Patent classifications
H04L2463/082
Multi-factor authentication utilizing event data
A method for a two-factor authentication process includes, responsive to determining a first user authentication was prompted in a first application on a first device associated with a user, identifying a second application on a second device based on a user profile associated with the user. The method identifies a first event from a plurality of events that previously occurred in the second application in a select time frame, wherein the first event relates to a first action performed by the user in the second application. The method generates an authentication question based on the first event, wherein the authentication question is a second user authentication. Responsive to determining an answer provided by the user to the authentication question is correct, the method grants access to the first user authentication prompt.
Determination of authentication assurance via algorithmic decay
Disclosed are various embodiments for determining authentication assurance using algorithmic decay. In an embodiment, an authentication request associated with an account is received. At least one historical authentication event associated with the account is determined. A measure of authentication assurance is determined based at least in part on applying an exponential time decay to at least one authentication assurance value individually corresponding to the historical authentication event(s). A response to the authentication request is generated based at least in part on the measure of authentication assurance.
TERMINAL ACCESS GRANT DETERMINATIONS BASED ON AUTHENTICATION FACTORS
According to examples, an apparatus may include a memory on which is stored machine-readable instructions that may cause a processor to receive a user credential from a terminal, in which the user credential is stored in a machine-readable code on a user device and the terminal obtained the machine-readable code from the user device. The processor may also identify at least one authentication factor associated with the user based on the user credential, in which the authentication factor(s) includes a physical location associated with the user and/or a time-based factor. The processor may further determine whether the authentication factor(s) indicates that the user is to be granted access to the terminal and based on a determination that the authentication factor(s) indicates that the user is to be granted access to the terminal, may grant the user access to the terminal.
SECURE ACCESS CONTROL
An access control system includes an access control device and an authentication system. The access control device has an RFID reader for receiving RFID information and at least one other authentication device for receiving authentication information. The authorization system grants or denies access based on the RFID information and the authentication information. The access control device and authorization system are part of a same secure community of interest. A computer implemented method of granting access to a secure zone includes receiving RFID information from an access control device; comparing the RFID information to RFID information already stored; if the RFID information does not match the RFID information already stored, sending a deny access code to the access control device; if the RFID information does match the RFID information already stored, requesting authentication information; receiving authentication information; comparing the authentication information to authentication information already stored; if the authentication information does not match the authentication information already stored, sending a deny access code to the access control device; and if the authentication information does match the authentication information already stored, sending a grant access code to the access control device.
SELF-FEDERATION IN AUTHENTICATION SYSTEMS
Aspects described herein may utilize self-federation in a plugin-based authentication system to support combinations of authentication processes. The authentication system may include a plugin that executes an authentication process that is a combination of two or more other authentication processes. This plugin may handle the combined authentication process by self-federating back to the authentication interface, generating its own authentication requests under each of the subsidiary authentication processes. Thus, the self-federating plugin corresponding to the combined authentication process may allow the authentication system to support authentication requests that indicate the combined authentication process. This “chained” authentication process, accomplished through self-federation, may allow the authentication system to reuse existing code paths and avoid downsides associated with duplication of code.
DEVICE, USER, OR SERVER REGISTRATION AND VERIFICATION
The present disclosure provides systems, devices, methods, and computer-readable media for user, device, or server authentication. A device can include processing circuitry to perform operations comprising generating, by a transducer, biometric data of the user in response to detection of the user performing a non-authentication operation with the device, providing the biometric data to an authentication server for user verification, wherein the authentication server is registered with and verified by the device and the device is registered with and verified by the authentication server, permitting the user access to functionality of the device in response to a results communication from the authentication server indicating the user verification passed, and denying the user access to functionality of the device in response to the results communication from the authentication server indicating that the user verification failed.
CONTACTLESS CARD PERSONAL IDENTIFICATION SYSTEM
A dual-factor PIN based authentication system and method uses a cryptogram provided by a contactless card associated with the client in association with a PIN stored by the contactless card to authenticate the client. In some embodiments, cryptogram authentication may be preconditioned upon a PIN match determination by the contactless card. In other embodiments, the cryptogram may be formed at least in part using the personal identification number (PIN) stored on the contactless card encoded using a dynamic key stored by the contactless card and uniquely associated with the client. Authentication may be achieved by comparing the cryptogram formed using the PIN against an expected cryptogram generated using an expected PIN and an expected dynamic key.
LOGIN AND CONSENT METHODOLOGY THAT FOLLOWS REST PRINCIPLES AND USES THE OAUTH PROTOCOL WITH ATTESTED CLIENTS
Authentication of a user of an OAuth client by an OAuth authorization server, comprising exposing an authentication state machine, where the states of the state machine are hypermedia-based representations of login resources, and transitions between states are represented by hypermedia links, wherein the authentication state machine is exposed to the client by an API adhering to the principles of REpresentational State Transfer (REST). When the final state of the state machine has been reached, a secondary access token is issued to the client, thereby authenticating the user, wherein hypermedia representations which are sent to the client are encoded so as to be readily parsable by the client.
U2F PHYSICAL TOKEN-BASED CENTRALIZED AUTHENTICATION SYSTEM FOR IOT DEVICES
A physical token-based centralized authentication system for IoT devices is provided. The system transfers authentication of the IoT device on the cloud to the IoT gateway for centralized authentication. A user may respond on the IoT gateway via a U2F token to complete authentication of the IoT device. By transferring a kernel of authentication from a large number of scattered single IoT terminals to nodes of the trusted IoT gateway, the system overcomes defects such as numerous IoT devices, limited terminal resources, high authentication cost, and cumbersome operations while enhancing security of the IoT environment, thereby enhancing security of authentication for the IoT environment and improving efficiencies of device authentication and management.
AUTHENTICATION SYSTEM AND AUTHENTICATION METHOD
To enhance convenience in an authentication system using a plurality of types of authentication, a terminal device transmits authentication data, including a face image and a voice of a user and the position of the terminal device, to the server device. The server device uses the received authentication data to perform individual authentications including face authentication, voiceprint authentication, and position adequacy verification. The server device adds up weighted scores of the individual authentications to calculate a comprehensive score. When the comprehensive score exceeds a first threshold, a high security operation is permitted. When the comprehensive score is not higher than the first threshold and exceeds a second threshold, a low security operation is permitted. When performing additional authentication using additional authentication data received from the terminal device, the comprehensive score further includes the additional authentication score, and the high security operation is permitted when the comprehensive score exceeds the first threshold.