Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

REVOKING SESSIONS USING SIGNALING

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Discovering and disambiguating identity providers

Systems, methods, and computer-readable storage media are provided for discovering and disambiguating identity providers such that user knowledge of appropriate identity providers is minimized. Users are presented with options for selecting appropriate providers only when multiple providers have user profiles matching a user identifier. When users are presented with options for selecting appropriate providers, providers that have user profiles matching the identifier are identified utilizing identity information for the application that utilizes the identity provider for its users rather than information identifying the identity provider itself. Where it is determined that no identity provider has a user profile associated with the user identifier (or where it is determined that a particular identity provider would generally be appropriate to be utilized with the user identifier), the opportunity for users to create an authentication account with one or more identity providers or to retry ...

Extraction and representation of three-dimensional (3D) and bidirectional reflectance distribution function (BRDF) parameters from lighted image sequences

Methods and systems are provided that use images to determine lighting information for an object. A computing device can receive an image of the object. For a pixel of the image, the computing device can: apply a first lighting model to determine a first estimate of a bi-directional lighting function (BRDF) for the object at the pixel, apply a second lighting model to determine a second estimate of the BRDF for the object at the pixel, determine a third estimate of the BRDF based on the first and second estimates, and store the third estimate of the BRDF in lighting-storage data. The computing device can provide the lighting-storage data. The BRDF can utilize a number of lighting parameters, such as a normal vector and albedo, reflectivity, and roughness values.

Restricting Access to Public Cloud SaaS Applications to a Single Organization

Allowing an entity managed device to access a tenant associated with the e on a public cloud service while preventing the device from accessing one or more other tenants on the cloud service. A method includes, at the cloud service, obtaining policy from the entity with respect to tenant access. The method further includes, at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service. The method further includes granting or denying the access request based on the policy obtained from the entity. 1. In a computing environment , a system , the system comprising:one or more processors; and at the cloud service, obtaining policy from the entity with respect to tenant access;', 'at the cloud service, receiving a request from the entity managed device to access a tenant at the cloud service; and', 'granting or denying the access request based on the policy obtained from the entity., 'one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to allow an entity managed device to access a tenant associated with the entity on a cloud service while preventing the device from accessing one or more other tenants on the cloud service, including instructions that are executable to configure the computer system to perform at least the following2. The system of claim 1 , wherein granting or denying the access comprises either issuing or preventing issuance of tokens to devices requesting access to tenants at the cloud service.3. The system of claim 1 , wherein the policy specifies URL filtering conditions identifying at least one of allowed tenants or denied tenants.4. The system of claim 1 , wherein obtaining policy from the entity comprises obtaining policy injected into a header of the request from the entity managed device to access a tenant at the cloud service.5. The system of claim 4 , wherein the policy was injected into the ...

FLEXIBLE AUTHENTICATION FOR ONLINE SERVICES WITH UNRELIABLE IDENTITY PROVIDERS

A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.

ENABLING PAID-FOR EXCHANGE OF IDENTITY ATTRIBUTES WITH MINIMAL DISCLOSURE CREDENTIALS

The claimed subject matter provides a system and method for enabling paid-for exchange of identity attributes with minimal disclosure credentials. An exemplary method includes requesting a credential from an identity provider by one of a user or a credential agent. The credential may be presented to a relying party, and the presented credential may be verified. Based on verification of the presented credential, a service of the relying party may be accessed by the user. The user, the relying party, a neutral third party, or the credential agent may provide payment for the credential to the identity provider, and the identity provider is unable to determine whether, where, when or by whom the credential has been used. 1. A method for enabling paid-for exchange of identity attributes with minimal disclosure credentials , comprising:requesting a credential from an identity provider by one of a user or a credential agent;presenting the credential to the relying party;verifying the presented credential;accessing a service of the relying party by the user based on verification of the presented credential; andproviding payment from the user, the relying party, a neutral third party, or the credential agent for the credential to the identity provider, wherein the identity provider is unable to determine whether, where, when or by whom the credential has been used.2. The method recited in claim 1 , wherein the relying party has a subscription with the identity provider and the identity provider provides a number of keys to the relying party that are used to verify a presented credential.3. The method recited in claim 1 , wherein the relying party presents the credential to the identity provider for verification claim 1 , and the relying party provides payment to the identity provider for each verification.4. The method recited in claim 1 , comprising presenting the credential to the relying party by satisfying additional security measures provided by a device or a remote ...

ORCHESTRATION OF WEB NOTIFICATIONS

The present invention extends to methods, systems, and computer program products for orchestrating notifications between identity platforms and relying parties. Embodiments enable identity platforms to ensure that users consistently receive notifications, even when the identity platforms lack knowledge of which relying parties are notification capable and which relying parties are incapable of notification. Embodiments include an identity platform generating a frameset having a first content frame for displaying a notification and a second content frame for displaying a relying party web page. When the relying party is notification capable, the relying party web page includes functionality for removing the frameset established by the frameset and displaying the notification within the context of the relying party web page. When a client renders the frameset, the client retrieves and renders the relying party web page, removing the frameset and displaying the notification as directed by the relying party. 1. At a computer system including one or more processors and system memory , the computer system also including a network interface for network communication with other computer systems , a method for efficiently orchestrating notification with an identity platform by ensuring that a client receives a notification despite whether or not the identity platform also provides the notification , the method comprising:an act of receiving a request from a client computer system for web page content of a relying party, the request associated with a user at the client computer system gaining access to the relying party through the identity platform;an act of determining that a notification exists for the user; frame removal functionality, the frame removal functionality configured to cause the client computer system to remove any frameset established by the identity platform which divides a display window at the client computer system into content portions, and to instead ...

HOME REALM DISCOVERY IN MIXED-MODE FEDERATED REALMS

The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface. 1. A computer program product comprising one or more computer storage media having thereon computer-executable instructions that are structured such that , when executed by one or more processors of a computing system , cause an application to perform a method for authenticating identities within a realm in which some identities are authenticated using direct authentication , and some identities are authenticated using federated authentication , the method comprising:an act of responding to requests for service from valid identities in the realm that are to be authenticated by direct authentication with a direct authentication interface;an act of responding to requests for service from valid identities in the realm that are to be authenticated by federated authentication with a federated authentication interface; andan act of responding to requests for service from invalid identities pseudo-randomly with either the direct authentication interface or the federated authentication interface.2. The computer program product in accordance with claim 1 , wherein the method is performed by a service provider or application.3. The computer program product in accordance with claim 2 , wherein the federated authentication interface prompts a user to negotiate authentication with a third- ...

