Abstract: Policy-based techniques are provided for dynamic access control for resources. One method comprises, upon a user attempt to access a given resource, identifying a policy defined for access to the given resource, wherein the policy comprises a rule and an allowed issuer of a verifiable claim; determining if the rule and the allowed issuer are satisfied based on an evaluation of the verifiable claim; and allowing the user to access the given resource if the rule and the allowed issuer are satisfied. A given rule can specify a threshold for a data item obtained from an allowed issuer. The policy can be stored by one or more policy hubs. A plurality of policy hubs can be organized in a hierarchical structure, such that one given policy is applied to the given resource in a predictable manner.

Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.

Abstract: Techniques are provided for question delegation and security enforcement. One exemplary method comprises providing a third party with a question obtained from a user and a corresponding user security policy; providing a security policy response from the third party to the user indicating an acceptance of the corresponding user security policy or any proposed modifications to the corresponding user security policy for the question; performing the following steps once there is an agreement between the user and the third party regarding an accepted security policy for the question: monitoring responses to the question; enforcing directives within the accepted security policy for the question, wherein the directives comprise one or more triggers mapped to a security control and/or a compliance control for the question, and wherein each trigger has a corresponding predefined enforcement action; and performing the corresponding predefined enforcement action when a given trigger is detected.

Abstract: Techniques are provided for access controls for question delegation environments. One method comprises obtaining a security policy for a question obtained from a user; monitoring responses to the question; and enforcing, by a third-party portal processing system, access controls within the security policy for data associated with the question and/or the responses to the question, wherein the access controls comprise one or more restrictions with respect to a time duration to access the data and/or a number of people that may access the data. The third-party portal processing system evaluates whether the time duration to access the data has expired before providing access to the data and/or whether the number of people that may access the data has been exceeded before providing access to the data. A client-side encryption of the data is optionally performed by a provider of the data.

Abstract: Techniques are provided for client-driven shared secret updates for client authentication. One method comprises, in response to a first authentication of a client by a server using a given shared secret, updating, by the client, the given shared secret to generate an updated shared secret and storing the updated shared secret with the server; and submitting the updated shared secret to the server as part of a second authentication of the client. The updating is optionally performed by one or more of a password vault and a browser extension. The client may randomly select the updated shared secret or compute the updated shared secret in a predefined manner. The server may evaluate whether the client stores the updated shared secret with the server in connection with the first authentication and implement one or more predefined steps when the updated shared secret is not stored with the server.

Abstract: Techniques are provided for user authentication using a location assurance based on a location indicator modified by a shared secret. One method comprises obtaining a shared secret; initiating a challenge in connection with an authentication request by a client from a given location to access a protected resource, wherein the challenge comprises a location indicator selected for the given location; processing a response submitted by the client in response to the challenge, wherein the response comprises the location indicator for the given location modified by the client with the shared secret, and wherein the processing comprises evaluating the response submitted by the client relative to the location indicator selected by the authentication server; and resolving the authentication request based on the evaluating. The client modification of the selected location indicator with the shared secret comprises, for example, decrypting, filtering and/or altering the location indicator based on the shared secret.

Abstract: Techniques are provided for identity assurance using a posture profile. One method comprises obtaining a posture profile of a user indicating a behavior of the user while sitting in a seat and/or standing on a mat; performing the following steps, in response to a request of the user to obtain access to a protected resource: receiving identity assurance information comprising: (i) configuration information about a configuration of the seat and/or the mat at a time of the request of the user; and/or (ii) user information about the user one or more of: sitting in the seat and standing on the mat at the time of the request of the user; determining if the identity assurance information satisfies a predefined identity assurance criteria; and providing an identity assurance result.

Abstract: Techniques are provided for automatically assigning tasks of a collaborative project, such as questions within a risk assessment, to users. One method comprises obtaining a description of multiple tasks of a collaborative project; obtaining a first vector representation of a context of at least one of the tasks; obtaining a second vector representation of a context of at least one user; determining a similarity between one or more first vector representations and one or more second vector representations using one or more similarity criteria. The first and second vector representations may be obtained using natural language processing techniques, word embeddings that translate words into at least one vector, term frequency-inverse document frequency vectorization techniques, and/or a bag-of-words model.

Abstract: Techniques are provided for policy-based completion of risk assessments. One method comprises obtaining, from a risk assessment creator, a risk assessment comprising a question and a corresponding risk assessment completion policy for the question, wherein the question is processed by a risk assessment completion processing system in accordance with the corresponding risk assessment completion policy and the corresponding risk assessment completion policy comprises a trigger and one or more corresponding actions to perform when the trigger is satisfied; monitoring, by the risk assessment completion processing system, one or more responses from a risk assessment responder to the at least one question; and performing the one or more corresponding actions when the is detected. For multiple questions, the corresponding risk assessment completion policy may prioritize the multiple questions. For multiple triggers, the corresponding actions may be performed when any one of the multiple triggers is satisfied.

Abstract: Techniques are provided for authenticating a user using molecular snapshots of the user. One method comprises obtaining enrollment information of a user, wherein the enrollment information comprises a reference molecular snapshot of the user obtained following an ingestion by the user of nanoparticles; initiating a challenge to the user in connection with an authentication request by the user to access a protected resource; processing a responsive molecular snapshot obtained in response to the challenge, wherein the processing comprises evaluating the responsive molecular snapshot obtained in response to the challenge relative to the reference molecular snapshot; and resolving the authentication request based on the evaluating. The ingested nanoparticles optionally target one or more predefined cell types, and wherein the resolving further comprises the step of evaluating a ratio of cell types in the responsive molecular snapshot.

