Abstract: User authentication techniques are provided for multiple authentication sources and for non-binary authentication decisions. An authentication request is received from an application server to authenticate a user for access to a protected resource. Pre-flow rules and the authentication request are evaluated to dynamically determine a plurality of authentication servers to invoke for the authentication request and an order for the invocation. A first authentication server is contacted to obtain a first authentication result for the user. In-flow rules and the first authentication result are evaluated to determine if additional authentication of the user should be performed. A second authentication server is contacted based on the determined invocation order and/or a result of the in-flow rules to obtain a second authentication result for the user. Decision rules and the first and second authentication results are evaluated to determine an authentication decision.

Abstract: Techniques of detecting malicious events involve generating a relational graph of event data describing events that occur within a specified, limited time window. Along these lines, a malicious event detection computer receives event data describing interactions between entities such as users, devices, and network domains from various servers that occur within a specified time window. In response, the malicious event detection computer generates a relational graph that has graph structures (e.g., nodes and edges) representing these interactions. Analysis of patterns within the resulting relational graph indicates whether there is a malicious event occurring.

Abstract: Methods and apparatus are provided for multi-factor authentication of a user using beacon images. Access is provided to a protected resource by receiving a browser request for a beacon image, wherein the beacon image is embedded in an access request page (e.g., a login page) for the protected resource; collecting data in response to the browser request from a device associated with the browser; and providing the data for a risk assessment of the request. The beacon image comprises, for example, a substantially invisible image and can be loaded when the access request page is loaded in the browser or when a user submits credentials in the access request page.

Abstract: A technique authenticates a user. The technique involves receiving, by processing circuitry, a handwritten code. The technique further involves performing, by the processing circuitry, a set of assessment operations which includes (i) a handwriting evaluation to analyze a set of biometric handwriting aspects of the handwritten code and (ii) a code evaluation to analyze code accuracy of the handwritten code. The technique further involves providing, by the processing circuitry, an authentication result based on the set of assessment operations. Such a technique strengthens security by including a “who you are” factor (i.e., handwriting biometrics uniquely identify the genuine user).

Abstract: A method performed by a computing device is described. The method includes (a) receiving an authentication request from an application server seeking to authenticate a user for access to a service provided by the application server, (b) communicating with a first authentication server to obtain a first authentication of the user, (c) communicating with a second authentication server to obtain a second authentication of the user, the second authentication server being distinct from the first authentication server and the second authentication being of a type distinct from the first authentication, (d) rejecting the authentication request if and only if one or both of the first authentication and the second authentication is negative, and (e) upon rejecting the authentication request, sending a rejection message to the application server without informing the application server whether the first authentication or the second authentication was negative.

Abstract: A method includes (a) receiving, from an application server, a login message for a user, the login message including a user credential for a credential-based authentication (CBA), (b) forwarding the user credential to a CBA server for the CBA, (c) in response, receiving, an authentication decision message from the CBA server, (d) sending decision information from the authentication decision message received from the CBA server to a risk-based authentication (RBA) server, the RBA server being distinct from the CBA server, the decision information to be used by the RBA server in performing RBA authentication decisions, (e) if the authentication decision message is positive, then sending a challenge message to the application server to initiate RBA to be performed by the RBA server supplementary to the CBA, and (f) if the authentication decision message is negative, then sending a rejection message to the application server.

Abstract: Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.