EFFICIENTLY THROTTLING USER AUTHENTICATION

In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination. 1. At an authentication server computer system including at least one processor and a memory , in a computer networking environment including a plurality of computing systems , a computer-implemented method for efficiently authenticating users while preventing enumeration attacks , the method comprising:an act of receiving user login credentials from a user, the user login credentials including a user identifier and a password; determining that the user identifier does not match any existing user account;', "determining that the user identifier matches at least one existing user account, but the user's account is in a locked state; and", "determining that the user identifier matches at least one existing user account, but the user's password does not match the user identifier; and"], 'an act of making at least one of the following determinationsan act of returning to the user the same response message regardless of which determination is made, the response message indicating that the user's login credentials are invalid, wherein the response message prevents the user ...

HOME REALM DISCOVERY IN MIXED-MODE FEDERATED REALMS

The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface. 1. A computer program product comprising one or more hardware storage devices having thereon computer-executable instructions that are structured such that , when executed by one or more processors of a computing system , cause the computer system to perform a method for authenticating identities within a mixed realm in which some identities are authenticated using direct authentication , and some identities are authenticated using federated authentication , the method comprising:an act of receiving a request for service from an identity within a mixed authentication realm; and when the identity is determined to be valid and the identity is a direct authentication identity, an act of responding to the request for service with a direct authentication interface, the direct authentication interface enabling entry of a direct authentication credential for the identity; and', 'when the identity is determined to be valid and the identity is a federated authentication identity, an act of responding to the request for service with a federated authentication interface, the federated authentication interface enabling entry of a federated authentication credential for the identity., 'an act of determining whether the identity is a valid identity within the realm, and'}2. The computer program ...

Security configuration lifecycle account protection for minors

Described technologies enhance cybersecurity and facilitate computing system account usage by configuring a primary account and a supplementary account together in a security configuration lifecycle. The primary account user may be a parent or other adult, while the supplementary account user may be a child or other person with less capacity than the primary user. Over time, the accounts may transition together through security configurations to give more capabilities to the supplementary user, e.g., login separate from the primary user, and to reduce the control of the primary user over the supplementary account. Security configuration lifecycle stages are implemented, e.g., using capability-security pair data structures and account security configuration code. Despite the security configuration linkage of the accounts, each account may have its own personalized content and its own recommendation history. Lifecycle position identification supports automatic reasoning to select an age-appropriate consent obtention procedure, and facilitates documentary media timeline creation.

Home realm discovery with flat-name usernames

Methods, systems, apparatuses, and computer program products are provided for automatically determining a home realm. An authentication request receiver interface may receive a request to access a resource and a device identifier from a client device. An authenticator may be enacted in response to receiving the request to access the resource that includes a home realm discoverer and an authentication user interface (UI) provider. The home realm discoverer may determine, based at least on the device identifier, the home realm from a plurality of realms. The authentication UI provider may provide, to the client device, an authentication UI via which a flat-name username can be submitted. Based at least on a flat-name user name and the determined home realm, access to the resource may be granted. In this manner, a user may input a flat-name username during sign-in, rather than inputting a realm or an entire e-mail address.

System and Related Methods for Reducing the Resource Consumption of a Convolutional Neural Network

A computer-implemented method for reducing the resource consumption of a convolutional neural network can include obtaining data descriptive of the convolutional neural network. The convolutional neural network can include a plurality of convolutional layers configured to perform convolutions using a plurality of kernels that each includes a plurality of kernel elements. The method can include training, for one or more training iterations, the convolutional neural network using a loss function that includes a group sparsifying regularizer term configured to sparsify a respective subset of the kernel elements of the kernel(s); following at least one training iteration, determining, for each of the kernel(s), whether to modify such kernel to remove the respective subset of the kernel elements based at least in part on respective values of the respective subset of kernel elements; and modifying at least one of the kernel(s) to remove the respective subset of the kernel elements. 1. A computer-implemented method for reducing the resource consumption of a convolutional neural network , the method comprising:obtaining, by one or more computing devices, data descriptive of the convolutional neural network, wherein the convolutional neural network comprises a plurality of convolutional layers configured to perform convolutions using a plurality of kernels, each of the plurality of kernels comprising a plurality of kernel elements;training, by the one or more computing devices for one or more training iterations, the convolutional neural network using a loss function that comprises a group sparsifying regularizer term configured to sparsify a respective subset of the kernel elements of each of one or more kernels of the plurality of kernels of the convolutional neural network;following at least one training iteration, determining, by the one or more computing devices, for each of the one or more kernels, whether to modify such kernel to remove the respective subset of the ...

Signing in to multiple accounts with a single gesture

Methods, systems and computer program products are provided for signing into multiple accounts with a single gesture. Multiple sessions may be generated for multiple user identities based on a single authentication gesture, such as providing a phone number or email and a texted or emailed one-time code or providing a fast online identity (FIDO) key and an unlock gesture. Resources, such as applications, need not, but may be multi-identity aware to support signing into multiple accounts with a single gesture. Users may utilize their multiple identities without any additional sign-ins. Resources or session managers may receive multiple session artifacts concurrently or separately without additional sign-ins. Resources may indicate a capability to receive multiple session artifacts, for example, in registration or call parameters. Multiple identities may be revealed only after verification, for example, to prevent divulging identities to third parties aware of usernames such as phone numbers and email addresses.

Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

COMMUNICATING STATE INFORMATION TO LEGACY CLIENTS USING LEGACY PROTOCOLS

When a user account is in an alternate (fault) state, communication or sync between an application provider and a device or client application typically is interrupted. When parties do not support rich fault messaging, communication of the reason for the interruption and remediation steps has been impossible. An application server provides rich fault messaging using applications that do not provide explicit error messaging and protocols that do not provide explicit error messaging without changing either the application or the protocol by additional interactions between an identity provider and the application server. The application server uses authentication state information provided by the identity server to generate a notification sync event that appears to the application and the protocol to be a normal sync event. The notification sync event is used to provide the user with information needed to determine what the problem with the account is and how to fix it. 1. A system comprising:at least one processor of an application server computing device;a memory of the application server computing device; and receive authentication evaluation state information from an identity provider in response to unsuccessful authentication of a user of a client device, wherein credentials received by the identity provider for the user are valid but the client device is in an alternate state in which full synchronization is prevented; and', "send a notification message to a client application executing on the client device, usurping the client application's existing synchronization mechanism, the notification message comprising information identifying a cause of the unsuccessful authentication of the user."], 'at least one module loaded into the memory causing the at least one processor to2. The system of claim 1 , further comprisingsending a notification message to the client application usurping the client application's existing synchronization mechanism, the notification ...

