location of the key values that correspond to the labels. Key values are extracted from a document by, identifying candidate values within the document, establishing “joint-candidate” sets from those candidate values, and using a trained machine learning mechanism to score each joint-candidate set of values. The highest scoring joint-candidate set is deemed to reflect the correct mapping of candidate values to target keys for the document.

Abstract: Techniques are described herein to handle situations in which multiple systems can change different copies of the same data item. Optimistic locking and time stamps are used to ensure consistency between the systems without incurring the performance penalties associated with two-phase commit. Specifically, when propagating a change to a data item from a first system to a second system, the second system compares the first system's “pre-update” value of the data item with its current value of the data item. If the pre-update value from the first system does not match the current value in the second system, then a conflict has occurred. Upon detecting a conflict, both systems use timestamps associated with the respective conflicting changes to determine which conflicting change “wins”. The winning change is applied by all systems whose changes did not win.

Abstract: Techniques are provided for recording, in an audit log data store, log records that satisfy one or more audit log rules. Audit log rules may be associated with one or more context attributes. Specifically, based on the context attribute of a given rule, embodiments store, in the audit log data store, additional log records that are associated with the context attribute value from log records that satisfied the rule. Because a context attribute may span multiple systems that implement a multi-system operation, the information in the audit log data store may include cross-system contextual information for changes that are of interest to administrators. The audit log data store may be efficiently queried to provide information regarding multi-system operations because of the targeted nature of the audit log data gathering techniques. Automatically-generated indexes on audit log data provide additional efficiency gains for executing queries over the audit log data.

Abstract: Proof-of-Dynamic-Quorum is a consensus mechanism for blockchain networks that selects a dynamic quorum of nodes to validate a proposed block based on digital data included in the proposed block. In an embodiment, a request to add a proposed block to a blockchain is received by a node of a blockchain network. A composite key value is generated based on one or more values within the proposed block. Based on a composite-key-value-to-quorum-participants mapping that is indicated in one or more blocks that are already present in the blockchain, a validating quorum is determined to determine whether the proposed block is to be added to the blockchain. When each node of the validating quorum indicates that the proposed block is accepted, the receiving node writes the proposed block to the blockchain. Proof-of-Dynamic-Quorum enables real-world authority data to be considered when performing a consensus algorithm in a blockchain network.