H04L2463/082

Factor health assessment and selection for login at an identity provider
11677750 · 2023-06-13

Users of an identity provider system may be authorized to use a variety of different types of factors from a variety of different factor providers. The identity provider system monitors and analyzes the “health” of the different possible factors available to a user, e.g., their availability relative to error rate. Using the results of the analysis, the identity provider can assess which factors are the most appropriate for a given user seeking authentication and can improve the user experience for the user by emphasizing those most appropriate factors to the user.

Securing access to network devices utilizing two factor authentication and dynamically generated temporary firewall rules

A network security system provides portals which enable automatic creation of a dynamic one-time port forwarding rule for an authorized user's current IP address following two-factor authentication of the authorized user. Such a dynamic one-time port forwarding rule is utilized to set up a connection, at which point the dynamic one-time port forwarding rule is removed, preventing any attacker from subsequently taking advantage of it. Such a methodology is advantageous as compared to conventional port forwarding in that it is much more secure. Such a methodology is advantageous as compared to traditional port forwarding with access control both in that a user does not always have to utilize the same device with a static IP address, and in that the port forwarding rule representing or exposing a potential vulnerability is deleted after a connection is established.

SOFTWARE CREDENTIAL TOKEN PROCESS, SOFTWARE, AND DEVICE

Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received, and after receiving that indication, an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from the user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.

METHOD AND SYSTEM FOR AUTHENTICATING A USER USING BIOMETRICS AND DIGITIZED HANDWRITTEN SIGNATURE
20230177129 · 2023-06-08

A method is provided for authenticating a user using biometrics and digitized handwritten signature. A verification server uses a data identifier to find a corresponding piece of personal identification data. A user uses a biometric stylus and a handwriting input device to create a handwriting pattern; meanwhile, the biometric stylus acquires fingerprint data of the user. The handwriting input device transmits the fingerprint data and the handwriting pattern to the verification server. The verification server verifies the handwriting pattern and the fingerprint data using a handwriting template and a fingerprint template included in the personal identification data thus found, and obtains user identification data for verifying an identity of the user from the personal identification data when the handwriting pattern and the fingerprint data are successfully verified.

METHOD AND SYSTEM FOR PROVIDING LOCATION-AWARE MULTI-FACTOR MOBILE AUTHENTICATION

A method performs location-based multi-factor authentication. The method includes a mobile device that receives a first set of authentication credentials provided by a user, and transmits the first set of authentication credentials to an authentication server, which verifies the first set of authentication credentials. The authentication server transmits verified first factor authentication to the mobile device, which sends a request for second factor authentication to an authentication system; this causes the mobile device to scan identifier information associated with a secure device, the secure device then sending a second set of authentication credentials to the authentication system. The authentication system verifies the second set of credentials and transmits verified second factor authentication to the authentication server, which subsequently grants final authentication based on the verified first factor authentication and the verified second factor authentication.

Actively federated mobile authentication

To make a trusted web service call, a client application sends a series of messages to obtain tokens that allow service requests to pass through a service relay. The user obtains a first security token by providing the user's credentials. A second token is obtained from a trust broker that validates the first token. Both tokens are then sent with a service request to a service relay. The service relay validates the second token and then passes the first token and the service request to a connector service. The connector service validates the first token and passes the service request to a target back end service. The connector service acts as the user when communicating with the back end service. Service responses are routed back to the user through the connector service and the service relay.

Dynamic enrollment using biometric tokenization

Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment system includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches the dynamic biometric reference template.

Prioritizing assets using security metrics

This disclosure describes techniques for identifying the criticality of an asset in a network. In an example method, a first security metric of a first asset in a network, as well as network data that identifies data flows associated with a second asset in the network, are identified. The second asset is a nearest neighbor of the first asset in the network. The method includes determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period, and generating a second security metric of the second asset based on the first security metric and the number of hosts. A security policy of the second asset is adjusted based on the second security metric.

Preventing Unauthorized Access to Secured Information Systems Using Multi-Device Authentication Techniques
20170331817 · 2017-11-16

A computing platform may receive, from a client portal server, a request to authenticate a first user to a first user account. The computing platform may generate a first one-time passcode for a first computing device associated with the first user account and may send, to the first computing device, the first one-time passcode. The computing platform also may generate a second one-time passcode for a second computing device associated with the first user account and may send, to the second computing device, the second one-time passcode. Thereafter, the computing platform may receive first one-time passcode input and second one-time passcode input, which the computing platform may validate. Based on the validating, the computing platform may generate a validation message directing the client portal server to provide the first user with access to the first user account, which the computing platform may send to the client portal server.

HIGHLY SECURE NETWORKED SYSTEM AND METHODS FOR STORAGE, PROCESSING, AND TRANSMISSION OF SENSITIVE PERSONAL INFORMATION
20220358244 · 2022-11-10

A highly secure networked system and methods for storage, processing, and transmission of sensitive information are described. Sensitive, e.g. personal/private, information is cleansed, salted, and hashed by data contributor computing environments. Cleansing, salting, and hashing by multiple data contributor computing environments occurs using the same processes to ensure output hashed values are consistent across multiple sources. The hashed sensitive information is hashed a second time by a secure facility computing environment. The second hashing of the data involves a private salt inaccessible to third parties. The second hashed data is linked to previously hashed data (when possible) and assigned a unique ID. Data dictionaries are created for particular individuals provided access to the highly secure information, e.g. researchers. Prior to a data dictionary being accessible by a researcher computing device, the data dictionary undergoes compliance and statistical analyses regarding potential re-identification of the source unhashed data. The data dictionaries are viewable by researchers as certified views via a secure VPN.