Control of casting to a media renderer

A method and system for controlling casting to a media renderer is provided. A casting control system receives from a requesting device a request to cast media to the media renderer. In response to receiving the request, the casting control system identifies a gatekeeper for the media renderer and notifies the gatekeeper that a request has been received to cast media to the media renderer. After the casting control system receives from the gatekeeper an indication to grant or deny the request, the casting control system allows or denies the casting of the media to the media renderer.

Efficiently throttling user authentication

In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

GLOBAL SIGN-OUT ON SHARED DEVICES

Heuristics can be used to determine if an alternate behavior is desired on a particular mobile device to enable one-touch sign-out. The alternate behavior can be the appearance of a sign-out experience and mechanism. For example, instead of a “sign out” link appearing, an “end of shift” link can be displayed. Heuristics can be used to determine if a particular mobile device is a shared device. If the device is a shared device, this information can be made discoverable to mobile applications (e.g. by including a “shared device” flag in authentication tokens). When a mobile application finds the shared device flag indicates the device is shared, the “Sign-out” link for the mobile application can be replaced with an “End my shift” link. In response to a user clicking on the link, a global sign out can delete session artifacts on the device and/or on the server. Refresh tokens can be revoked to ensure that a user is signed out of third party mobile applications. 1. A computing device for enabling global sign-out comprising:a memory connected to at least one processor, the at least one processor configured to change the behavior of a mobile application on a shared device by:determining by heuristics that a device is a shared device; andin response to a sign-out gesture performing a global sign out.2. The computing device of claim 1 , wherein the heuristics are based on an identity of a user.3. The computing device of claim 1 , wherein the heuristics are based on characteristics of the device.4. The computing device of claim 1 , wherein the heuristics are based on a network connection type.5. The computing device of claim 1 , wherein the heuristics are based on a location of the device.6. The computing device of claim 1 , further comprising:replacing sign out behavior with global sign out behavior.7. The computing device of claim 1 , wherein the global sign out behavior comprises deleting shared session state artifacts.8. The computing device of claim 1 , wherein global ...

Suspicious credential change detection and mitigation

Suspicious credential changes are automatically detected and mitigated. A comparison of data surrounding user-account credential changes with suspicious change patterns forms a basis for detecting suspicious credential changes. More particularly, if a credential change substantially matches a known suspicious change pattern, the credential change can be flagged as suspicious. After a credential change is determined to be suspicious, one or more mitigation activities can be triggered to allay adverse effects associated with a suspicious credential change.

SYSTEM AND METHOD FOR AUTHENTICATION SESSION TRANSFER USING APPLICATION DOWNLOAD LINKS

Methods for authentication session transfer using application download links are performed by systems and devices. A user or administrator at a first device enables the user to use an application at the user's mobile device. The user or administrator provides a request for the mobile application from the first device to an identity service. The identity service generates a uniform resource locator (URL) that encodes an authentication object generated by the identity service that is specific to the user's identity, and provides the URL to the mobile device. The identity service receives the authentication object back from a browser session of the URL at the user device, and establishes an authenticated browser session of the URL using the authentication object. The identity services authenticates the user's identity for the mobile application responsive to the mobile application invoking the authenticated browser session at the user device. 1. A system , comprising:a processing system comprising one or more processors; and [ receive information associated with a user that includes at least one identifier; and', 'generate an authentication object associated with an identity of the user;, 'an object generator configured to, generate a first URL that encodes the authentication object; and', 'provide the first URL to a device associated with the user; and, 'a uniform resource locator (URL) generator configured to, receive the authentication object from the device associated with the user subsequent to the first URL being provided and via a first browser session that is instantiated responsive to activation of the first URL at the device associated with the user; and', 'authenticate the identity of the user for a software application based on the authentication object being received., 'an authenticator, associated with the first URL, configured to], 'a memory configured to store program code to be executed by the processing system, the program code including2. The system ...

EXTENDED DOMAIN PLATFORM FOR NONMEMBER USER ACCOUNT MANAGEMENT

A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege. 1. A system for managing multiple domain platforms including first and second domain platforms separated from each other , the first domain platform configured to grant a first user access privilege to user accounts registered to the first domain platform , the second domain platform configured to grant a second user access privilege to user accounts registered to the second domain platform , the first user access privilege including a first privilege that is unavailable to user accounts not registered to the first domain platform , the second user access privilege including a second privilege that is available to the user accounts registered to the first domain platform but is otherwise unavailable to users not registered to the first domain platform , the system comprising:a processor; and receiving, from a first user, identification information of a second user added to a communication session;', 'determining whether the first user is registered to the first domain platform;', 'determining, based on the received identification information, whether the second user is registered to the first domain ...

Resource-based selection of identity provider

The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Learning neural network structure

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for training neural networks. In one aspect, a system includes a neural network shrinking engine that is configured to receive a neural network being trained and generate a reduced neural network by a shrinking process. The shrinking process includes training the neural network based on a shrinking engine loss function that includes terms penalizing active neurons of the neural network and removing inactive neurons from the neural network. The system includes a neural network expansion engine that is configured to receive the neural network being trained and generate an expanded neural network by an expansion process including adding new neurons to the neural network and training the neural network based on an expanding engine loss function. The system includes a training subsystem that generates reduced neural networks and expanded neural networks.

Extraction and Representation of Three-Dimensional (3D) and Bidirectional Reflectance Distribution Function (BRDF) Parameters from Lighted Image Sequences

Methods and systems are provided that use images to determine lighting information for an object. A computing device can receive an image of the object. For a pixel of the image, the computing device can: apply a first lighting model to determine a first estimate of a bi-directional lighting function (BRDF) for the object at the pixel, apply a second lighting model to determine a second estimate of the BRDF for the object at the pixel, determine a third estimate of the BRDF based on the first and second estimates, and store the third estimate of the BRDF in lighting-storage data. The computing device can provide the lighting-storage data. The BRDF can utilize a number of lighting parameters, such as a normal vector and albedo, reflectivity, and roughness values.

INTEGRATED CONSENT SYSTEM

A system for creating an account with an identity provider. The system receives a request to create an identity provider account with the identity provider for use in logging onto a third-party system. The system generates one or more display pages for providing an integrated-consent user experience. The integrated-consent user experience includes a display page for collecting both new-account information and scope-of-consent information whereby a user consents to share information with the third-party system. After the user provides the new-account information that includes user credentials for the identity provider account and consents to share account information of the identity provider account with the third-party system, the system creates the identity provider account for the user. When the user subsequently signs in to the third-party system using the user credentials for the identity provider account, the third-party system accesses account information of the identity provider account based on the scope-of-consent information. 1. A method performed by a computing system for creating an account for a user with an identity provider , the method comprising:receiving a request to create an identity provider account with the identity provider for use in logging onto a third-party system;generating one or more display pages for providing an integrated-consent user experience that includes at least one of the one or more display pages for collecting both some new-account information and scope-of-consent information for consenting to share account information with the third-party system; andafter the user provides the new-account information that includes user credentials for the identity provider account and a scope of consent to share account information of the identity provider account with the third-party system, creating for the user the identity provider account and recording an indication of the scope of consentwherein the user subsequently signs in to the ...

