Patents by Inventor Salah E. Machani

Salah E. Machani has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11720660
    Abstract: Methods, apparatus, and processor-readable storage media for temporary partial authentication value provisioning for offline authentication are provided herein. An example computer-implemented method includes generating, in response to a request from an access device, an intermediary set of cryptographic information from an initial set of cryptographic information; modifying the intermediary set of cryptographic information based at least in part on data pertaining to the access device and one or more security parameters, wherein modifying the intermediary set of cryptographic information comprises removing one or more items of the cryptographic information from the intermediary set; and transmitting, over a network connection, the modified intermediary set of cryptographic information to the access device for use in a subsequent offline authentication request.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: August 8, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Piers Bowness, Salah E. Machani
  • Patent number: 11486709
    Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: November 1, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Alex Zaslavsky, Guoying Luo, Salah E. Machani
  • Patent number: 11283841
    Abstract: Techniques are provided for community-based anomaly detection policy sharing among organizations. One method comprises obtaining a cluster of organizations derived from clustering multiple organizations based on predefined clustering parameters; obtaining multiple policies from the organizations in the cluster; selecting one of the obtained plurality of policies based on a predefined policy sharing criteria; and sharing the selected policy with one or more of the organizations in the cluster. A use of the selected policy by one or more of the organizations may be simulated to evaluate a performance of the selected policy. The selected policy may be normalized and/or abstracted prior to being shared with organizations in the cluster. A given policy obtained from the organizations in the cluster may be weighted based on an influence rating of one or more source organizations that provided the given policy.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: March 22, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Alex Zaslavsky, Salah E. Machani
  • Patent number: 11222101
    Abstract: Techniques are provided for user behavior analytics using keystroke analysis of pseudo-random data strings. One method comprises obtaining timestamps corresponding to keystroke activities on a device of a user associated with typing a pseudo-random character string comprising multiple characters, wherein at least one timestamp is adjusted based on errors associated with the typing of the pseudo-random character string; determining a time difference between keystroke activities associated with the pseudo-random character string using at least one adjusted timestamp; obtaining a time difference distribution for a subset of character sequences in the pseudo-random character string; determining a probability value for one or more character sequences in the subset; and determining an aggregate probability value for the pseudo-random character string based on the probability values.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: January 11, 2022
    Assignee: RSA Security LLC
    Inventors: Alex Zaslavsky, Salah E. Machani
  • Patent number: 11151232
    Abstract: Techniques are provided for authenticating a user using an endpoint device of the user with a local policy and endpoint data. One method comprises obtaining, at an endpoint device of a given user, behavioral anomalies from a remote engine that generates the behavioral anomalies based on behavior of multiple users; in response to an access request by the given user, performing the following steps at the endpoint device: obtaining authentication data related to the given user and/or the endpoint device; generating features based on the authentication data; applying the features to a behavior model incorporating the behavioral anomalies to determine a behavior score for the access request; and evaluating the access request to make an authentication decision based on the behavior score. The behavior score indicates, for example, a confidence that the given user is an expected user and/or a same user who has previously been validated.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: October 19, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Salah E. Machani, Alex Zaslavsky
  • Patent number: 11139982
    Abstract: Techniques are provided for communication-efficient device delegation. One method comprises, in response to a request for a new signing key of a given device, determining a number of new signing key requests received for the user of the given device; determining a new public verification key of the given device for an identity-based signature scheme by traversing a cryptographic hash chain backwards from a position of an initial selected value of the cryptographic hash chain; computing a new signing key based on public parameters and secret parameters of a backup component and the initial selected value; and providing the new public verification key and the new signing key to the given device. The given device authenticates to an authentication service using an identity-based signature computed using the new signing key. The request for the new signing key is submitted, for example, when the given device is lost, damaged, unavailable or stolen.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: October 5, 2021
    Assignee: RSA Security LLC
    Inventors: Zulfikar A. Ramzan, Salah E. Machani
  • Patent number: 11055398
    Abstract: A method is used in monitoring strength of passwords. A request is received from a user to use a user password. A password score is determined for the user password. The password score indicates quality of the user password. Based on the password score, the strength of the user password is evaluated in a privacy preserving manner. The privacy preserving manner indicates avoiding storing information regarding the user password after strength of the user password has been evaluated.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: July 6, 2021
    Assignee: RSA Security LLC
    Inventors: Naveen Sunkavally, Salah E. Machani
  • Patent number: 11032261
    Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.
