Patents by Inventor Mingliang Pei

Mingliang Pei has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11048809
    Abstract: The disclosed computer-implemented method for detecting misuse of online service access tokens may include (1) receiving a user permission token to access an online service that manages one or more user resources, (2) monitoring, based on utilization of the user permission token, usage data associated with an access token issued to a relying party for accessing the user resources managed by the online service, (3) identifying, based on the usage data, activity associated with the access token being misused by the relying party, and (4) performing a security action that protects the user resources against the activity associated with the access token being misused by the relying party. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 13, 2018
    Date of Patent: June 29, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Yuqiong Sun, Sandeep Bhatkar, Susanta Nanda, Mingliang Pei
  • Patent number: 10666642
    Abstract: A system and method for pairing a mobile device with a computer for password-less login using a network service is provided. The method may include sending a pairing request to a network server from a computing device, wherein the pairing request includes computer authentication data and a computer public key. The network server may pair the mobile device with the computing device; wherein, the computing device may generate a pairing secret key and an associated QR image, which the user is prompted to scan using the mobile device. A pairing agent within the mobile device may validate the computer authentication data and parse the computer public key therefrom. In some embodiments a PIN could be displayed by the computer and entered by the user into the mobile device or silently exchanged between the computer and the mobile device, when proximate to each other, for the mutual authentication data validation.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: May 26, 2020
    Assignee: CA, Inc.
    Inventors: Rosarin Jolly Antonyraj, Shantanu Gattani, Mingliang Pei
  • Patent number: 10560448
    Abstract: The present disclosure relates to systems and methods for on-boarding an out of the box (OOB) device so as to secure electronic control of the OOB device. In some embodiments, a method may be performed by a computing device having an electronic processor, and may include automatically electronically receiving, by a processor, an electronic request to on-board from the OOB device, and authenticating, by the processor, a standardized certificate associated with the OOB device. The method may further include obtaining, by the processor, a policy authority to electronically control the OOB device. The method may further include securing electronic control of the OOB device, by the processor, based at least in part on the obtained approval.
    Type: Grant
    Filed: September 2, 2016
    Date of Patent: February 11, 2020
    Assignee: Symantec Corporation
    Inventors: Brian Witten, Mingliang Pei, Damon Kachur
  • Publication number: 20170250974
    Abstract: A system and method for pairing a mobile device with a computer for password-less login using a network service is provided. The method may include sending a pairing request to a network server from a computing device, wherein the pairing request includes computer authentication data and a computer public key. The network server may pair the mobile device with the computing device; wherein, the computing device may generate a pairing secret key and an associated QR image, which the user is prompted to scan using the mobile device. A pairing agent within the mobile device may validate the computer authentication data and parse the computer public key therefrom. In some embodiments a PIN could be displayed by the computer and entered by the user into the mobile device or silently exchanged between the computer and the mobile device, when proximate to each other, for the mutual authentication data validation.
    Type: Application
    Filed: January 27, 2017
    Publication date: August 31, 2017
    Inventors: Rosarin Jolly Antonyraj, Shantanu Gattani, Mingliang Pei
  • Patent number: 9419968
    Abstract: Mobile push user authentication for native client based logon is described. In one method, an authentication server receives from a user interface at a native client a password for native-client based logon to a remote server. The method determines whether a portion of the password includes a one-time password (OTP). When the password includes an OTP, the method validates the remaining portion of the password as a first authentication factor, and validates the OTP as a second authentication factor. When the password does not include an OTP, the method sends a mobile push notification to a registered device, validates the password as the first authentication factor, receives a response to the mobile push notification, and validates the response to the mobile push notification as the second authentication factor. The native-client based logon is authorized when the first authentication factor and the second authentication factor are validated.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: August 16, 2016
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Prashant Thakre
  • Patent number: 9402181
    Abstract: The disclosed computer-implemented method for completing multi-factor authentication via mobile devices may include (1) identifying a request to communicate with a user's mobile device to complete multi-factor authentication of the user to an online service, (2) determining that authentication notifications are disabled for attempts made by the user to login to the online service, (3) preventing an authentication notification from being displayed on the user's mobile device, (4) receiving an out-of-band authentication communication from a mobile device, (5) determining that the mobile device that sent the out-of-band authentication communication is the user's mobile device and is therefore trusted to complete the multi-factor authentication of the user to the online service, and (6) enabling the user to login to the online service and automatically receive future notification. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: July 26, 2016
    Assignee: Symantec Corporation
    Inventors: Liyu Yi, Mingliang Pei
  • Patent number: 9313185
    Abstract: A computer-implemented method for authenticating devices may include (1) identifying a request from a device for a credentialing service to issue a credential to the device, the request including an application identifier encrypted with a first encryption key, the first encryption key having been derived by the device based on a token provisioned to the device by a vendor of the device, (2) transmitting the request to the credentialing service, (3) receiving, from the credentialing service, the credential encrypted using a second encryption key, the second encryption key having been derived by the device based on the token, and (4) providing the encrypted credential to the device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 18, 2014
    Date of Patent: April 12, 2016
    Assignee: Symantec Corporation
    Inventor: Mingliang Pei
  • Patent number: 9286369
    Abstract: Systems and methods for synchronizing verification data in a distributed database including client and server databases. The server database may exchange verification data regarding one-time passwords to multiple client databases. An update to the server database may be initiated based on information stored in the client database by pushing updated verification information from the client database to the server database via an SSL tunnel. An update to the client database may be initiated based on information stored in the server database by pulling updated verification data from the server database to the client database via an SSL tunnel. The client database and the server database may include a two-dimensional data field including the verification data and an associated key identifier, and a site ID. The site ID may include a unique identifier to identify the respective database in which it is included.