Protecting against malicious discovery of account existence

A sign-in system can be protected against enumeration attacks while providing an improved sign-in experience for legitimate users by disclosing whether or not an account exists. An account within a specified domain can be identified by an account identifier such as a username. Before a threshold throttling value is reached, account existence/non-existence information can be provided in response to an access request. In response to reaching or exceeding a specified threshold throttling value, account existence/non-existence information can cease to be provided. Entering a valid account identifier/authenticating credential credentials pair provides access to the computer system regardless of whether or not the threshold was reached or exceeded or not reached.

ALTERING DEVICE BEHAVIOR WITH LIMITED PURPOSE ACCOUNTS

A limited purpose account can be provided to a legitimate user to avoid some types of anti-abuse mechanisms from being triggered when the user connects to an identity verifier using a username known to belong to a limited purpose account. A limited purpose account is an account in which certain privileges of ordinary use are disabled or curtailed. A limited purpose account may be an account that can only be used with a limited number of applications or for a limited amount of time, thus reducing the ability of the limited purpose user to gain unauthorized access to resources. The operating system can reset itself to a previous state when the account is disconnected or when the device is turned off. 1. A computing device for enabling limited purpose accounts comprising:an operating system for processing limited purpose accounts loaded into a memory;the memory connected to a processor, the processor configured to:send a request for connection to an identity verifier, the request comprising a username associated with a limited purpose account, the limited purpose account comprising an account for which anti-abuse logic applied to the account is altered; andin response to receiving a notification from the identity verifier indicating the account is a limited purpose account, automatically shutting down the computing device when a configurable period of time has elapsed.2. The computing device of claim 1 , wherein limited purpose account usernames are provided to the identity verifier by a user of the computing device.3. The computing device of claim 2 , wherein the user is a manufacturer of the computing device.4. The computing device of claim 1 , wherein limited purpose account usernames are determined by inclusion of a limited purpose domain name in the username maintained by the identify verifier.5. The computing device of claim 1 , wherein changes to settings of the operating system are not made to the operating system during first run logic.6. The computing device ...

METHODS FOR PROVISIONING AND MANAGEMENT OF GAMER ACCOUNTS FOR E-TOURNAMENTS

Authenticating an E-tournament identity using personal identity credentials. A method includes determining that a gaming device is configured for use in an E-tournament. The method further includes receiving from the device, user personal identity credentials. As a result, the method further includes, signing in to an E-tournament identity using the personal identity credentials. 1. A computer system comprising:one or more processors; andone or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to authenticating an E-tournament identity using personal identity credentials, including instructions that are executable to configure the computer system to perform at least the following:determine that a gaming device is configured for use in an E-tournament;receive from the device, user personal identity credentials; andas a result, sign in to an E-tournament identity using the personal identity credentials.2. The computer system of claim 1 , wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to configure the gaming device for use in the E-tournament using mobile device management.3. The computer system of claim 1 , wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to apply non-competition advantageous attributes of the personal identity to the E-tournament identity.4. The computer system of claim 1 , wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to apply approved attributes of the personal identity to the E-tournament identity.5. The computer system of claim 1 , wherein the one or more computer-readable media ...

DISCOVERING AND DISAMBIGUATING IDENTITY PROVIDERS

Systems, methods, and computer-readable storage media are provided for discovering and disambiguating identity providers such that user knowledge of appropriate identity providers is minimized. Users are presented with options for selecting appropriate providers only when multiple providers have user profiles matching a user identifier. When users are presented with options for selecting appropriate providers, providers that have user profiles matching the identifier are identified utilizing identity information for the application that utilizes the identity provider for its users rather than information identifying the identity provider itself. Where it is determined that no identity provider has a user profile associated with the user identifier (or where it is determined that a particular identity provider would generally be appropriate to be utilized with the user identifier), the opportunity for users to create an authentication account with one or more identity providers or to retry with a different user identifier is provided. 1. One or more computer-readable storage media storing computer-useable instructions that , when used by one or more computing devices , cause the one or more computing devices to perform a method for discovering and disambiguating identity providers , the method comprising:receiving a single user identifier;placing one or more Application Programming Interface (API) calls to perform discovery on the user identifier against a plurality of identity providers to determine if any identity providers of the plurality have an identity profile that matches the user identifier; andif it is determined that a single identity provider of the plurality has a user profile that matches the user identifier, providing redirect instructions for authenticating against the single identity provider;if it is determined that multiple identity providers of the plurality have a user profile that matches the user identifier, providing instructions for rendering ...

SYNCHRONIZING CREDENTIAL HASHES BETWEEN DIRECTORY SERVICES

The subject disclosure is directed towards securely synchronizing passwords that are changed at a source location (e.g., an on-premises directory service) to a target location (e.g., a cloud directory service), so that the same credentials may be used to log into the source or target location, yet without necessarily having each domain controller handle the synchronization. The plaintext password is not revealed, instead using hash values computed therefrom to represent the password-related data. The target may receive a secondary hash of a primary hash, and thereby only receive and store a password blob. Authentication is accomplished by using the same hashing algorithms at the target service to compute a blob and compare against the synchronized blob. Also described are crypto agility and/or changing hashing algorithms without requiring a user password change. 1. In a computing environment , a method comprising , receiving a hash value computed based upon a plaintext password , in which the hash value was computed in response to a password change event at a source service , and exporting data that corresponds to the hash value to a target service to synchronize the data that corresponds to the hash value to the target service for use in identity authentication.2. The method of wherein the hash value is computed with a primary hashing algorithm claim 1 , and further comprising claim 1 , secondarily hashing the hash value into a secret-protected blob using a secondary hash algorithm to compute the data that corresponds to the hash value for exporting to the target service.3. The method of wherein secondarily hashing the hash value into the secret-protected blob comprises using random salt and a number of iterations.4. The method of wherein receiving the hash value comprises requesting change data from a directory service.5. The method of further comprising parsing the change data into password change data comprising the hash value.6. The method of further comprising ...

