Abstract: Disclosed are various embodiments for automated detection of multi-user computing devices such as kiosks, public terminals, and so on. Network resource requests are obtained from a client computing device. It is determined whether the client computing device is a multi-user system based at least in part on whether the network resource requests embody characteristics associated with multi-user systems. The resulting classification is stored and may be used to customize generation of requested network resources.

Abstract: Automated provisioning of hosts on a network with reasonable levels of security is described in this application. A certificate management service (CMS) on a host, one or more trusted agents, and a public key infrastructure are utilized in a secure framework to establish host identity. Once host identity is established, signed encryption certificates may be exchanged and secure communication may take place.

Abstract: Disclosed are various embodiments for an authentication manager. The authentication manager performs a certificate validation for a network site. If the certificate validation is successful, the authentication manager automatically provides a security credential to the network site.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information. A service may send anonymized responses to requests for data from multiple requestors, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers.

Abstract: Disclosed are various embodiments for identifying a table of non-decoy data matching a set of criteria. Decoy data is inserted into the table of non-decoy data. The decoy data is detected in a result comprising the decoy data, the result generated in response to an access of the data store. An alarm is generated based at least upon the result.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server may store entity identifiers that respectively represent entities associated with the content server. The content server may send anonymized responses to requests for data from multiple services, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. The requesting services may each receive a different anonymous identifier representing a single entity.

Abstract: A password application system receives a credential for a first privilege of a plurality of privileges whereby the first privilege corresponds to a first set of credential requirements and the plurality of privileges have a second privilege that corresponds to a different set of credential requirements. The system determines whether the credential for the first privilege satisfies the first set of credential requirements. If the credential satisfies this set of credential requirements, the system enables the credential to be used for access in accordance with the first privilege.

Abstract: A secure key distribution server (SKDS) determines the identity of a requesting server without use of a shared secret by resolving the fully qualified domain name (FQDN) to a network address and comparing it with the network address of a key request. A credential string may also be used as part of the identification. Once identity is established, keys may be securely distributed. The SKDS may also be implemented in a peer-to-peer configuration.

Abstract: This disclosure is directed to, in part, determining an expiration of a password or other security data based on a measured complexity of the password or the security data. A user may enter a password to be associated with an account or a resource (e.g., a login for a user account, etc.). The password may be analyzed to determine an entropy value of the password, which is a measure of complexity of the password. A password manager may then determine an expiration of the password based on the entropy value of the password. Thus, a more complex password may be assigned an expiration date that is longer than an expiration date assigned to a less complex password. In some aspects, the expiration date may be dynamically updated as a user continues to enter inputs for a new password.

Abstract: Disclosed are various embodiments of techniques that may be used to improve the reliability of network authentication. A communication session is established between a server computing device and a client computing device. The communication session is established via a network using a credential for a network site. A verifier for the credential is generated, which may be used to confirm the authenticity of the credential. The verifier is provided to the client computing device via the network.

Abstract: Disclosed are various embodiments for a behavior-based identity system that recognizes and/or authenticates users based at least in part on determining stored behavioral events. For example, stored behavioral events may have been observed previously at a client or have been predefined by an authenticated user. Multiple behavioral events expressed by the client relative to a network site are recorded. The behavioral events may correspond to data that a user has elected to share, and the user may opt-in or opt-out of the behavior-based identity system. A comparison is performed between the multiple observed behavioral events and the stored behavioral events associated with a user identity. An inverse identity confidence score as to whether the user identity does not belong to a user at the client is generated based at least in part on the comparison.

Abstract: Disclosed are various embodiments for a behavior-based identity system that recognizes and/or authenticates users based at least in part on stored behavioral events which have been observed previously or have been preconfigured. Multiple behavioral events expressed by a client relative to multiple resources of a network site are observed. The behavioral events correspond to data that a user has elected to share, and the user may opt-in or opt-out of the behavior-based identity system. A comparison is performed between the observed behavioral events and multiple stored behavioral events associated with a user identity. An identity confidence level as to whether the user identity belongs to a user at the client is generated based at least in part on the comparison.

Abstract: Disclosed are various embodiments for assessing risk associated with a software application on a user computing device in an enterprise networked environment. An application rating is generated for the software application based at least in part on application characteristics. A risk analysis for the installation of the application is generated based at least in part on the application rating, the user computing device, and user information.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. A request from a user is obtained, where the request pertains to an operation on a network site. An authentication duration for the user is determined, based on a risk to the user of performing the operation. A determination is made whether a current session associated with the user has expired, based on the authentication duration. The operation requested by the user is performed in response to the determination that the current session associated with the user has expired.

Abstract: This disclosure is directed to, in part, providing information about a user to a requesting party where the information is provided by an identity provider that has a preexisting relationship with the user. The user may request the identity provider to provide the information to the relying party using an interactive voice response (IVR) system. After the relying party requests the user's account information, the user may be redirected, at least momentarily, to an IVR system provided by the identity provider. The IVR system may authenticate the user. Once authenticated, the identity provider may provide the user information to the relying party. By authenticating the user, the identity provider may provide the user information to the relying party without compromising user credentials or other private or sensitive information of the user.

Abstract: Cross Site Request Forgery (CSRF) and other types of fraudulent submission can be mitigated using state information that typically is already maintained for various users. Each submission requiring authentication can include a state identifier (ID). The state ID can be compared to a corresponding secure state ID stored in a secure location, such as in a secure token or cookie or in a variable on a page that can only be accessed by code executing in the same security context as the site to which the request is made. If the received state ID is valid and matches the secure state ID, the submission is processed. Otherwise, an interstitial element is generated to prompt the user to confirm the prior submission. A subsequent confirmation submission confirming the prior submission and containing the proper state ID can be processed. If no such confirmation is received, the submission is not processed.

Abstract: Technologies are described herein for providing out-of-band authentication of an e-mail message. A recipient of an e-mail message purporting to be from an organization forwards the e-mail message or submits its content to that organization for authentication. The authenticity of the e-mail message is determined based on authentication data, such as outgoing message logs or authentication keys, maintained at the source of the e-mail message. Upon authenticating the e-mail message, the recipient is informed of the authenticity of the e-mail message.

Abstract: Disclosed are various embodiments for identifying a table of non-decoy data matching a set of criteria. Decoy data is inserted into the table of non-decoy data. The decoy data is detected in a result comprising the decoy data, the result generated in response to an access of the data store. An alarm is generated based at least upon the result.

Abstract: Disclosed are various embodiments for assessing risk associated with different software applications which are installed on user computing devices in an enterprise networked environment. Ratings are generated for the different software applications based at least in part on respective characteristics of the different software applications. Risk profiles are generated for the installations of the different software applications on the user computing devices in the networked environment. The risk profiles are generated based at least in part on the respective ratings, the respective user computing devices, and the respective end users associated with the respective user computing devices.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server may store entity identifiers that respectively represent entities associated with the content server. The content server may send anonymized responses to requests for data from multiple services, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. The requesting services may each receive a different anonymous identifier representing a single entity.