    Type: Grant
    Filed: January 31, 2019
    Date of Patent: June 8, 2021
    Assignee: RSA Security LLC
    Inventors: Salah E. Machani, Kevin Bowers
  • Patent number: 11003760
    Abstract: Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: May 11, 2021
    Assignee: RSA Security LLC
    Inventor: Salah E. Machani
  • Publication number: 20210133357
    Abstract: Techniques are provided for centralized processing of sensitive user data. One method comprises obtaining, by a service provider, values of predefined features based at least in part on personal information of a user, wherein the values of the predefined features are computed by the user; and processing, by the service provider, the values of the predefined features based on the personal information to detect one or more predefined anomalies associated with the user and/or a device of the user. The predefined anomalies comprise, for example, a risk anomaly, a security level anomaly, a fraud likelihood anomaly, an identity assurance anomaly, and/or a behavior anomaly. The predefined features relate to, for example, a location of the user and/or device-specific information for a device of the user.
    Type: Application
    Filed: October 30, 2019
    Publication date: May 6, 2021
    Inventors: Salah E. Machani, Alex Zaslavsky
  • Publication number: 20210131806
    Abstract: Techniques are provided for ground distance calculations using sanitized location data. One method comprises a service provider obtaining: (i) a geographic zone identifier of multiple predefined geographic zones of a first location of a user, and (ii) a first distance between the first location of the user and multiple reference points that define boundaries of the predefined geographic zones; the service provider obtaining: (i) a geographic zone identifier of the multiple predefined geographic zones of a second location of the user, and (ii) a second distance between the first location of the user and the multiple reference points; and computing a ground distance between the first location and the second location by selecting a subset of the multiple reference points based at least in part on the relative geographic zones of the current and second locations. The user may: (i) estimate the first location and calculate the first distance; and/or (ii) compute the first and second distances.
    Type: Application
    Filed: October 30, 2019
    Publication date: May 6, 2021
    Inventors: Alex Zaslavsky, Guoying Luo, Salah E. Machani
  • Publication number: 20200252381
    Abstract: Techniques are provided for account recovery using an identity assurance scoring system. One method comprises providing multiple available identity assurance techniques, each assigned a corresponding identity assurance value indicating a level of assurance for the corresponding available identity assurance technique; in response to a user request to obtain access to a protected resource following a loss incident of a user authenticator: receiving, from the user, authentication information associated with the available identity assurance techniques; aggregating the corresponding assigned identity assurance values for the received available identity assurance techniques to determine an aggregate identity assurance value; determining if the aggregate identity assurance value satisfies a predefined identity assurance level criteria; and evaluating the user request to access the protected resource based on the determining.
    Type: Application
    Filed: January 31, 2019
    Publication date: August 6, 2020
    Inventors: Salah E. Machani, Kevin Bowers
  • Publication number: 20200244465
    Abstract: Techniques are provided for communication-efficient device delegation. One method comprises, in response to a request for a new signing key of a given device, determining a number of new signing key requests received for the user of the given device; determining a new public verification key of the given device for an identity-based signature scheme by traversing a cryptographic hash chain backwards from a position of an initial selected value of the cryptographic hash chain; computing a new signing key based on public parameters and secret parameters of a backup component and the initial selected value; and providing the new public verification key and the new signing key to the given device. The given device authenticates to an authentication service using an identity-based signature computed using the new signing key. The request for the new signing key is submitted, for example, when the given device is lost, damaged, unavailable or stolen.
    Type: Application
    Filed: January 30, 2019
    Publication date: July 30, 2020
    Inventors: Zulfikar A. Ramzan, Salah E. Machani
  • Publication number: 20200242232
    Abstract: Account recovery control systems and methods are provided to support a self-service account recovery process for registered users of an information system. Account recovery protocols implement a secret sharing scheme between trusted referees and registered users of the information system to enable a registered user to regain access to the user's registered account when one or more authentication factors of the registered user are lost (e.g., forgotten, misplaced, damaged, stolen, etc.).