TRAINING NEURAL NETWORKS USING CONSISTENCY MEASURES

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for training a neural network using consistency measures. One of the methods includes processing a particular training example from a mediator training data set using a first neural network to generate a first output for a first machine learning task; processing the particular training example in the mediator training data set using each of one or more second neural networks, wherein each second neural network is configured to generate a second output for a respective second machine learning task; determining, for each second machine learning task, a consistency target output for the first machine learning task; determining, for each second machine learning task, an error between the first output and the consistency target output corresponding to the second machine learning task; and generating a parameter update for the first neural network from the determined errors. 1. A method for training a first neural network having a plurality of first network parameters to perform a first machine learning task , the method comprising:obtaining a mediator training data set comprising a plurality of unlabeled training examples;processing a particular training example in the mediator training data set using the first neural network to generate a first output for the first machine learning task;processing the particular training example in the mediator training data set using each of one or more second neural networks, wherein each second neural network is configured to process the particular training example to generate a second output for a respective second machine learning task that is different from the first machine learning task;determining, for each second machine learning task and from the second output of the corresponding second neural network, a consistency target output for the first machine learning task that would be consistent with a relationship between outputs for ...

Optimized sign out for single account services

An identity provider IP service provides an optimized sign out experience for a user accessing a single account service. The IP service designates a first account of a service as signed in based on first credentials provided by a user. The IP service provides a first security token for the first account to the service. Upon receiving a first sign out notification, the IP service determines whether the user wants to switch to a second account of the service. Upon determining that the user wants to switch to the second account, the IP service designates the second account as signed in based on second credentials provided by the user, provides a second security token for the second account to the service, and designates the first account as soft signed out so that the user can switch to the first account without re-providing the first credentials.

SYNCHRONIZING CREDENTIAL HASHES BETWEEN DIRECTORY SERVICES

The subject disclosure is directed towards securely synchronizing passwords that are changed at a source location (e.g., an on-premises directory service) to a target location (e.g., a cloud directory service), so that the same credentials may be used to log into the source or target location, yet without necessarily having each domain controller handle the synchronization. The plaintext password is not revealed, instead using hash values computed therefrom to represent the password-related data. The target may receive a secondary hash of a primary hash, and thereby only receive and store a password blob. Authentication is accomplished by using the same hashing algorithms at the target service to compute a blob and compare against the synchronized blob. Also described are crypto agility and/or changing hashing algorithms without requiring a user password change. 1. In a computing environment , a method comprising , receiving a hash value computed based upon a plaintext password , in which the hash value was computed in response to a password change event at a source service , and exporting data that corresponds to the hash value to a target service to synchronize the data that corresponds to the hash value to the target service for use in identity authentication.2. The method of wherein the hash value is computed with a primary hashing algorithm claim 1 , and further comprising claim 1 , secondarily hashing the hash value into a secret-protected blob using a secondary hash algorithm to compute the data that corresponds to the hash value for exporting to the target service.3. The method of wherein secondarily hashing the hash value into the secret-protected blob comprises using random salt and a number of iterations.4. The method of wherein receiving the hash value comprises requesting change data from a directory service.5. The method of further comprising parsing the change data into password change data comprising the hash value.6. The method of further comprising ...

Synchronizing credential hashes between directory services

The subject disclosure is directed towards securely synchronizing passwords that are changed at a source location (e.g., an on-premises directory service) to a target location (e.g., a cloud directory service), so that the same credentials may be used to log into the source or target location, yet without necessarily having each domain controller handle the synchronization. The plaintext password is not revealed, instead using hash values computed therefrom to represent the password-related data. The target may receive a secondary hash of a primary hash, and thereby only receive and store a password blob. Authentication is accomplished by using the same hashing algorithms at the target service to compute a blob and compare against the synchronized blob. Also described are crypto agility and/or changing hashing algorithms without requiring a user password change.

TWO-FACTOR AUTHENTICATION

Systems, methods, and computer-readable storage media are provided for authenticating users to secure services or apps utilizing reversed, hands-free and/or continuous two-factor authentication. When a user desires to access a secure service or app for which s/he is already registered, the user, having a registered mobile computing device in proximity to his or her presence, comes within a threshold distance of a computing device that includes the desired secure service or app. The computing device authenticates the particular mobile computing device as associated with the particular registered user that utilized that mobile device during registration. Subsequent to such device authentication, the user is able to login to the service or app by simply providing his or her user credentials at a login form associated therewith. Two-factor authentication in accordance with embodiments hereof is more secure and more efficient that traditional authentication methodologies. 1. A reverse two-factor authentication system comprising:a processor;a computer storage medium comprising computer executable instructions embodied thereon that when executed by the processor configure the system to:detect, at a first time instance, that a first computing device is within a threshold distance of a second computing device, the second computing device including a service or app for which authentication is required;determine that the first computing device is associated with at least one device authentication credential indicating that the first computing device was utilized by a registered user upon registering for access to the service or app;receive the at least one device authentication credential;after receiving the at least one device authentication credential, receive at least one user credential associated with a user of the second computing device;verify that the at least one user credential is associated with the registered user; andpermit the user of the second computing device ...

PERSONAL IDENTIFIER SIGN-IN FOR ORGANIZATIONAL USERS

A method and system performed by a computing system for signing in using personal identifiers input via a sign-in portal that supports multiple tenants is provided. The system receives a sign-in request for a user that includes a personal identifier. The personal identifier uniquely identifies a person but does not include an identification of a tenant. The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, a tenant to which the personal identifier is mapped. The mapping maps personal identifiers of users to tenants. The system retrieves, from a user store for the tenant, user information relating to the user. The system then creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated. 1. A method performed by a computing system , the method comprising:receiving a sign-in request for a user, the sign-in request including a personal identifier wherein the personal identifier uniquely identifies a person;performing a verification based on the personal identifier to authenticate the user;identifying from a mapping a tenant to which the personal identifier is mapped, wherein the mapping maps personal identifiers of users to tenants;retrieving, from a user store for the tenant, user information relating to the user;creating a security token based on the user information; andafter successful verification of the user, sending the security token as evidence that the user has been authenticated.2. The method of further comprising claim 1 , when the personal identifier is mapped to multiple tenants claim 1 , receiving from the user a selection of a tenant for which the user is to be authenticated.3. The method of wherein the personal identifier is a phone number.4. The method of wherein the performing of the verification includes sending a verification ...

Organizational sign-in across sovereign environments

A system of a primary cloud for signing in users is provided. The system receives a sign-in request for a user that includes a personal identifier (e.g., phone number). The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, an entity to which the personal identifier is mapped. When the entity is associated with an external cloud, the system sends a sign-in request to the external cloud for authentication by the external cloud. When the entity is associated with an internal tenant, the system retrieves user information relating to the user and creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Late binding of social identity in invitation management systems

Performing late binding of a social network identification (ID) to a guest ID for use in an identity platform. A guest ID is created for a second user that gives access to a shared application of an identity platform that is associated with a first user. Subsequent to creating the guest ID, permission is requested from the second user to bind social network IDs of social networks of which the second user is a member to the guest ID. In response to receiving permission, binding the social network IDs to the guest ID is performed. The binding gives the identity platform access to profile attributes of the second user from the social networks, and allows it to write information such as a merit badge back on the second user's social network profile. A federation binding may also be created that allows the second user to sign into the shared application using their social network ID.

