Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identify. A server is described that receives a service request to access a secure service provided by another service provider. The server may determine whether an additional secure service is required from a third-party server, and if so, generate a recursive authentication token for delivery to the third-party server. The recursive authentication token is intended to authenticate an identity of the server to the third-party server.

Abstract: A method of interpreting an authorization token is described herein. The service can receive an authorization token from a client device, and validate a signature of the authorization token. The service can identify an allowed function value associated at least part of an entitlement representation contained in a body of the authorization token. The service can convert the allowed function value to an allowed function bitmask that includes bits at a plurality of bit positions that are set to values indicating whether the subscriber element has attributes associated with each of the plurality of bit positions on a predefined attribute list. The service can determine whether the allowed function bitmask indicates that the subscriber element has one or more qualifying attributes that entitle a user of the client device to access the service.

Abstract: This disclosure describes techniques that permit a user of a client device to authenticate their identity to a service provider using location-based telemetry data associated with the client device that is captured unobtrusively by a service provider over a predetermined time interval. More specifically, a Location-based identity authentication (LIA) system is described that is configured to develop authentication challenges that are based on the location-based telemetry data, such as location data, transaction data, calendar data, and event data. In one example, a client device may transmit an authentication request that relates to a set of service features available to a user identity. The LIA system may transmit a subset of the authentication challenges to the client device to authenticate the user identity. The LIA system may further receive to the subset of authentication challenges, and further, verify the user identity based at least in part on the number of correct responses.

Abstract: A server application may request an authentication token from an authentication token provider on behalf of a client application instance. An application instance public key of a client application instance may be received at the server application, in which the application instance public key belongs to an application instance public-private key pair of the client application instance. An authentication token request is generated at the server application, in which the request includes the application instance public key of the client application instance and is signed with a server application private key of a server application public-private key pair that belongs to the server application. The authentication token request is sent by the server application to an authentication token provider to request an authentication token for use by the client application instance.

Abstract: An adaptive greylist may be used to reject authentication requests that originate from a source network address that has been taken over by a malicious actor. A percentage of successful authentications for a predetermined number of authentication requests that last originated from a source network address may be calculated. Accordingly, the source network address may be added to a greylist of suspended network addresses when the percentage of successful authentications is less than a predetermined percentage threshold. On the other hand, the source network address is kept off the greylist of suspended network addresses when the percentage of successful authentications is equal to or greater than the predetermined percentage threshold.

Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identify. A server is described that receives a service request to access a secure service provided by another service provider. The server may determine whether an additional secure service is required from a third-party server, and if so, generate a recursive authentication token for delivery to the third-party server. The recursive authentication token is intended to authenticate an identity of the server to the third-party server.

Abstract: This disclosure describes techniques that permit a user of a client device to authenticate their identity to a service provider using location-based telemetry data associated with the client device that is captured unobtrusively by a service provider over a predetermined time interval. More specifically, a Location-based identity authentication (LIA) system is described that is configured to develop authentication challenges that are based on the location-based telemetry data, such as location data, transaction data, calendar data, and event data. In one example, a client device may transmit an authentication request that relates to a set of service features available to a user identity. The LIA system may transmit a subset of the authentication challenges to the client device to authenticate the user identity. The LIA system may further receive to the subset of authentication challenges, and further, verify the user identity based at least in part on the number of correct responses.

Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identity. Rather than facilitating the issuance of authentication tokens as bearer tokens, whereby any user may present an authentication token to a secure service provider for access to secure service, this disclosure describes techniques for generating recursive authentication tokens that are digitally signed by an Identity Service Provider (IDP) and the entity that purports to present the authentication token to the service provider. Additionally, a recursive token application is described that is configured to nest preceding authentication tokens that trace back to an initial secure service request. For example, a recursive authentication token received by a second service provider may include, nested therein, the first service provider recursive authentication token and a preceding client recursive authentication token that is associated with the initial secure service request.

Abstract: An adaptive greylist may be used to reject authentication requests that originate from a source network address that has been taken over by a malicious actor. A percentage of successful authentications for a predetermined number of authentication requests that last originated from a source network address may be calculated. Accordingly, the source network address may be added to a greylist of suspended network addresses when the percentage of successful authentications is less than a predetermined percentage threshold. On the other hand, the source network address is kept off the greylist of suspended network addresses when the percentage of successful authentications is equal to or greater than the predetermined percentage threshold.

Abstract: A method of interpreting an authorization token is described herein. The service can receive an authorization token from a client device, and validate a signature of the authorization token. The service can identify an allowed function value associated at least part of an entitlement representation contained in a body of the authorization token. The service can convert the allowed function value to an allowed function bitmask that includes bits at a plurality of bit positions that are set to values indicating whether the subscriber element has attributes associated with each of the plurality of bit positions on a predefined attribute list. The service can determine whether the allowed function bitmask indicates that the subscriber element has one or more qualifying attributes that entitle a user of the client device to access the service.

Abstract: A secure device access token allows a server to verify that a device presenting the token for access to the server is an authorized device and that an application presenting the token is an authorized application as it purports to be. The secure device access token is unique to the device and to the application attempting to access the server. The secure device access token differs from a bearer token in that it is unique to the device and to the application.

Abstract: A method of interpreting an authorization token is described herein. The service can receive an authorization token from a client device, and validate a signature of the authorization token. The service can identify an allowed function value associated at least part of an entitlement representation contained in a body of the authorization token. The service can convert the allowed function value to an allowed function bitmask that includes bits at a plurality of bit positions that are set to values indicating whether the subscriber element has attributes associated with each of the plurality of bit positions on a predefined attribute list. The service can determine whether the allowed function bitmask indicates that the subscriber element has one or more qualifying attributes that entitle a user of the client device to access the service.

Abstract: Techniques are described for using two tokens to request access to a secure server. The tokens allow the server to verify, without an external call, that the requesting device is one identified in the request and that the requesting device is authorized by a trusted identity provider. A first token is an authentication token issued by the trusted identity provider and including a client device public key. The second token is a proof-of-possession token that is signed by a client device using a client device private key corresponding to the client device public key. The server obtains the client device public key from the authentication token, and then uses the client device public key to validate the proof-of-possession token. The authentication token can be re-used by a server creating its own proof-of-possession token for presentation to a second server to access a secure service on the second server.

Abstract: A server application may request an authentication token from an authentication token provider on behalf of a client application instance. An application instance public key of a client application instance may be received at the server application, in which the application instance public key belongs to an application instance public-private key pair of the client application instance. An authentication token request is generated at the server application, in which the request includes the application instance public key of the client application instance and is signed with a server application private key of a server application public-private key pair that belongs to the server application. The authentication token request is sent by the server application to an authentication token provider to request an authentication token for use by the client application instance.

Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identity. Rather than facilitating the issuance of authentication tokens as bearer tokens, whereby any user may present an authentication token to a secure service provider for access to secure service, this disclosure describes techniques for generating recursive authentication tokens that are digitally signed by an Identity Service Provider (IDP) and the entity that purports to present the authentication token to the service provider. Additionally, a recursive token application is described that is configured to nest preceding authentication tokens that trace back to an initial secure service request. For example, a recursive authentication token received by a second service provider may include, nested therein, the first service provider recursive authentication token and a preceding client recursive authentication token that is associated with the initial secure service request.

Abstract: A method of interpreting an authorization token is described herein. The service can receive an authorization token from a client device, and validate a signature of the authorization token. The service can identify an allowed function value associated at least part of an entitlement representation contained in a body of the authorization token. The service can convert the allowed function value to an allowed function bitmask that includes bits at a plurality of bit positions that are set to values indicating whether the subscriber element has attributes associated with each of the plurality of bit positions on a predefined attribute list. The service can determine whether the allowed function bitmask indicates that the subscriber element has one or more qualifying attributes that entitle a user of the client device to access the service.

Abstract: Techniques are described for using two tokens to request access to a secure server. The tokens allow the server to verify, without an external call, that the requesting device is one identified in the request and that the requesting device is authorized by a trusted identity provider. A first token is an authentication token issued by the trusted identity provider and including a client device public key. The second token is a proof-of-possession token that is signed by a client device using a client device private key corresponding to the client device public key. The server obtains the client device public key from the authentication token, and then uses the client device public key to validate the proof-of-possession token. The authentication token can be re-used by a server creating its own proof-of-possession token for presentation to a second server to access a secure service on the second server.

Abstract: A secure device access token allows a server to verify that a device presenting the token for access to the server is an authorized device and that an application presenting the token is an authorized application as it purports to be. The secure device access token is unique to the device and to the application attempting to access the server. The secure device access token differs from a bearer token in that it is unique to the device and to the application.

Abstract: Disclosed are methods and systems to authenticate and provision new, unknown users into a computer network. A computer program utilizes a card reader to extract user information from a smart card and collect additional user information inputted by the user into a computer terminal. The computer program analyzes the secure electronic certificate extracted from the smart card to authenticate the user's credentials, and transmits the user information securely to a user provisioning application. Moreover, methods and systems consistent with the present invention, utilize secure communication protocols to enable the computer program to pass the user information from an unsecured area outside of a computer network perimeter through a network firewall to a secure provisioning application inside the computer network.