Patent classifications
H04L2463/082
System for dynamic network authentication protocols
A system for implementing and managing network-based, variable authentication protocols receives information relating to a digital monetary transaction. Additionally, the system accesses an initial authentication protocol dataset. The system also generates a variable authentication protocol dataset. The system then communicates the variable authentication protocol dataset to the point-of-sale computer system. The system also receives, from the point-of-sale computer system, authentication tokens. Further, the system validates the authentication tokens in view of the variable authentication protocol dataset. Further still, in response to the validation of the authentication tokens, the system processes the digital monetary transaction.
Providing flexible service access using identity provider
A service provider provides flexible access to services using an identity provider. The service provider is associated with a custom access policy used by the identity provider to authenticate access requests associated with client devices for services of the client system. The custom access policy describes a set of access levels corresponding to variable levels of access to services of the service provider. The identity provider authenticates access requests by client devices using one or more device signals from the client devices. In some embodiments, the identity provider determines a device trust score for the client device using the one or more device signals. The identity provider provides an authentication response to the client system based on the custom access policy. The client system uses the authentication response to determine an access level for the client device from the set of access levels described by the custom access policy.
Authentication scheme in a virtual private network
A method including receiving, by a first server from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating a type associated with the encrypted authentication packet and a crypted payload including one or more encrypted fields; and transmitting, by the first server to the second server, a response based at least in part on determining the type associated with the encrypted authentication packet and on decrypting the one or more encrypted fields. Various other aspects are contemplated.
Credential Translation
Systems and methods for credential translation are described. In some embodiments, an Information Handling System (IHS) may include: a host processor; an embedded controller coupled to the processor; and an off-host authentication processing system coupled to the embedded controller and segregated from the host processor, the off-host authentication processing system further comprising: an off-host processor; and an off-host memory coupled to the off-host processor, the off-host memory having program instructions stored thereon that, upon execution, cause the off-host processor to: receive a certificate from a web-access management server; store the certificate in the off-host memory; and request that a user of the IHS provide a first authentication factor to be associated with the certificate such that, when the first authentication factor is presented to the off-host processor, the certificate is released from the off-host memory.
REMOTELY DEAUTHENTICATING A USER FROM A WEB-BASED APPLICATION USING A CENTRALIZED LOGIN SERVER
Provided is a process including: relaying, with a server at a first domain, at least part of a plurality of application-layer messages between a client web browser and one or more destination servers; determining to terminate subsequent authenticated access by the client web browser; and sending, from the server at the first domain, instructions that cause the client web browser to delete or modify an access token stored in memory of the client web browser.
SOCIAL ACCOUNT RECOVERY
Systems and methods are provided for performing operations including: receiving, via a messaging application of a user device, a request to recover access to an account of a user of the messaging application; accessing a first object corresponding to a first key; receiving, from a first friend of the user on the messaging application, a second object corresponding to a first portion of a second key; receiving, from a second friend of the user on the messaging application, a third object corresponding to a second portion of the second key; deriving the second key based on the second and third objects; and recovering access to the account of the user based on the first key and the second key.
METHOD AND APPARATUS FOR SECURE APPLICATION FRAMEWORK AND PLATFORM
A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.
AUTHENTICATION AND VALIDATION PROCEDURE FOR IMPROVED SECURITY IN COMMUNICATIONS SYSTEMS
A client communications device and method for generating a user message comprising an assertion for verification by a remote server device is described. Payload data for the user message as generated by a secure application resident on the communications device is received. Biometric authentication of the user is performed as a first level security mechanism. If biometric authentication of the user is successful, a digital signature is generated based on the message payload as a second level security mechanism. The digital signature is generated using a private signature key stored in a secure element of the client device. A third level security mechanism is applied by authenticating the user message using a secure application-specific key. In implementations, the digital signature is generated in a secure environment of the client device which has sole access to the secure element after successful biometric authentication. The user message comprising the message payload and the digital signature is generated for sending to the remote server device. The verification may be required during a financial transaction. A corresponding server communications device and method is also described.
Mobile device password management and escrow with keyfob
Physical security methods and equipment are applied to mobile devices that use multi-factor authentication mobile apps. Herein, a password management mobile app physically escrows each encrypted password that must be stored by splitting it into two parts. These are then distributed between two separate, independent physical devices. One of those parts is kept only in a separate user gadget such as a keyfob. Any reconstitution of each password after decryption requires that the user have on hand both the mobile device and the separate user gadget. Such reconstitution is performed one password at a time, and only as needed, and the password is released for use in remote authentication upon entry of a master user password.
SHARED SECURITY STATES
An example device includes a connection engine to establish a secure connection with a second device. The device includes a security engine to determine a shared security state for the first device and the second device based on a security state of the first device and a security state of the second device. The security engine is to detect that a change in the security state of the first device should occur. The security engine is to change the shared security state at the first device. The security engine is to indicate to the second device the change in the shared security state at the first device.