Account Verification in Deferred Provisioning Systems

Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.

EXTENDED DOMAIN PLATFORM FOR NONMEMBER USER ACCOUNT MANAGEMENT

A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege. 1. A device comprising:a processor; and detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform;', 'based on the detection that the first user has invited the second user to the communication session, causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and', 'granting the second user account the second user privilege., 'a memory in communication with the processor, the memory comprising executable instructions that, when executed by the processor, cause the processor to control the device to perform functions ...

Fusing Multiple Depth Sensing Modalities

A method includes receiving a first depth map that includes a plurality of first pixel depths and a second depth map that includes a plurality of second pixel depths. The first depth map corresponds to a reference depth scale and the second depth map corresponds to a relative depth scale. The method includes aligning the second pixel depths with the first pixel depths. The method includes transforming the aligned region of the second pixel depths such that transformed second edge pixel depths of the aligned region are coextensive with first edge pixel depths surrounding the corresponding region of the first pixel depths. The method includes generating a third depth map. The third depth map includes a first region corresponding to the first pixel depths and a second region corresponding to the transformed and aligned region of the second pixel depths.

Nested Access Privilege Check for Multi-Tenant Organizations

Techniques for managing an access privilege for users of an organization having first and second tenants includes storing, at a data storage, first user account data of a first user account associated with a first user of the first tenant, the first user account data including a first object identifier, a first tenant identifier and first access privilege information including access privileges granted to the first user account of the first tenant to access one or more resources; creating, for the first user associated with the first tenant, a second user account of the second tenant and second user account data of the second user account; setting the second user account data to include linked account information including the first object identifier and the first tenant identifier of the first user account data; and storing, at the data storage, the second user account data including the linked account information.

System and method for authentication session transfer using application download links

Methods for authentication session transfer using application download links are performed by systems and devices. A user or administrator at a first device enables the user to use an application at the user's mobile device. The user or administrator provides a request for the mobile application from the first device to an identity service. The identity service generates a uniform resource locator (URL) that encodes an authentication object generated by the identity service that is specific to the user's identity, and provides the URL to the mobile device. The identity service receives the authentication object back from a browser session of the URL at the user device, and establishes an authenticated browser session of the URL using the authentication object. The identity services authenticates the user's identity for the mobile application responsive to the mobile application invoking the authenticated browser session at the user device.

Systems and related methods for reducing the resource consumption of a convolutional neural network

A computer-implemented method for reducing the resource consumption of a convolutional neural network can include obtaining data descriptive of the convolutional neural network. The convolutional neural network can include a plurality of convolutional layers configured to perform convolutions using a plurality of kernels that each includes a plurality of kernel elements. The method can include training, for one or more training iterations, the convolutional neural network using a loss function that includes a group sparsifying regularizer term configured to sparsify a respective subset of the kernel elements of the kernel(s); following at least one training iteration, determining, for each of the kernel(s), whether to modify such kernel to remove the respective subset of the kernel elements based at least in part on respective values of the respective subset of kernel elements; and modifying at least one of the kernel(s) to remove the respective subset of the kernel elements.

Communicating state information to legacy clients using legacy protocols

When a user account is in an alternate (fault) state, communication or sync between an application provider and a device or client application typically is interrupted. When parties do not support rich fault messaging, communication of the reason for the interruption and remediation steps has been impossible. An application server provides rich fault messaging using applications that do not provide explicit error messaging and protocols that do not provide explicit error messaging without changing either the application or the protocol by additional interactions between an identity provider and the application server. The application server uses authentication state information provided by the identity server to generate a notification sync event that appears to the application and the protocol to be a normal sync event. The notification sync event is used to provide the user with information needed to determine what the problem with the account is and how to fix it.

Extended domain platform for nonmember user account management

A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.

Altering device behavior with limited purpose accounts

A limited purpose account can be provided to a legitimate user to avoid some types of anti-abuse mechanisms from being triggered when the user connects to an identity verifier using a username known to belong to a limited purpose account. A limited purpose account is an account in which certain privileges of ordinary use are disabled or curtailed. A limited purpose account may be an account that can only be used with a limited number of applications or for a limited amount of time, thus reducing the ability of the limited purpose user to gain unauthorized access to resources. The operating system can reset itself to a previous state when the account is disconnected or when the device is turned off.

Altering device behavior with limited purpose accounts

A limited purpose account can be provided to a legitimate user to avoid some types of anti-abuse mechanisms from being triggered when the user connects to an identity verifier using a username known to belong to a limited purpose account. A limited purpose account is an account in which certain privileges of ordinary use are disabled or curtailed. A limited purpose account may be an account that can only be used with a limited number of applications or for a limited amount of time, thus reducing the ability of the limited purpose user to gain unauthorized access to resources. The operating system can reset itself to a previous state when the account is disconnected or when the device is turned off.

Account verification in deferred provisioning systems

Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.

Extended domain platform for nonmember user account management

A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.

Learning neural network structure

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for training neural networks. In one aspect, a system includes a neural network shrinking engine that is configured to receive a neural network being trained and generate a reduced neural network by a shrinking process. The shrinking process includes training the neural network based on a shrinking engine loss function that includes terms penalizing active neurons of the neural network and removing inactive neurons from the neural network. The system includes a neural network expansion engine that is configured to receive the neural network being trained and generate an expanded neural network by an expansion process including adding new neurons to the neural network and training the neural network based on an expanding engine loss function. The system includes a training subsystem that generates reduced neural networks and expanded neural networks.

Learning neural network structure

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for training neural networks. In one aspect, a system includes a neural network shrinking engine that is configured to receive a neural network being trained and generate a reduced neural network by a shrinking process. The shrinking process includes training the neural network based on a shrinking engine loss function that includes terms penalizing active neurons of the neural network and removing inactive neurons from the neural network. The system includes a neural network expansion engine that is configured to receive the neural network being trained and generate an expanded neural network by an expansion process including adding new neurons to the neural network and training the neural network based on an expanding engine loss function. The system includes a training subsystem that generates reduced neural networks and expanded neural networks.

Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Revoking sessions using signaling

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user's login account has been compromised, where the user's login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

Revoking sessions using signaling

Efficiently throttling user authentication

In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

Efficiently throttling user authentication

In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.

