Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.

Abstract: Disclosed embodiments relate to systems and methods for securely and privately auditing web sessions. Techniques include receiving encrypted browser session data; storing the encrypted browser session data at a server; receiving an audit request associated with the stored encrypted browser session data; retrieving the stored encrypted browser session data based on the audit request; and transmitting the encrypted browser session data to an auditor endpoint device to enable access to the browser session data by the auditor endpoint device.

Abstract: Disclosed embodiments relate to systems and methods for securely establishing secretless and remote native access sessions. Techniques include identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; and authentication the client. The techniques may further include accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.

Abstract: Disclosed embodiments relate to systems and methods for security protection against threats to network identity providers. Techniques include identifying a first request from a client for access to a secure network resource; redirecting the client to an identity provider. The identity provider may be configured to authenticate the client and provide the client with data signed using a first identity provider key. Further techniques include identifying a second request from the client, the second request including a doubly-signed version of the data, verifying the doubly-signed version of the data using a second identity provider key corresponding to the first identity provider key and a second client key corresponding to the first client key; and allowing, conditional on a result of the verifying, the client to access the secure network resource.

Abstract: Disclosed embodiments relate to systems and methods for securely establishing secretless and remote native access sessions. Techniques include identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; and authentication the client. The techniques may further include accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.

Abstract: Disclosed embodiments relate to systems and methods for detecting and addressing security risks in remote native access sessions. Techniques include identifying a remote native access session between a client and a target resource. The techniques may further include identifying connection data associated with the remote native access session obtained by a connection agent, wherein the connection data originates from the client and from a mobile device associated with a user, and comprises data indicative of at least one of: hardware of the client or mobile device, configuration settings of the client or mobile device, and network connection attributes of the client or mobile device. Techniques may further include comparing a first portion of the connection data associated with the client with a second portion of the connection data associated with the mobile device; and determining, based on the comparing, a security risk associated with the remote native access session.

Abstract: Disclosed embodiments relate to systems and methods for securely establishing secretless and remote native access sessions. Techniques include identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; and authentication the client. The techniques may further include accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.

Abstract: Disclosed embodiments relate to systems and methods for securely and seamlessly provisioning credentials for use by personal computing devices. Techniques include obtaining a session identifier; making available an encoded representation to a personal computing device, the encoded representation encoding the session identifier; wherein the personal computing device is configured to: decode the encoded representation, access an identity credential stored on the personal computing device, encrypt the identity credential using a first cryptographic key, and send, to a mediator resource, the session identifier and the encrypted identity credential; receiving, from the mediator resource, the session identifier and the encrypted identity credential; and storing the encrypted identity credential.

Abstract: Disclosed embodiments relate to uniquely identifying and validating identities based on electronic file fingerprints. Techniques include identifying an identity associated with a computing device; accessing fingerprinting data associated with an electronic file stored on or transmitted from the computing device; generating, based on a diversity of different properties of the fingerprinting data, a profile for the electronic file; accessing a repository storing profiles corresponding to a plurality of identities; comparing the generated profile with one or more of the stored profiles; determining whether the generated profile matches a stored profile, from the repository of stored profiles, associated with the identity; and validating, conditional on the matching, the identity.

Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.

Abstract: Disclosed embodiments relate to systems and methods for security protection against threats to network identity providers. Techniques include identifying a first request from a client for access to a secure network resource; redirecting the client to an identity provider. The identity provider may be configured to authenticate the client and provide the client with data signed using a first identity provider key. Further techniques include identifying a second request from the client, the second request including a doubly-signed version of the data, verifying the doubly-signed version of the data using a second identity provider key corresponding to the first identity provider key and a second client key corresponding to the first client key; and allowing, conditional on a result of the verifying, the client to access the secure network resource.

Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.

Abstract: Disclosed embodiments relate to systems and methods for authentication through generating and communicating encoded representations containing unique application fingerprints, e.g., metadata. Techniques include receiving an access request, receiving application metadata, identifying a unique verification token, generating an encoded visual representation including the metadata and verification token, making available to the encoded visual representation for scanning by a user for verification of the metadata. Further techniques include requesting access to a secure resource, transmitting metadata, scanning an encoded visual representation including the metadata and a verification token, and sending the verification token to a security server to complete an authentication process.

Abstract: Disclosed embodiments relate to systems and methods for securely generating verifiable machine-readable visual codes. Techniques include identifying a data element to be made available to a computing device, generating a machine-readable visual code including the data element, making available the generated machine-readable visual code to a display medium, such that the generated machine-readable visual code can be decoded from the display medium to yield the data element and can be validated. The computing device's ability to interact with the data element may be conditioned on the validation of the data element being successful.

Abstract: Disclosed embodiments relate to systems and methods for security protection against threats to network identity providers. Techniques include identifying a first request from a client for access to a secure network resource; redirecting the client to an identity provider. The identity provider may be configured to authenticate the client and provide the client with data signed using a first identity provider key. Further techniques include identifying a second request from the client, the second request including a doubly-signed version of the data, verifying the doubly-signed version of the data using a second identity provider key corresponding to the first identity provider key and a second client key corresponding to the first client key; and allowing, conditional on a result of the verifying, the client to access the secure network resource.

Abstract: Disclosed embodiments relate to uniquely identifying and validating identities based on electronic file fingerprints. Techniques include identifying an identity associated with a computing device; accessing fingerprinting data associated with an electronic file stored on or transmitted from the computing device; generating, based on a diversity of different properties of the fingerprinting data, a profile for the electronic file; accessing a repository storing profiles corresponding to a plurality of identities; comparing the generated profile with one or more of the stored profiles; determining whether the generated profile matches a stored profile, from the repository of stored profiles, associated with the identity; and validating, conditional on the matching, the identity.

Abstract: Disclosed embodiments relate to systems and methods for securely and seamlessly provisioning credentials for use by personal computing devices. Techniques include obtaining a session identifier; making available an encoded representation to a personal computing device, the encoded representation encoding the session identifier; wherein the personal computing device is configured to: decode the encoded representation, access an identity credential stored on the personal computing device, encrypt the identity credential using a first cryptographic key, and send, to a mediator resource, the session identifier and the encrypted identity credential; receiving, from the mediator resource, the session identifier and the encrypted identity credential; and storing the encrypted identity credential.

Abstract: Disclosed embodiments relate to systems and methods for securely generating verifiable machine-readable visual codes. Techniques include identifying a data element to be made available to a computing device, generating a machine-readable visual code including the data element, making available the generated machine-readable visual code to a display medium, such that the generated machine-readable visual code can be decoded from the display medium to yield the data element and can be validated. The computing device's ability to interact with the data element may be conditioned on the validation of the data element being successful.

Abstract: Disclosed embodiments relate to systems and methods for securely communicating data via encoded scannable codes. Techniques include identifying data to be communicated, identifying fictive data, accessing a manipulation factor, generating a scannable code comprising codes corresponding to the data and fictive data manipulated according to the manipulation factor, and making the code available for decoding by a scanning device. Further techniques include scanning a scannable code via a scanning device, separating the scannable code into multiple codes according to a manipulation factor, decoding the code(s) corresponding to the data to obtain the data, and refraining from decoding the code(s) corresponding to the fictive data.

Abstract: Disclosed embodiments relate to adaptively and dynamically monitoring and managing a proximity status between securely communicating devices. Techniques include identifying a secure connection session established between an endpoint computing resource and an auxiliary computing device associated with a user; receiving real-time proximity data associated with at least one of the user or the auxiliary computing device; receiving proximity data associated with the endpoint computing resource; determining, based on the real-time proximity data associated with at least one of the user or the auxiliary computing device and the proximity data associated with the endpoint computing resource, whether at least one of the auxiliary computing device or the user has left the proximity to the endpoint computing resource; and implementing, based on the determining, an automatic session control action for the secure connection session.