    Type: Grant
    Filed: December 30, 2009
    Date of Patent: March 15, 2016
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Oanh Hoang, Ruiping Sun, John Huang
  • Patent number: 9191381
    Abstract: A computing system of an authentication service provider receives a federated identity protocol request triggered by a relying party to validate a user. The federated identity protocol request includes a user identifier of an authenticated identity. The computing system searches mapping data stored in a data store that is coupled to the computing system to identify a type of virtual token associated with the user identifier and authenticates the user by requesting the identified type of virtual token from a user device and verifying a virtual token received from the user device using the mapping data. The computing system sends second-factor authentication results to the relying party via the federated identity protocol.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: November 17, 2015
    Assignee: Symantec Corporation
    Inventors: Nicolas Popp, Alan Dundas, Siddharth Bajaj, Mingliang Pei, Liyu Yi, John Smith
  • Patent number: 9015817
    Abstract: A computer system receives a request to access a server. The request includes a first device tag set. When the first device tag set matches a previously assigned device tag set, the computer system allows access to the server without requesting full access credentials of a user. The computer system invalidates the first device tag set, and sends a second device tag set. When the first device tag set does not match the previously assigned device tag set, the computer system requests full access credentials from the user.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: April 21, 2015
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Liyu Yi, Ajay Ramamurthy, Mark Chan, Salil Sane
  • Patent number: 8799646
    Abstract: A computer-implemented method for authenticating devices may include (1) identifying a request from a device for a credentialing service to issue a credential to the device, the request including an application identifier encrypted with a first encryption key, the first encryption key having been derived by the device based on a token provisioned to the device by a vendor of the device, (2) transmitting the request to the credentialing service, (3) receiving, from the credentialing service, the credential encrypted using a second encryption key, the second encryption key having been derived by the device based on the token, and (4) providing the encrypted credential to the device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: August 5, 2014
    Assignee: Symantec Corporation
    Inventor: Mingliang Pei
  • Patent number: 8769655
    Abstract: A system and method for more efficiently establishing a chain of trust from a registrant to a registry. A registrant credential is associated with a Shared Registration command and is sent by a registrar to a registry. Upon successful validation, a token is generated and bound to a registrant identifier. The token is included along with the registrant identifier in subsequent discrete Shared Registration commands submitted to the registry on behalf of the registrant. The registrant thus needs to submit its credential only once for changes that require several discrete commands. Also, it is more efficient for the Shared Registration System to validate a token for a set of commands than to validate different registrant credential for each discrete command.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: July 1, 2014
    Assignee: Verisign, Inc.
    Inventors: James Gould, David Smith, Mingliang Pei
  • Patent number: 8606234
    Abstract: A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time passwords includes receiving a first request using a first communications method. The first request includes a mobile device identifier. The method also includes sending a credential message using a second communications method. The credential message includes an authentication credential. The method also includes receiving a second request using a third communications method different from the second communications method. The second request includes information based upon the authentication credential sent by the provisioning service. The method also includes sending the secret if the authentication credential in the credential message corresponds to the information based upon the authentication credential in the second request.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: December 10, 2013
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Yuequin Lin, Bruce Ong, Jeff Burstein, Ananta K. Vadlamani
  • Patent number: 8590030
    Abstract: A system for efficiently storing and activating credential seeds that are embedded in authentication devices. Device manufacturers provide copies of credential seeds embedded in the devices to an authentication service. The authentication service stores the credential seeds for authentication devices in a pre-active credential seed data store. When a credential seed is needed to perform a real-time or near real-time authentication of a One Time Password, the credential is fetched from the pre-active credential seed data store, used to authenticate the OTP and injected into the active credential seed data store, which can be a database. Thereafter, the credential seed is fetched from the active credential seed data store for real-time and near real-time authentication of OTPs.
