Patents by Inventor Kevin Bowers

Kevin Bowers has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11558425
    Abstract: Policy-based techniques are provided for dynamic access control for resources. One method comprises, upon a user attempt to access a given resource, identifying a policy defined for access to the given resource, wherein the policy comprises a rule and an allowed issuer of a verifiable claim; determining if the rule and the allowed issuer are satisfied based on an evaluation of the verifiable claim; and allowing the user to access the given resource if the rule and the allowed issuer are satisfied. A given rule can specify a threshold for a data item obtained from an allowed issuer. The policy can be stored by one or more policy hubs. A plurality of policy hubs can be organized in a hierarchical structure, such that one given policy is applied to the given resource in a predictable manner.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: January 17, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 11463430
    Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: October 4, 2022
    Assignee: RSA Security LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 11233796
    Abstract: Techniques are provided for selecting attributes to cluster users for a user application entitlement evaluation.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: January 25, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Zhou Li, Alex Zaslavsky, Kevin Bowers
  • Patent number: 11223473
    Abstract: Techniques are provided for client-driven shared secret updates for client authentication. One method comprises, in response to a first authentication of a client by a server using a given shared secret, updating, by the client, the given shared secret to generate an updated shared secret and storing the updated shared secret with the server; and submitting the updated shared secret to the server as part of a second authentication of the client. The updating is optionally performed by one or more of a password vault and a browser extension. The client may randomly select the updated shared secret or compute the updated shared secret in a predefined manner. The server may evaluate whether the client stores the updated shared secret with the server in connection with the first authentication and implement one or more predefined steps when the updated shared secret is not stored with the server.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: January 11, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 11165571
    Abstract: A method includes receiving, over an audio channel at a first audio input device, a first audio signal. The method also includes analyzing the first audio signal to identify at least a first portion of authentication data transmitted from an authentication token. The method further includes verifying transmittal of the authentication data by the authentication token utilizing at least a second audio signal. The second audio signal is received at a second audio input device, and the second audio signal comprises at least a second portion of the authentication data. The method further includes providing the authentication data to a validating application responsive to verifying transmittal of the authentication data by the authentication token.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: November 2, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Joseph P. Lacava, Kevin Bowers
  • Patent number: 11126703
    Abstract: Techniques are provided for identity assurance using a posture profile. One method comprises obtaining a posture profile of a user indicating a behavior of the user while sitting in a seat and/or standing on a mat; performing the following steps, in response to a request of the user to obtain access to a protected resource: receiving identity assurance information comprising: (i) configuration information about a configuration of the seat and/or the mat at a time of the request of the user; and/or (ii) user information about the user one or more of: sitting in the seat and standing on the mat at the time of the request of the user; determining if the identity assurance information satisfies a predefined identity assurance criteria; and providing an identity assurance result.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: September 21, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 11042637
    Abstract: A method includes obtaining assembly code of a first software module, the assembly code comprising one or more assembly functions each comprising at least one basic block. The method also includes computing fingerprints of the basic blocks of the first software module by application of a fuzzy hash function, generating a representation of the first software module as a set of assembly functions each represented as a sequence of fingerprints of its associated basic blocks, and determining a similarity score between the first software module and at least a second software module classified as a given software module type. The similarity score is based on distances between the fingerprints of the basic blocks of the assembly functions of the first software module and corresponding fingerprints of the second software module. The method further includes determining a measure of code sharing between the first and second software modules based on the similarity score.
    Type: Grant
    Filed: February 1, 2018
    Date of Patent: June 22, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Sashka T. Davis, Kevin Bowers
  • Patent number: 11036855
    Abstract: A method includes obtaining a given web page, parsing the given web page to identify one or more frame tags for one or more inline frames of the given web page, and extracting a set of features of a given inline frame from a given one of the identified frame tags in the given web page, the extracted set of features comprising one or more style features, one or more destination features and one or more context features of the given identified frame tag. The method also includes classifying the given inline frame as one of a malicious frame type and a benign frame type utilizing at least one model and at least a portion of the extracted set of features, and controlling access by one or more client devices associated with an enterprise to the given web page responsive to classifying the given inline frame as the malicious frame type.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: June 15, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Zhou Li, Kevin Bowers, Martin Rosa, Raymond Carney, Ke Tian
  • Patent number: 11032261
    Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: June 8, 2021
    Assignee: RSA Security LLC
    Inventors: Salah E. Machani, Kevin Bowers
  • Patent number: 11032271
    Abstract: Techniques are provided for authenticating a user using shared secret seed updates for one-time passcode (OTP) generation. One method comprises, in response to a first authentication of a client using a given OTP derived from a given shared secret seed, updating, by a server, the given shared secret seed using the given OTP and/or a timestamp from the first authentication to generate an updated given shared secret seed; and evaluating a second authentication using a new OTP derived from the updated given shared secret seed. An anomaly may be detected when the client attempts the second authentication using an OTP and the server determines that the OTP was generated by a previously used shared secret seed. The server may store a set of previously accepted OTPs, and evaluate the previously accepted OTPs to validate the new OTP.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: June 8, 2021
    Assignee: RSA Security LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Publication number: 20210037058
    Abstract: Policy-based techniques are provided for dynamic access control for resources. One method comprises, upon a user attempt to access a given resource, identifying a policy defined for access to the given resource, wherein the policy comprises a rule and an allowed issuer of a verifiable claim; determining if the rule and the allowed issuer are satisfied based on an evaluation of the verifiable claim; and allowing the user to access the given resource if the rule and the allowed issuer are satisfied. A given rule can specify a threshold for a data item obtained from an allowed issuer. The policy can be stored by one or more policy hubs. A plurality of policy hubs can be organized in a hierarchical structure, such that one given policy is applied to the given resource in a predictable manner.