Abstract: Techniques are provided for authenticating a user using shared secret seed updates for one-time passcode (OTP) generation. One method comprises, in response to a first authentication of a client using a given OTP derived from a given shared secret seed, updating, by a server, the given shared secret seed using the given OTP and/or a timestamp from the first authentication to generate an updated given shared secret seed; and evaluating a second authentication using a new OTP derived from the updated given shared secret seed. An anomaly may be detected when the client attempts the second authentication using an OTP and the server determines that the OTP was generated by a previously used shared secret seed. The server may store a set of previously accepted OTPs, and evaluate the previously accepted OTPs to validate the new OTP.

Abstract: Techniques are provided for producing adaptive and verifiable bills of materials. One method comprises obtaining a verifiable claim associated with a device issued by a supplier of the device, wherein the verifiable claim comprises a decentralized identity for the device with corresponding public attributes; and verifying the verifiable claim for the device using the decentralized identity for the verifiable claim and the corresponding public attributes obtained from a distributed ledger. The verifying comprises, for example, reading a public key from the distributed ledger and verifying a digital signature of the verifiable claim using the public key. The verifiable claim for a given part may comprise a part status and when the part status of the given part indicates a recalled status, one or more predefined recall policies are applied for the given part and/or a device comprising the given part.

Abstract: Techniques are provided for access controls for question delegation environments. One method comprises obtaining a security policy for a question obtained from a user; monitoring responses to the question; and enforcing, by a third party portal processing system, access controls within the security policy for data associated with the question and/or the responses to the question, wherein the access controls comprise one or more restrictions with respect to a time duration to access the data and/or a number of people that may access the data. The third party portal processing system evaluates whether the time duration to access the data has expired before providing access to the data and/or whether the number of people that may access the data has been exceeded before providing access to the data. A client-side encryption of the data is optionally performed by a provider of the data.

Abstract: Policy-based techniques are provided for dynamic access control for resources. One method comprises, upon a user attempt to access a given resource, identifying a policy defined for access to the given resource, wherein the policy comprises a rule and an allowed issuer of a verifiable claim; determining if the rule and the allowed issuer are satisfied based on an evaluation of the verifiable claim; and allowing the user to access the given resource if the rule and the allowed issuer are satisfied. A given rule can specify a threshold for a data item obtained from an allowed issuer. The policy can be stored by one or more policy hubs. A plurality of policy hubs can be organized in a hierarchical structure, such that one given policy is applied to the given resource in a predictable manner.

Abstract: Techniques are provided for question delegation and security enforcement. One exemplary method comprises providing a third party with a question obtained from a user and a corresponding user security policy; providing a security policy response from the third party to the user indicating an acceptance of the corresponding user security policy or any proposed modifications to the corresponding user security policy for the question; performing the following steps once there is an agreement between the user and the third party regarding an accepted security policy for the question: monitoring responses to the question; enforcing directives within the accepted security policy for the question, wherein the directives comprise one or more triggers mapped to a security control and/or a compliance control for the question, and wherein each trigger has a corresponding predefined enforcement action; and performing the corresponding predefined enforcement action when a given trigger is detected.

Abstract: Techniques are provided for identity assurance using a posture profile. One method comprises obtaining a posture profile of a user indicating a behavior of the user while sitting in a seat and/or standing on a mat; performing the following steps, in response to a request of the user to obtain access to a protected resource: receiving identity assurance information comprising: (i) configuration information about a configuration of the seat and/or the mat at a time of the request of the user; and/or (ii) user information about the user one or more of: sitting in the seat and standing on the mat at the time of the request of the user; determining if the identity assurance information satisfies a predefined identity assurance criteria; and providing an identity assurance result.

Abstract: Techniques are provided for client-driven shared secret updates for client authentication. One method comprises, in response to a first authentication of a client by a server using a given shared secret, updating, by the client, the given shared secret to generate an updated shared secret and storing the updated shared secret with the server; and submitting the updated shared secret to the server as part of a second authentication of the client. The updating is optionally performed by one or more of a password vault and a browser extension. The client may randomly select the updated shared secret or compute the updated shared secret in a predefined manner. The server may evaluate whether the client stores the updated shared secret with the server in connection with the first authentication and implement one or more predefined steps when the updated shared secret is not stored with the server.

Abstract: Techniques are provided for authenticating a user using shared secret seed updates for one-time passcode (OTP) generation. One method comprises, in response to a first authentication of a client using a given OTP derived from a given shared secret seed, updating, by a server, the given shared secret seed using the given OTP and/or a timestamp from the first authentication to generate an updated given shared secret seed; and evaluating a second authentication using a new OTP derived from the updated given shared secret seed. An anomaly may be detected when the client attempts the second authentication using an OTP and the server determines that the OTP was generated by a previously used shared secret seed. The server may store a set of previously accepted OTPs, and evaluate the previously accepted OTPs to validate the new OTP.

Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.

Abstract: Techniques are provided for user authentication using a location assurance based on a location indicator modified by a shared secret. One method comprises obtaining a shared secret; initiating a challenge in connection with an authentication request by a client from a given location to access a protected resource, wherein the challenge comprises a location indicator selected for the given location; processing a response submitted by the client in response to the challenge, wherein the response comprises the location indicator for the given location modified by the client with the shared secret, and wherein the processing comprises evaluating the response submitted by the client relative to the location indicator selected by the authentication server; and resolving the authentication request based on the evaluating. The client modification of the selected location indicator with the shared secret comprises, for example, decrypting, filtering and/or altering the location indicator based on the shared secret.