Abstract: Embodiments implement multifactor authentication without a user footprint. An application programming interface call from a client application can be received that includes a messaging identifier. A transaction identifier can be transmitted to the client application and stored. Using a shared secret, a temporary password can be generated, where the shared secret can be associated with the transaction identifier and can be stored. The temporary password can be transmitted to the messaging identifier. A second application programming interface call can be received that includes a reference transaction identifier and input, where a user provides the input to the client application. The user can be authenticated when the reference transaction identifier matches a transaction identifier stored and the input matches an expected password that is based on a stored shared secret associated with the matching stored transaction identifier.

Abstract: Embodiments perform bulk multifactor authentication (MFA) enrollment in an identity cloud management system. An entity can be created in the identity cloud management system, where the entity is issued a credential that includes a permissions scope for communicating with the identity cloud management system. A bulk set of user identities and MFA enrollment information including MFA security factors for the user identities and a status for the user identities can be received in association with the credential, where the MFA security factors include a mix of communication addresses and shared secrets. A subset of the user identities that include a status that indicates MFA enrollment can be enrolled, where the enrolling includes creating an MFA footprint for the subset of user identities within an MFA database, and each created MFA footprint includes a received MFA security factor.

Abstract: An example system and method facilitates establishment of secure communications between software systems, e.g., a client computing device and one or more servers (e.g., a cloud) using Multi Factor Authentication (MFA) via strategic use of tokens. An example method for overcoming longstanding security loopholes and usability issues with conventional MFA methods includes efficiently securing registration code (e.g., via public key cryptography and tokens) and exchanged data (e.g., message payloads), in part by embedding a signed token (e.g., a JWT token signed by a private key of the server system) in a registration link used by a client system to communicate with one or more servers of a server system.

Abstract: Embodiments perform bulk multifactor authentication (MFA) enrollment in an identity cloud management system. An entity can be created in the identity cloud management system, where the entity is issued a credential that includes a permissions scope for communicating with the identity cloud management system. A bulk set of user identities and MFA enrollment information including MFA security factors for the user identities and a status for the user identities can be received in association with the credential, where the MFA security factors include a mix of communication addresses and shared secrets. A subset of the user identities that include a status that indicates MFA enrollment can be enrolled, where the enrolling includes creating an MFA footprint for the subset of user identities within an MFA database, and each created MFA footprint includes a received MFA security factor.

Abstract: Techniques related to authentication and authorization are disclosed. In some embodiments, an access management system is provided for increasing the reliability of notification-based authentication and/or authorization. Push notifications, for example, may be used as part of multifactor authentication processing or authorization processing. In certain embodiments, in response to an event triggering an authentication or authorization flow for a user, multiple different ways are provided for delivering notifications related to the authentication or authorization flow to the user's device (e.g., a client device registered for push notification-based authentication or authorization). By providing multiple ways for communicating notifications related to the authentication or authorization to the user's device, the chance that an authentication-related or authorization-related notification is missed or not delivered to the user's device is dramatically reduced.

Abstract: Techniques are described for enrolling an authentication device for generating time-based one-time passwords (TOTPs) for use with multi-factor authentication (MFA). A user is prompted to initiate an enrollment procedure after successful authentication based on a first authentication factor in connection with a request for a resource protected by an access management (AM) system. The authentication device contacts the AM system to establish that the authentication device is a trusted device (e.g., through validation of an authentication token contained in a Quick Response (QR) code generated by the AM system). After the authentication device has been established as a trusted device, the AM system sends a shared secret to the authentication device, which uses the shared secret to complete enrollment (e.g., by generating a TOTP for verification by the AM system). A session is then created for the user to enable access to the protected resource.

Abstract: Embodiments implement multifactor authentication without a user footprint. An application programming interface call from a client application can be received that includes a messaging identifier. A transaction identifier can be transmitted to the client application and stored. Using a shared secret, a temporary password can be generated, where the shared secret can be associated with the transaction identifier and can be stored. The temporary password can be transmitted to the messaging identifier. A second application programming interface call can be received that includes a reference transaction identifier and input, where a user provides the input to the client application. The user can be authenticated when the reference transaction identifier matches a transaction identifier stored and the input matches an expected password that is based on a stored shared secret associated with the matching stored transaction identifier.

Abstract: Techniques are described for enrolling an authentication device for generating time-based one-time passwords (TOTPs) for use with multi-factor authentication (MFA). A user is prompted to initiate an enrollment procedure after successful authentication based on a first authentication factor in connection with a request for a resource protected by an access management (AM) system. The authentication device contacts the AM system to establish that the authentication device is a trusted device (e.g., through validation of an authentication token contained in a Quick Response (QR) code generated by the AM system). After the authentication device has been established as a trusted device, the AM system sends a shared secret to the authentication device, which uses the shared secret to complete enrollment (e.g., by generating a TOTP for verification by the AM system). A session is then created for the user to enable access to the protected resource.

Abstract: An example system and method facilitates establishment of secure communications between software systems, e.g., a client computing device and one or more servers (e.g., a cloud) using Multi Factor Authentication (MFA) via strategic use of tokens. An example method for overcoming longstanding security loopholes and usability issues with conventional MFA methods includes efficiently securing registration code (e.g., via public key cryptography and tokens) and exchanged data (e.g., message payloads), in part by embedding a signed token (e.g., a JWT token signed by a private key of the server system) in a registration link used by a client system to communicate with one or more servers of a server system.

Abstract: Techniques related to authentication and authorization are disclosed. In some embodiments, an access management system is provided for increasing the reliability of notification-based authentication and/or authorization. Push notifications, for example, may be used as part of multifactor authentication processing or authorization processing. In certain embodiments, in response to an event triggering an authentication or authorization flow for a user, multiple different ways are provided for delivering notifications related to the authentication or authorization flow to the user's device (e.g., a client device registered for push notification-based authentication or authorization). By providing multiple ways for communicating notifications related to the authentication or authorization to the user's device, the chance that an authentication-related or authorization-related notification is missed or not delivered to the user's device is dramatically reduced.

Abstract: A method, system and computer program product for retrieving information from a relational database using user defined facets in a faceted query may include receiving a faceted query and receiving at least one user defined facet group query. The method may also include filtering out facets in the faceted query that relate to metadata in the relational database. The method may additionally include associating each remaining facet in the faceted query with a corresponding user defined facet group query of the at least one user defined facet group query to provide a set of user defined facet groups. An SQL query may be generated for the faceted query using the set of user defined facet groups. Information from the relational database may be retrieved responsive to the SQL query.

Abstract: A method, system and computer program product for retrieving information from a relational database using user defined facets in a faceted query may include receiving a faceted query and receiving at least one user defined facet group query. The method may also include filtering out facets in the faceted query that relate to metadata in the relational database. The method may additionally include associating each remaining facet in the faceted query with a corresponding user defined facet group query of the at least one user defined facet group query to provide a set of user defined facet groups. An SQL query may be generated for the faceted query using the set of user defined facet groups Information from the relational database may be retrieved responsive to the SQL query.