H04L63/0846

Method and system for securely authenticating a user by an identity and access service using a pictorial code and a one-time code
11363014 · 2022-06-14

The present invention comprises scanning, by a mobile device of the user, a QR code generated by a server application when the user requests access to a secure web portal and generating, within a client application, a login code which is used to authenticate the user within an authentication service and then being redirected to the requested portal.

Secure authentication of a user

A device detects a communication involving a user associated with an account and a service representative, and sends, to a user device associated with the account, an authentication notification that causes the user device to display an authentication field for the user. The device sends, to a service representative device associated with the service representative, a message that indicates that the service representative is to request, via the communication, the user to enter personal information associated with the user into the authentication field, where the user device is configured to generate a first authentication code based on a user input received from the user device in the authentication field. The device generates a second authentication code based on personal information associated with the account from a data structure, receives the first authentication code, and performs an action based on the first authentication code and the second authentication code.

Dynamic code injection by policy enforcement point

An example method facilitates dynamic runtime execution of computer code that is selectively injected into messages in accordance with predetermined configuration rules for automatic execution at a message destination. The injection of code into messages, such as messages exchanged during an authenticated computing session, by a policy enforcement system can be used to efficiently enhance computing environment security and computing resource use. For example, in a specific embodiment, code for detecting a browser-close event and then terminating a computing session can be automatically executed client side via a browser extension or plugin, thereby helping to eliminate the accumulation of stale computing sessions and mitigating the associated security risks and computing resource consumption of stale computing sessions. In another example embodiment, injected code encrypts session cookies, such as via a Time-based One-Time Password (TOTP).

Filter for suspicious network activity attempting to mimic a web browser
11356415 · 2022-06-07

A method and system for detecting impersonated network traffic by a protected computing device and a network protection system. The method includes the computing device receiving installation of a browser application, the browser application configured to generate requests to communicate with other computers via the World Wide Web and receiving a configuration for the browser application. The browser application is configured to obtain a short-lived password (SLP) in coordination with generating a request and insert the short-lived password into the generated request before transmitting the request. The SLP is synchronized with an expected value generated by the network protection system. The transmitted request is passed to the network protection system and treated as legitimate network traffic by the network protection system only if the network protection system detects and verifies the SLP.

GRADUAL PASSWORD ROLLOVER

A rollover system is provided to facilitate transitioning of client devices in a shared account network environment from an old password to a new replacement password. The switching of passwords may take place gradually during a rollover period for client devices without requiring downtime, reducing the risk of lockouts. During the rollover period, the prior salt is temporarily carried over to a new verifier for the replacement password. Two new verifiers are generated: a temporary new verifier using the old salt for verification during the rollover period, and another new verifier using a different new salt for verification after the rollover period has expired. During the rollover period, authentication uses either the temporary new verifier with the old salt or the old verifier and old salt of the prior password. After the rollover period, authentication is based on the new verifier with the new salt.

Instant enforcement of centrally configured IT policies

Managing an authenticated user session. A method includes a resource provider computer system subscribing to a conditional access termination service for an entity configured to obtain resources from the resource provider computer system through a user session. The resource provider computer system receives an event, related to resource requests, for the entity from the conditional access termination service. The resource provider computer system receives a request for resources from the entity. The resource provider computer system evaluates the request with respect to the event. The resource provider computer system responds to the request based on evaluating the request with respect to the event.

Electronic lockbox with schedule controlled access credentials
11348391 · 2022-05-31

An electronic lockbox control system allows visiting agents (such as “showing agents” in a real estate sales situation) to make an appointment to visit a property that is protected by an electronic lockbox, using a time-sensitive authorizing credential that is provided by a central computer; and then, if that visiting agent is delayed because of an earlier appointment, the central computer can automatically create a new time-sensitive authorizing credential that is time-shifted, so that the visiting agent can later visit that remote property and obtain access to that lockbox at the later, time-shifted appointment time. Another interested party (e.g., a homeowner) can decline that later, time-shifted appointment. The visiting agent can carry a smart phone with a GPS receiver, and the central computer can use his GPS coordinates to calculate his physical position and his travel time to the next lockbox location in order to automatically create the new, time-shifted appointment time.

Systems and methods for initiating an authenticated session
11741201 · 2023-08-29

A server comprises a communications module; a processor coupled with the communications module; and a memory coupled to the processor and storing processor-executable instructions which, when executed by the processor, configure the processor to send, via the communications module and to a remote computing device, a signal causing the remote computing device to display a unique code and a telephone number; monitor at least one instant messaging account associated with the telephone number for the unique code; after determining that the unique code has been received at the at least one instant messaging account associated with the displayed telephone number, determine that authentication for a particular account has been successful; and in response to determining that authentication for the particular account has been successful, initiate an authenticated session.

MULTI-FACTOR AUTHENTICATION PROVIDING A CREDENTIAL VIA A CONTACTLESS CARD FOR SECURE MESSAGING
20230269584 · 2023-08-24

Exemplary embodiments may use a contactless card as a secondary form of authentication in a multi-factor authentication for a secure messaging service. The recipient party of a request to initiate a messaging service session (such as a server computing device) may be programmed to use the phone number of the originating device to look up records regarding the identity of a party and their associated phone number as a primary credential, and then may require an authentication credential originating from the contactless card as a secondary credential for the initiating party. In some instances, the credential originating from the contactless card is a one-time password that is valid only for a period of time. The recipient party determines whether the one-time password is valid. If both credentials are valid, a secure messaging session may be initiated with the initiating party.

Security credential revocations in a cloud provider network

Techniques are described for enabling software applications to obtain temporary security credentials used to interact with a cloud provider network and, upon the revocation of an active set of temporary security credentials used by an application (e.g., due to concerns about the temporary credential's potential exposure to one or more unauthorized third parties), to readily obtain new temporary security credentials that the application can use to continue operation with minimal interruption. The temporary security credentials can be used, for example, to enable the cloud provider network to authenticate requests sent by software applications or users to various services or other components of the cloud provider network. An operator of a cloud provider network may provide a software development kit (SDK) that application developers can use to incorporate functionality related to the management of temporary security credentials.