Efficiently throttling user authentication

Account verification in deferred provisioning systems

Provisioning a user account. A method includes, at a local entity contacting an identity system to begin user account provisioning. The method further includes receiving from the identity system a correlating factor related to a verification code sent to the user from the identity system. The method further includes receiving from the user, profile information entered into the local entity, where the profile information is to be stored in the user account. The method further includes receiving from the user the verification code corresponding to the correlating factor. The method further includes sending the correlating factor, user entered verification code and the user entered profile information to the identity system, where the identity system determines that the verification code properly correlates to the correlating factor, and as a result provisions the user account and stores the profile information in the user account.

Intelligent download and session copy

Disclosed in some examples, are methods, systems, devices, and machine-readable mediums that use one or more images (e.g., Quick-Response (QR) codes) displayed by a first application to both provide the location to obtain a second application and to copy a session from the first application to the second application once downloaded. In some examples, a session comprises an authentication session such that, when the session is copied, the user is logged into a network-based service within the second application with a same account as the user is already logged into with first application.

Extended domain platform for nonmember user account management

A device including a processor and a memory, in which the memory includes executable instructions for detecting that a first user has invited a second user to a communication session, wherein the first user is associated with a first user account registered to a first domain platform and the second user is not associated with any of user accounts registered to the first domain platform, the first domain platform defining a first user privilege granted to the user accounts registered to the first domain platform; causing a second user account associated with the second user to be created and registered to a second domain platform, the second domain platform being different from the first domain platform and defining a second user privilege granted to user accounts registered to the second domain platform; and granting the second user account the second user privilege.

Nested access privilege check for multi-tenant organizations

Techniques for managing access to content are provided that include receiving a first signal requesting an indication whether a user has an access privilege to access to a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource, determining that a first user account associated with the user does not have an access privilege to access the resource; performing a nested access privilege check to determine whether the user is associated with a second user account that has the access privilege to access the resource; and granting via the communication network access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account and the second user account is associated with the access privilege to access the resource.

Extended domain platform for nonmember user account management

Personal identifier sign-in for organizational users

A method and system performed by a computing system for signing in using personal identifiers input via a sign-in portal that supports multiple tenants is provided. The system receives a sign-in request for a user that includes a personal identifier. The personal identifier uniquely identifies a person but does not include an identification of a tenant. The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, a tenant to which the personal identifier is mapped. The mapping maps personal identifiers of users to tenants. The system retrieves, from a user store for the tenant, user information relating to the user. The system then creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Two-factor authentication

Intelligent download and session copy

Disclosed in some examples, are methods, systems, devices, and machine-readable mediums that use one or more images (e.g., Quick-Response (QR) codes) displayed by a first application to both provide the location to obtain a second application and to copy a session from the first application to the second application once downloaded. In some examples, a session comprises an authentication session such that, when the session is copied, the user is logged into a network-based service within the second application with a same account as the user is already logged into with first application.

Framework for training machine-learned models on extremely large datasets

A MapReduce-based training framework exploits both data parallelism and model parallelism to scale training of complex models. Particular model architectures facilitate and benefit from use of such training framework. As one example, a machine-learned model can include a shared feature extraction portion configured to receive and process a data input to produce an intermediate feature representation and a plurality of prediction heads that are configured to receive and process the intermediate feature representation to respectively produce a plurality of predictions. For example, the data input can be a video and the plurality of predictions can be a plurality of classifications for content of the video (e.g., relative to a plurality of classes).

Framework for Training Machine-Learned Models on Extremely Large Datasets

A MapReduce-based training framework exploits both data parallelism and model parallelism to scale training of complex models. Particular model architectures facilitate and benefit from use of such training framework. As one example, a machine-learned model can include a shared feature extraction portion configured to receive and process a data input to produce an intermediate feature representation and a plurality of prediction heads that are configured to receive and process the intermediate feature representation to respectively produce a plurality of predictions. For example, the data input can be a video and the plurality of predictions can be a plurality of classifications for content of the video (e.g., relative to a plurality of classes).

Account verification in deferred provisioning systems

Suspicious credential change detection and mitigation

Suspicious credential changes are automatically detected and mitigated. A comparison of data surrounding user-account credential changes with suspicious change patterns forms a basis for detecting suspicious credential changes. More particularly, if a credential change substantially matches a known suspicious change pattern, the credential change can be flagged as suspicious. After a credential change is determined to be suspicious, one or more mitigation activities can be triggered to allay adverse effects associated with a suspicious credential change.

Altering device behavior with limited purpose accounts

Global sign-out on shared devices

Nested Access Privilege Check for Multi-Tenant Organizations

Techniques for managing access to content are provided that include receiving a first signal requesting an indication whether a user has an access privilege to access to a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource, determining that a first user account associated with the user does not have an access privilege to access the resource; performing a nested access privilege check to determine whether the user is associated with a second user account that has the access privilege to access the resource; and granting via the communication network access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account and the second user account is associated with the access privilege to access the resource.

Nested access privilege check for multi-tenant organizations

Techniques for managing access to content are provided that include receiving a first signal requesting an indication whether a user has an access privilege to access to a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource, determining that a first user account associated with the user does not have an access privilege to access the resource; performing a nested access privilege check to determine whether the user is associated with a second user account that has the access privilege to access the resource; and granting via the communication network access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account and the second user account is associated with the access privilege to access the resource.

Resource-based selection of identity provider

The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Resource-based selection of identity provider

The automatic selection of an identity provider to be used to authenticate users when requesting to access network resources for a tenant. The authentication is initiated by checking the username against the directory of the tenant. If that check results in finding an entry for the username in that directory, the entry is checked for an identity provider. If that check results in finding an identity provider, the user is directed to that found identity provider for authentication. Thus, in many, most, or all cases, an identity provider is found and selected for authentication of the user without the user having to manually select the identity provider. The username may be an internal user of an entity. The selection of the identity provider works in either case since there would still be an entry for that user in the directory of the tenant.

Security configuration lifecycle account protection for minors

Described technologies enhance cybersecurity and facilitate computing system account usage by configuring a primary account and a supplementary account together in a security configuration lifecycle. The primary account user may be a parent or other adult, while the supplementary account user may be a child or other person with less capacity than the primary user. Over time, the accounts may transition together through security configurations to give more capabilities to the supplementary user, e.g., login separate from the primary user, and to reduce the control of the primary user over the supplementary account. Security configuration lifecycle stages are implemented, e.g., using capability-security pair data structures and account security configuration code. Despite the security configuration linkage of the accounts, each account may have its own personalized content and its own recommendation history. Lifecycle position identification supports automatic reasoning to select an age-appropriate consent obtention procedure, and facilitates documentary media timeline creation.

