Patents by Inventor Ariel Gordon

Ariel Gordon has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11153318
    Abstract: A limited purpose account can be provided to a legitimate user to avoid some types of anti-abuse mechanisms from being triggered when the user connects to an identity verifier using a username known to belong to a limited purpose account. A limited purpose account is an account in which certain privileges of ordinary use are disabled or curtailed. A limited purpose account may be an account that can only be used with a limited number of applications or for a limited amount of time, thus reducing the ability of the limited purpose user to gain unauthorized access to resources. The operating system can reset itself to a previous state when the account is disconnected or when the device is turned off.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: October 19, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Kristina Karen Hotz, Jesus Ferrer Labayen
  • Patent number: 11144365
    Abstract: The techniques disclosed herein enable systems to utilize the network effect of end-user viral adoption of collaborative services and applications hosted by multi-tenant computing systems. A system can achieve this by automatically clustering users who independently send requests to generate new tenants. A number of factors can enable a system to cluster users into a single tenant including characteristics of requests to generate new tenants and/or member identities received in association with requests to generate new tenants. Examples of request characteristics can include network addresses indicating a source of each request, a domain name or entity names received in association with a request, a rate in which requests are received, and/or heuristic techniques that utilize various combinations of these and other factors. The automatic selection of users for specific tenants allows a system to allow viral user adoption without a centralized IT manager.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: October 12, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Gordon, Balagopal Chenicheri, Megan M. Rawley
  • Publication number: 20210279511
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for training a neural network using consistency measures. One of the methods includes processing a particular training example from a mediator training data set using a first neural network to generate a first output for a first machine learning task; processing the particular training example in the mediator training data set using each of one or more second neural networks, wherein each second neural network is configured to generate a second output for a respective second machine learning task; determining, for each second machine learning task, a consistency target output for the first machine learning task; determining, for each second machine learning task, an error between the first output and the consistency target output corresponding to the second machine learning task; and generating a parameter update for the first neural network from the determined errors.
    Type: Application
    Filed: March 5, 2021
    Publication date: September 9, 2021
    Inventors: Ariel Gordon, Soeren Pirk, Anelia Angelova, Vincent Michael Casser, Yao Lu, Anthony Brohan, Zhao Chen, Jan Dlabal
  • Publication number: 20210136083
    Abstract: Techniques for managing access to content are provided that include receiving a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource; determining that a first user account associated with the user does not have an access privilege to access the resource; performing a nested access privilege check to determine whether the user is associated with a second user account that has the access privilege to access the resource; and granting via the communication network access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account and the second user account is associated with the access privilege to access the resource.
    Type: Application
    Filed: November 4, 2019
    Publication date: May 6, 2021
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Ariel GORDON, Somak BHATTACHARYYA, Manish SHUKLA
  • Publication number: 20210117728
    Abstract: A MapReduce-based training framework exploits both data parallelism and model parallelism to scale training of complex models. Particular model architectures facilitate and benefit from use of such training framework. As one example, a machine-learned model can include a shared feature extraction portion configured to receive and process a data input to produce an intermediate feature representation and a plurality of prediction heads that are configured to receive and process the intermediate feature representation to respectively produce a plurality of predictions. For example, the data input can be a video and the plurality of predictions can be a plurality of classifications for content of the video (e.g., relative to a plurality of classes).
    Type: Application
    Filed: October 18, 2019
    Publication date: April 22, 2021
    Inventors: Joonseok Lee, Balakrishnan Varadarajan, Ariel Gordon, Apostol Ivanov Natsev, Seong Jae Hwang
  • Publication number: 20210099868
    Abstract: Methods for authentication session transfer using application download links are performed by systems and devices. A user or administrator at a first device enables the user to use an application at the user's mobile device. The user or administrator provides a request for the mobile application from the first device to an identity service. The identity service generates a uniform resource locator (URL) that encodes an authentication object generated by the identity service that is specific to the user's identity, and provides the URL to the mobile device. The identity service receives the authentication object back from a browser session of the URL at the user device, and establishes an authenticated browser session of the URL using the authentication object. The identity service authenticates the user's identity for the mobile application responsive to the mobile application invoking the authenticated browser session at the user device.