    Type: Application
    Filed: January 30, 2019
    Publication date: July 30, 2020
    Inventor: Salah E. Machani
  • Publication number: 20200242227
    Abstract: Methods, apparatus, and processor-readable storage media for temporary partial authentication value provisioning for offline authentication are provided herein. An example computer-implemented method includes generating, in response to a request from an access device, an intermediary set of cryptographic information from an initial set of cryptographic information; modifying the intermediary set of cryptographic information based at least in part on data pertaining to the access device and one or more security parameters, wherein modifying the intermediary set of cryptographic information comprises removing one or more items of the cryptographic information from the intermediary set; and transmitting, over a network connection, the modified intermediary set of cryptographic information to the access device for use in a subsequent offline authentication request.
    Type: Application
    Filed: January 28, 2019
    Publication date: July 30, 2020
    Inventors: Piers Bowness, Salah E. Machani
  • Publication number: 20200242222
    Abstract: Techniques are provided for authenticating a user using an endpoint device of the user with a local policy and endpoint data. One method comprises obtaining, at an endpoint device of a given user, behavioral anomalies from a remote engine that generates the behavioral anomalies based on behavior of multiple users; in response to an access request by the given user, performing the following steps at the endpoint device: obtaining authentication data related to the given user and/or the endpoint device; generating features based on the authentication data; applying the features to a behavior model incorporating the behavioral anomalies to determine a behavior score for the access request; and evaluating the access request to make an authentication decision based on the behavior score. The behavior score indicates, for example, a confidence that the given user is an expected user and/or a same user who has previously been validated.
    Type: Application
    Filed: January 28, 2019
    Publication date: July 30, 2020
    Inventors: Salah E. Machani, Alex Zaslavsky
  • Publication number: 20200244705
    Abstract: Techniques are provided for community-based anomaly detection policy sharing among organizations. One method comprises obtaining a cluster of organizations derived from clustering multiple organizations based on predefined clustering parameters; obtaining multiple policies from the organizations in the cluster; selecting one of the obtained plurality of policies based on a predefined policy sharing criteria; and sharing the selected policy with one or more of the organizations in the cluster. A use of the selected policy by one or more of the organizations is optionally simulated to evaluate a performance of the selected policy. The selected policy is optionally normalized and/or abstracted prior to being shared with organizations in the at least one cluster. A given policy obtained from the organizations in the cluster is optionally weighted based on an influence rating of one or more source organizations that provided the given policy.
    Type: Application
    Filed: January 25, 2019
    Publication date: July 30, 2020
    Inventors: Alex Zaslavsky, Salah E. Machani
  • Publication number: 20200143036
    Abstract: A method is used in monitoring strength of passwords. A request is received from a user to use a user password. A password score is determined for the user password. The password score indicates quality of the user password. Based on the password score, the strength of the user password is evaluated in a privacy preserving manner. The privacy preserving manner indicates avoiding storing information regarding the user password after strength of the user password has been evaluated.
    Type: Application
    Filed: November 2, 2018
    Publication date: May 7, 2020
    Inventors: Naveen Sunkavally, Salah E. Machani
  • Publication number: 20200143037
    Abstract: A method is used in managing enterprise authentication policies using password strength. A request is received from an enterprise user to use a user password in order to access a protected resource within an enterprise. A password score for the user password is determined. The password score indicates quality of the user password. A user risk score for the enterprise user is determined based on the password score. An enterprise authentication policy is enforced based on the user risk score. The user risk score is determined each time the enterprise user uses the user password.
    Type: Application
    Filed: November 2, 2018
    Publication date: May 7, 2020
    Inventors: Naveen Sunkavally, Salah E. Machani
  • Patent number: 10225084
    Abstract: Disclosed are techniques for securely sharing a content item. The techniques comprise receiving an authorization grant. The techniques also comprise utilizing the authorization grant to obtain an access token. The access token includes credentials for enabling access to a content item. The techniques further include requesting one of an encryption or decryption key from a key management system. The one of the encryption or decryption key facilitates encryption or decryption operations in connection with the content item. The techniques still further comprise performing an encryption or decryption operation in connection with the content item. The one of the encryption or decryption operation is performed using the corresponding one of the encryption or decryption key.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: March 5, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Salah E. Machani