Abstract: Methods, systems, and devices for phishing-resistant authenticator enrollment are described. An authentication service may encrypt a token that is usable for an initial enrollment of a user in an authenticator application. The authentication service may transmit a first payload to the user. The first payload includes at least the encrypted token. An authenticator application may receive, from the user, a request to initiate the initial enrollment of the user on a device. The request may include the encrypted token. The authentication service may enroll the user in the authenticator application on the device based on decryption of the encrypted token using an encryption key on a near-field communication (NFC) device.

Abstract: A client device that is not originally compliant with a particular security standard (e.g., FIPS) is brought into compliance through the addition of a standard-compliant software-based cryptographic library. In order to adapt the cryptographic library to integrate with the hardware-backed keystore, a non-hardware-backed software keystore is used to store keys used by the cryptographic library. Additionally, in order to provide appropriate security for the software keystore, the software keystore (and/or the keypairs within the software keystore) is protected by a password, and the password is in turn protected by the hardware-backed keystore. Thus, to obtain the password needed to obtain a keypair from the software keystore that is in turn needed to use the cryptographic library, a user must authenticate with the operating system, e.g., by providing biometric credentials.

Abstract: An authentication system supports multi-factor authentication (MFA) when authenticating the identity of a user. A challenge-response portion of the authentication process is delegated to an MFA device-a secondary device within control of the user, but separate from the primary login device that the user is using when initiating the authentication. Communications between the MFA device and the login device are conducted using a short-range wireless communication protocol (e.g., Bluetooth™ or NFC), so that the two devices must be in close physical proximity to each other.

Abstract: An authentication system supports multi-factor authentication (MFA) when authenticating the identity of a user. A challenge-response portion of the authentication process is delegated to an MFA device—a secondary device within control of the user, but separate from the primary login device that the user is using when initiating the authentication. Communications between the MFA device and the login device are conducted using a short-range wireless communication protocol (e.g., Bluetooth™ or NFC), so that the two devices must be in close physical proximity to each other.

Abstract: A client device that is not originally compliant with a particular security standard (e.g., FIPS) is brought into compliance through the addition of a standard-compliant software-based cryptographic library. In order to adapt the cryptographic library to integrate with the hardware-backed keystore, a non-hardware-backed software keystore is used to store keys used by the cryptographic library. Additionally, in order to provide appropriate security for the software keystore, the software keystore (and/or the keypairs within the software keystore) is protected by a password, and the password is in turn protected by the hardware-backed keystore. Thus, to obtain the password needed to obtain a keypair from the software keystore that is in turn needed to use the cryptographic library, a user must authenticate with the operating system, e.g., by providing biometric credentials.

Abstract: An authentication system supports multi-factor authentication (MFA) when authenticating the identity of a user. A challenge-response portion of the authentication process is delegated to an MFA device—a secondary device within control of the user, but separate from the primary login device that the user is using when initiating the authentication. Communications between the MFA device and the login device are conducted using a short-range wireless communication protocol (e.g., Bluetooth™ or NFC), so that the two devices must be in close physical proximity to each other.

Abstract: Assessing ransomware impact includes receiving an indication of a first plurality of files stored on a user device and a classification for each of the first plurality of files, determining a second plurality of files stored in a remote storage, wherein the second plurality of files corresponds to an indication of files stored on the user device at a first prior time, wherein each of the second plurality of files are associated with a second classification, determining a third plurality of files comprising files included in the first plurality of files and not included in the second plurality of files, and calculating a risk assessment based on classifications for each of the third plurality of files.

Abstract: Assessing ransomware impact includes receiving an indication of a first plurality of files stored on a user device and a classification for each of the first plurality of files, determining a second plurality of files stored in a remote storage, wherein the second plurality of files corresponds to an indication of files stored on the user device at a first prior time, wherein each of the second plurality of files are associated with a second classification, determining a third plurality of files comprising files included in the first plurality of files and not included in the second plurality of files, and calculating a risk assessment based on classifications for each of the third plurality of files.