    Type: Application
    Filed: September 30, 2019
    Publication date: April 1, 2021
    Inventors: Ibrahim A. Damlaj, Ariel Gordon, Sadie Elise Henry
  • Patent number: 10924578
    Abstract: Performing late binding of a social network identification (ID) to a guest ID for use in an identity platform. A guest ID is created for a second user that gives access to a shared application of an identity platform that is associated with a first user. Subsequent to creating the guest ID, permission is requested from the second user to bind social network IDs of social networks of which the second user is a member to the guest ID. In response to receiving permission, binding the social network IDs to the guest ID is performed. The binding gives the identity platform access to profile attributes of the second user from the social networks, and allows it to write information such as a merit badge back on the second user's social network profile. A federation binding may also be created that allows the second user to sign into the shared application using their social network ID.
    Type: Grant
    Filed: March 27, 2019
    Date of Patent: February 16, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Gordon, Ankur Patel, Benjamin R. Vincent
  • Publication number: 20210037004
    Abstract: Methods, systems and computer program products are provided for signing into multiple accounts with a single gesture. Multiple sessions may be generated for multiple user identities based on a single authentication gesture, such as providing a phone number or email and a texted or emailed one-time code or providing a fast online identity (FIDO) key and an unlock gesture. Resources, such as applications, need not, but may be multi-identity aware to support signing into multiple accounts with a single gesture. Users may utilize their multiple identities without any additional sign-ins. Resources or session managers may receive multiple session artifacts concurrently or separately without additional sign-ins. Resources may indicate a capability to receive multiple session artifacts, for example, in registration or call parameters. Multiple identities may be revealed only after verification, for example, to prevent divulging identities to third parties aware of usernames such as phone numbers and email addresses.
    Type: Application
    Filed: July 29, 2019
    Publication date: February 4, 2021
    Inventors: Ariel Gordon, Yordan I. Rouskov
  • Patent number: 10898811
    Abstract: Authenticating an E-tournament identity using personal identity credentials. A method includes determining that a gaming device is configured for use in an E-tournament. The method further includes receiving, from the device, user personal identity credentials. As a result, the method further includes signing in to an E-tournament identity using the personal identity credentials.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: January 26, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Gordon, Sarat Chandra Subramaniam, Benjamin Richard Vincent
  • Publication number: 20210014224
    Abstract: Methods, systems, apparatuses, and computer program products are provided for automatically determining a home realm. An authentication request receiver interface may receive a request to access a resource and a device identifier from a client device. An authenticator may be enacted in response to receiving the request to access the resource that includes a home realm discoverer and an authentication user interface (UI) provider. The home realm discoverer may determine, based at least on the device identifier, the home realm from a plurality of realms. The authentication UI provider may provide, to the client device, an authentication UI via which a flat-name username can be submitted. Based at least on a flat-name user name and the determined home realm, access to the resource may be granted. In this manner, a user may input a flat-name username during sign-in, rather than inputting a realm or an entire e-mail address.
    Type: Application
    Filed: July 10, 2019
    Publication date: January 14, 2021
    Inventors: Ariel Gordon, Paul Garner, Rachel Anne Brown Teller
  • Publication number: 20200412732
    Abstract: A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.
    Type: Application
    Filed: September 20, 2019
    Publication date: December 31, 2020
    Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Arvind Muthukrishnan, Mansoor Jafry, Ramakrishna Juluri, Ariel Gordon
  • Patent number: 10862681
    Abstract: An identity provider IP service provides an optimized sign out experience for a user accessing a single account service. The IP service designates a first account of a service as signed in based on first credentials provided by a user. The IP service provides a first security token for the first account to the service. Upon receiving a first sign out notification, the IP service determines whether the user wants to switch to a second account of the service. Upon determining that the user wants to switch to the second account, the IP service designates the second account as signed in based on second credentials provided by the user, provides a second security token for the second account to the service, and designates the first account as soft signed out so that the user can switch to the first account without re-providing the first credentials.
    Type: Grant
    Filed: April 4, 2017
    Date of Patent: December 8, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Gordon, John H. Forrest, Jason Walter
  • Publication number: 20200314202
    Abstract: Performing late binding of a social network identification (ID) to a guest ID for use in an identity platform. A guest ID is created for a second user that gives access to a shared application of an identity platform that is associated with a first user. Subsequent to creating the guest ID, permission is requested from the second user to bind social network IDs of social networks of which the second user is a member to the guest ID. In response to receiving permission, binding the social network IDs to the guest ID is performed. The binding gives the identity platform access to profile attributes of the second user from the social networks, and allows it to write information such as a merit badge back on the second user's social network profile. A federation binding may also be created that allows the second user to sign into the shared application using their social network ID.