    Type: Grant
    Filed: April 14, 2011
    Date of Patent: November 19, 2013
    Assignee: Symantec Corporation
    Inventor: Mingliang Pei
  • Patent number: 8584224
    Abstract: A system for authenticating a user to a relying party. A user sends an access request to a relying party web application. In response, the application sends a page with JavaScript that detects a plug-in at the user and detects the relying party domain. The plug-in uses its device certificate or other pre-established credentials to sign a challenge along with other site and user information including the site domain, the authentication service URL and user identifier, and send it, along with the data including the domain and the user identifier, to an authentication service. The service authenticates the information and sends back to the plug-in a short ticket that can be passed on to the relying party, which can validate it using the Radius protocol and an authentication service call, thereby authenticating the user.
    Type: Grant
    Filed: April 13, 2011
    Date of Patent: November 12, 2013
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Jeff Burstein, Liyu Yi, Rosarin Jolly Antonyraj, Rong Cao
  • Patent number: 8397281
    Abstract: A method for providing a secret that is provisioned to a first device to a second device includes generating a One-Time Password at the first device using the secret and obtaining an identifier of the secret. The method also includes providing the One-Time Password and the identifier to the second device and sending the One-Time Password and the identifier to a remote provisioning service. The method also includes verifying that the One-Time Password corresponds to the secret, and sending to the second device an encrypted secret and a decryption key for decrypting the encrypted secret. The encrypted secret and the decryption key may be sent using different communications methods. The method also includes decrypting the encrypted secret using the decryption key to provide the secret and storing the secret at the second device.
    Type: Grant
    Filed: December 30, 2009
    Date of Patent: March 12, 2013
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Slawek Ligier
  • Publication number: 20120174198
    Abstract: A system and method for more efficiently establishing a chain of trust from a registrant to a registry. A registrant credential is associated with a Shared Registration command and is sent by a registrar to a registry. Upon successful validation, a token is generated and bound to a registrant identifier. The token is included along with the registrant identifier in subsequent discrete Shared Registration commands submitted to the registry on behalf of the registrant. The registrant thus needs to submit its credential only once for changes that require several discrete commands. Also, it is more efficient for the Shared Registration System to validate a token for a set of commands than to validate different registrant credential for each discrete command.
    Type: Application
    Filed: December 30, 2010
    Publication date: July 5, 2012
    Applicant: VeriSign, Inc.
    Inventors: James Gould, David Smith, Mingliang Pei
  • Publication number: 20110161289
    Abstract: Systems and methods for synchronizing verification data in a distributed database including client and server databases. The server database may exchange verification data regarding one-time passwords to multiple client databases. An update to the server database may be initiated based on information stored in the client database by pushing updated verification information from the client database to the server database via an SSL tunnel. An update to the client database may be initiated based on information stored in the server database by pulling updated verification data from the server database to the client database via an SSL tunnel. The client database and the server database may include a two-dimensional data field including the verification data and an associated key identifier, and a site ID. The site ID may include a unique identifier to identify the respective database in which it is included.
    Type: Application
    Filed: December 30, 2009
    Publication date: June 30, 2011
    Applicant: VeriSign, Inc.
    Inventors: Mingliang Pei, Oanh Hoang, Ruiping Sun, John Huang
  • Publication number: 20110162053
    Abstract: A method for providing a secret that is provisioned to a first device to a second device includes generating a One-Time Password at the first device using the secret and obtaining an identifier of the secret. The method also includes providing the One-Time Password and the identifier to the second device and sending the One-Time Password and the identifier to a remote provisioning service. The method also includes verifying that the One-Time Password corresponds to the secret, and sending to the second device an encrypted secret and a decryption key for decrypting the encrypted secret. The encrypted secret and the decryption key may be sent using different communications methods. The method also includes decrypting the encrypted secret using the decryption key to provide the secret and storing the secret at the second device.
    Type: Application
    Filed: December 30, 2009
    Publication date: June 30, 2011
    Applicant: VeriSign, Inc.
    Inventors: Mingliang Pei, Slawek Ligier
  • Publication number: 20110159848
    Abstract: A method for provisioning a mobile device with a secret to be used as a basis for generating One-Time passwords includes receiving a first request using a first communications method. The first request includes a mobile device identifier. The method also includes sending a credential message using a second communications method. The credential message includes an authentication credential. The method also includes receiving a second request using a third communications method different from the second communications method. The second request includes information based upon the authentication credential sent by the provisioning service. The method also includes sending the secret if the authentication credential in the credential message corresponds to the information based upon the authentication credential in the second request.
    Type: Application
    Filed: December 31, 2009
    Publication date: June 30, 2011
    Applicant: VeriSign, Inc.
    Inventors: Mingliang Pei, Yuequin Lin, Bruce Ong, Jeff Burstein, Ananta K. Vadlamani