Security configuration lifecycle account protection for minors

Described technologies enhance cybersecurity and facilitate computing system account usage by configuring a primary account and a supplementary account together in a security configuration lifecycle. The primary account user may be a parent or other adult, while the supplementary account user may be a child or other person with less capacity than the primary user. Over time, the accounts may transition together through security configurations to give more capabilities to the supplementary user, e.g., login separate from the primary user, and to reduce the control of the primary user over the supplementary account. Security configuration lifecycle stages are implemented, e.g., using capability-security pair data structures and account security configuration code. Despite the security configuration linkage of the accounts, each account may have its own personalized content and its own recommendation history. Lifecycle position identification supports automatic reasoning to select an age-appropriate consent obtention procedure, and facilitates documentary media timeline creation.

Security configuration lifecycle account protection for minors

Intelligent download and session copy

Disclosed in some examples, are methods, systems, devices, and machine-readable mediums that use one or more images (e.g., Quick-Response (QR) codes) displayed by a first application to both provide the location to obtain a second application and to copy a session from the first application to the second application once downloaded. In some examples, a session comprises an authentication session such that, when the session is copied, the user is logged into a network-based service within the second application with a same account as the user is already logged into with first application.

Control of casting to a media renderer

A method and system for controlling casting to a media renderer is provided. A casting control system receives from a requesting device a request to cast media to the media renderer. In response to receiving the request, the casting control system identifies a gatekeeper for the media renderer and notifies the gatekeeper that a request has been received to cast media to the media renderer. After the casting control system receives from the gatekeeper an indication to grant or deny the request, the casting control system allows or denies the casting of the media to the media renderer.

Control of casting to a media renderer

A method and system for controlling casting to a media renderer is provided. A casting control system receives from a requesting device a request to cast media to the media renderer. In response to receiving the request, the casting control system identifies a gatekeeper for the media renderer and notifies the gatekeeper that a request has been received to cast media to the media renderer. After the casting control system receives from the gatekeeper an indication to grant or deny the request, the casting control system allows or denies the casting of the media to the media renderer.

Personal identifier sign-in for organizational users

A method and system performed by a computing system for signing in using personal identifiers input via a sign-in portal that supports multiple tenants is provided. The system receives a sign-in request for a user that includes a personal identifier. The personal identifier uniquely identifies a person but does not include an identification of a tenant. The system performs a verification based on the personal identifier to authenticate the user. The system identifies, from a mapping, a tenant to which the personal identifier is mapped. The mapping maps personal identifiers of users to tenants. The system retrieves, from a user store for the tenant, user information relating to the user. The system then creates a security token based on the user information. If verification of the user was successful, the system sends the security token to the sign-in portal as evidence that the user has been authenticated.

Two-factor authentication

Systems, methods, and computer-readable storage media are provided for authenticating users to secure services or apps utilizing reversed, hands-free and/or continuous two-factor authentication. When a user desires to access a secure service or app for which s/he is already registered, the user, having a registered mobile computing device in proximity to his or her presence, comes within a threshold distance of a computing device that includes the desired secure service or app. The computing device authenticates the particular mobile computing device as associated with the particular registered user that utilized that mobile device during registration. Subsequent to such device authentication, the user is able to login to the service or app by simply providing his or her user credentials at a login form associated therewith. Two-factor authentication in accordance with embodiments hereof is more secure and more efficient that traditional authentication methodologies.

Integrated consent system

A system for creating an account with an identity provider. The system receives a request to create an identity provider account with the identity provider for use in logging onto a third-party system. The system generates one or more display pages for providing an integrated-consent user experience. The integrated-consent user experience includes a display page for collecting both new-account information and scope-of-consent information whereby a user consents to share information with the third-party system. After the user provides the new-account information that includes user credentials for the identity provider account and consents to share account information of the identity provider account with the third-party system, the system creates the identity provider account for the user. When the user subsequently signs in to the third-party system using the user credentials for the identity provider account, the third-party system accesses account information of the identity provider account based on the scope-of-consent information.

Global sign-out on shared devices

Heuristics can be used to determine if an alternate behavior is desired on a particular mobile device to enable one-touch sign-out. The alternate behavior can be the appearance of a sign-out experience and mechanism. For example, instead of a "sign out" link appearing, an "end of shift" link can be displayed. Heuristics can be used to determine if a particular mobile device is a shared device. If the device is a shared device, this information can be made discoverable to mobile applications (e.g. by including a "shared device" flag in authentication tokens). When a mobile application finds the shared device flag indicates the device is shared, the "Sign-out" link for the mobile application can be replaced with an "End my shift" link. In response to a user clicking on the link, a global sign out can delete session artifacts on the device and/or on the server

Suspicious credential change detection and mitigation

Suspicious credential changes are automatically detected and mitigated. A comparison of data surrounding user-account credential changes with suspicious change patterns forms a basis for detecting suspicious credential changes. More particularly, if a credential change substantially matches a known suspicious change pattern, the credential change can be flagged as suspicious. After a credential change is determined to be suspicious, one or more mitigation activities can be triggered to allay adverse effects associated with a suspicious credential change.

Optimized sign out for single account services

An identity provider IP service provides an optimized sign out experience for a user accessing a single account service. The IP service designates a first account of a service as signed in based on first credentials provided by a user. The IP service provides a first security token for the first account to the service. Upon receiving a first sign out notification, the IP service determines whether the user wants to switch to a second account of the service. Upon determining that the user wants to switch to the second account, the IP service designates the second account as signed in based on second credentials provided by the user, provides a second security token for the second account to the service, and designates the first account as soft signed out so that the user can switch to the first account without re-providing the first credentials.

Global sign-out on shared devices

Heuristics can be used to determine if an alternate behavior is desired on a particular mobile device to enable one-touch sign-out. The alternate behavior can be the appearance of a sign-out experience and mechanism. For example, instead of a "sign out" link appearing, an "end of shift" link can be displayed. Heuristics can be used to determine if a particular mobile device is a shared device. If the device is a shared device, this information can be made discoverable to mobile applications (e.g. by including a "shared device" flag in authentication tokens). When a mobile application finds the shared device flag indicates the device is shared, the "Sign-out" link for the mobile application can be replaced with an "End my shift" link. In response to a user clicking on the link, a global sign out can delete session artifacts on the device and/or on the server

Home realm discovery with flat-name usernames

Methods, systems, apparatuses, and computer program products are provided for automatically determining a home realm. An authentication request receiver interface may receive a request to access a resource and a device identifier from a client device. An authenticator may be enacted in response to receiving the request to access the resource that includes a home realm discoverer and an authentication user interface (UI) provider. The home realm discoverer may determine, based at least on the device identifier, the home realm from a plurality of realms. The authentication UI provider may provide, to the client device, an authentication UI via which a flat-name username can be submitted. Based at least on a flat-name user name and the determined home realm, access to the resource may be granted. In this manner, a user may input a flat-name username during sign-in, rather than inputting a realm or an entire e-mail address.