    Type: Application
    Filed: March 27, 2019
    Publication date: October 1, 2020
    Inventors: Ariel GORDON, Ankur PATEL, Benjamin R. VINCENT
  • Patent number: 10749875
    Abstract: Described technologies enhance cybersecurity and facilitate computing system account usage by configuring a primary account and a supplementary account together in a security configuration lifecycle. The primary account user may be a parent or other adult, while the supplementary account user may be a child or other person with less capacity than the primary user. Over time, the accounts may transition together through security configurations to give more capabilities to the supplementary user, e.g., login separate from the primary user, and to reduce the control of the primary user over the supplementary account. Security configuration lifecycle stages are implemented, e.g., using capability-security pair data structures and account security configuration code. Despite the security configuration linkage of the accounts, each account may have its own personalized content and its own recommendation history.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: August 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Benjamin Vincent, Ariel Gordon
  • Patent number: 10693882
    Abstract: The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: June 23, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Ariel Gordon, Sarat Chandra Subramaniam, Yordan I. Rouskov, Paul H. J. Garner, Benjamin R. Vincent
  • Publication number: 20200171390
    Abstract: Authenticating an E-tournament identity using personal identity credentials. A method includes determining that a gaming device is configured for use in an E-tournament. The method further includes receiving, from the device, user personal identity credentials. As a result, the method further includes signing in to an E-tournament identity using the personal identity credentials.
    Type: Application
    Filed: November 29, 2018
    Publication date: June 4, 2020
    Inventors: Ariel GORDON, Sarat Chandra SUBRAMANIAM, Benjamin Richard VINCENT
  • Publication number: 20200169558
    Abstract: A limited purpose account can be provided to a legitimate user to avoid some types of anti-abuse mechanisms from being triggered when the user connects to an identity verifier using a username known to belong to a limited purpose account. A limited purpose account is an account in which certain privileges of ordinary use are disabled or curtailed. A limited purpose account may be an account that can only be used with a limited number of applications or for a limited amount of time, thus reducing the ability of the limited purpose user to gain unauthorized access to resources. The operating system can reset itself to a previous state when the account is disconnected or when the device is turned off.
    Type: Application
    Filed: November 26, 2018
    Publication date: May 28, 2020
    Inventors: Ariel GORDON, Kristina Karen HOTZ, Jesus Ferrer LABAYEN
  • Patent number: 10630676
    Abstract: A sign-in system can be protected against enumeration attacks while providing an improved sign-in experience for legitimate users by disclosing whether or not an account exists. An account within a specified domain can be identified by an account identifier such as a username. Before a threshold throttling value is reached, account existence/non-existence information can be provided in response to an access request. In response to reaching or exceeding a specified threshold throttling value, account existence/non-existence information can cease to be provided. Entering a valid account identifier/authenticating credential pair provides access to the computer system regardless of whether or not the threshold was reached or exceeded.
    Type: Grant
    Filed: November 24, 2017
    Date of Patent: April 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Timothy Colin Larson
  • Publication number: 20200053166
    Abstract: Heuristics can be used to determine if an alternate behavior is desired on a particular mobile device to enable one-touch sign-out. The alternate behavior can be the appearance of a sign-out experience and mechanism. For example, instead of a “sign out” link appearing, an “end of shift” link can be displayed. Heuristics can be used to determine if a particular mobile device is a shared device. If the device is a shared device, this information can be made discoverable to mobile applications (e.g. by including a “shared device” flag in authentication tokens). When a mobile application finds the shared device flag indicates the device is shared, the “Sign-out” link for the mobile application can be replaced with an “End my shift” link. In response to a user clicking on the link, a global sign out can delete session artifacts on the device and/or on the server. Refresh tokens can be revoked to ensure that a user is signed out of third party mobile applications.
    Type: Application
    Filed: August 10, 2018
    Publication date: February 13, 2020
    Inventors: Ariel GORDON, Brandon WERNER
  • Patent number: 10542010
    Abstract: Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: January 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, John Erik Araya