    Type: Application
    Filed: July 31, 2019
    Publication date: February 4, 2021
    Inventors: Brian C. Mullins, Kevin Bowers
  • Publication number: 20200349243
    Abstract: Techniques are provided for identity assurance using a posture profile. One method comprises obtaining a posture profile of a user indicating a behavior of the user while sitting in a seat and/or standing on a mat; performing the following steps, in response to a request of the user to obtain access to a protected resource: receiving identity assurance information comprising: (i) configuration information about a configuration of the seat and/or the mat at a time of the request of the user; and/or (ii) user information about the user one or more of: sitting in the seat and standing on the mat at the time of the request of the user; determining if the identity assurance information satisfies a predefined identity assurance criteria; and providing an identity assurance result.
    Type: Application
    Filed: May 3, 2019
    Publication date: November 5, 2020
    Inventors: Brian C. Mullins, Kevin Bowers
  • Publication number: 20200252385
    Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.
    Type: Application
    Filed: February 1, 2019
    Publication date: August 6, 2020
    Inventors: Brian C. Mullins, Kevin Bowers
  • Publication number: 20200252381
    Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.
    Type: Application
    Filed: January 31, 2019
    Publication date: August 6, 2020
    Inventors: Salah E. Machani, Kevin Bowers
  • Publication number: 20200252212
    Abstract: Techniques are provided for client-driven shared secret updates for client authentication. One method comprises, in response to a first authentication of a client by a server using a given shared secret, updating, by the client, the given shared secret to generate an updated shared secret and storing the updated shared secret with the server; and submitting the updated shared secret to the server as part of a second authentication of the client. The updating is optionally performed by one or more of a password vault and a browser extension. The client may randomly select the updated shared secret or compute the updated shared secret in a predefined manner. The server may evaluate whether the client stores the updated shared secret with the server in connection with the first authentication and implement one or more predefined steps when the updated shared secret is not stored with the server.
    Type: Application
    Filed: February 1, 2019
    Publication date: August 6, 2020
    Inventors: Brian C. Mullins, Kevin Bowers
  • Publication number: 20200252392
    Abstract: Techniques are provided for authenticating a user using shared secret seed updates for one-time passcode (OTP) generation. One method comprises, in response to a first authentication of a client using a given OTP derived from a given shared secret seed, updating, by a server, the given shared secret seed using the given OTP and/or a timestamp from the first authentication to generate an updated given shared secret seed; and evaluating a second authentication using a new OTP derived from the updated given shared secret seed. An anomaly may be detected when the client attempts the second authentication using an OTP and the server determines that the OTP was generated by a previously used shared secret seed. The server may store a set of previously accepted OTPs, and evaluate the previously accepted OTPs to validate the new OTP.
    Type: Application
    Filed: February 1, 2019
    Publication date: August 6, 2020
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 10735403
    Abstract: Static and dynamic embodiments are presented for generating chaff passwords for use in a password-hardening system. Chaff passwords are generated by modifying portions of base passwords based on a distribution with which particular strings of digits and symbols appear in user passwords. Location oblivious chaff passwords are generated from a chaff set of passwords obtained from a chaff generation method by applying a random permutation over the elements of the obtained chaff set of passwords.
    Type: Grant
    Filed: November 1, 2017
    Date of Patent: August 4, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Kevin Bowers, Ari Juels, Ronald Rivest, Guoying Luo
  • Publication number: 20200244452
    Abstract: A method includes receiving, over an audio channel at a first audio input device, a first audio signal. The method also includes analyzing the first audio signal to identify at least a first portion of authentication data transmitted from an authentication token. The method further includes verifying transmittal of the authentication data by the authentication token utilizing at least a second audio signal. The second audio signal is received at a second audio input device, and the second audio signal comprises at least a second portion of the authentication data. The method further includes providing the authentication data to a validating application responsive to verifying transmittal of the authentication data by the authentication token.
    Type: Application
    Filed: January 25, 2019
    Publication date: July 30, 2020
    Inventors: Joseph P. Lacava, Kevin Bowers
  • Patent number: 10673832
    Abstract: Techniques are provided for implementing predefined access policies based on auxiliary information embedded in one-time passcode authentication tokens. An exemplary method comprises receiving an authentication passcode generated by a token of a user, wherein the received authentication passcode is derived from a secret seed and based on at least one protocode and embedded auxiliary information; processing the received authentication passcode to extract the embedded auxiliary information from the received authentication passcode, wherein the embedded auxiliary information comprises (i) a silent alarm signal indicating a potential compromise of the token, and (ii) a drifting key signal indicating a current drifting key state of the token, wherein the drifting key signal is processed to detect a cloning of the token; and implementing a predefined access policy (e.g., replace or disable the token of one or more users) based on respective values of the silent alarm signal and the drifting key signal.
    Type: Grant
    Filed: August 17, 2018
    Date of Patent: June 2, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Kevin Bowers, Nikolaos Triandopoulos, John Brainard
  • Publication number: 20200106781
    Abstract: Techniques are provided for selecting attributes to cluster users for a user application entitlement evaluation.
    Type: Application
    Filed: September 28, 2018
    Publication date: April 2, 2020
    Inventors: Zhou Li, Alex Zaslavsky, Kevin Bowers