Abstract: This disclosure describes techniques for authenticating one or more devices of a user in association with cloud computing services. The techniques include generating credential portions. The credential portions may be used in a signing protocol between one of the user devices and a cloud authenticator. The signing protocol may generate a signature that may be used in authentication with a cloud computing service. In some cases, the credential portions may be shared with other devices of the user. As such, the cloud authenticate may assist multiple user devices to authenticate with the cloud computing service.

Abstract: An identity server authenticates a first user identity for a user device through a first authentication exchange as part of a passwordless authentication system. The identity server registers with a relying party as an authenticator for a second user identity. The identity server initiates a second authentication exchange by obtaining from the relying party, a credential request associated with the second user identity. Responsive to a determination that the first user identity authenticated in the first authentication exchange is authorized to act as the second user identity, the identity server obtains a credential request response authenticated by the authenticator in the identity server. The identity server completes the second authentication exchange by providing the credential response to the relying party. The second authentication exchange authenticates the user device to the relying party without involving the user device.

Abstract: An authentication system handles authentication requests to apply introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy.

Abstract: This disclosure describes techniques for authenticating one or more devices of a user in association with cloud computing services. The techniques include generating credential portions. The credential portions may be used in a signing protocol between one of the user devices and a cloud authenticator. The signing protocol may generate a signature that may be used in authentication with a cloud computing service. Furthermore, the user may be able to use any one of the user devices to log in to an online service after enrolling only a single user device with the online service. As such, the cloud authenticator may assist multiple user devices to authenticate with the cloud computing service.

Abstract: This disclosure describes techniques for authenticating one or more devices of a user in association with cloud computing services. The techniques include generating credential portions. The credential portions may be used in a signing protocol between one of the user devices and a cloud authenticator. The signing protocol may generate a signature that may be used in authentication with a cloud computing service. In some cases, the credential portions may be shared with other devices of the user. As such, the cloud authenticate may assist multiple user devices to authenticate with the cloud computing service.

Abstract: An identity server authenticates a first user identity for a user device through a first authentication exchange as part of a passwordless authentication system. The identity server registers with a relying party as an authenticator for a second user identity. The identity server initiates a second authentication exchange by obtaining from the relying party, a credential request associated with the second user identity. Responsive to a determination that the first user identity authenticated in the first authentication exchange is authorized to act as the second user identity, the identity server obtains a credential request response authenticated by the authenticator in the identity server. The identity server completes the second authentication exchange by providing the credential response to the relying party. The second authentication exchange authenticates the user device to the relying party without involving the user device.

Abstract: An authentication system handles authentication requests to apply introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy.