Access control to Web-based services in organization-spanning business processes requires the establishment of a trust relationship between the requesting user and the service provider. In identity federations the attestation of a strong user authentication by the users’ identity provider might reduce trust management requirements at the organizational level, thus potentially increasing the flexibility of this relationship. With this said however, the availability of strong authentication controls at the identity provider’s site, that is, for two-factor authen- tication, cannot be generally assumed. Thus, a service provider’s attempt to enforce the use of such systems in turn reduces structural flexibility. This paper proposes a cloud-based biometric authentication system, provided by an external authentication service provider, which enhances existing identity management infrastructures flexibly on an on-demand ba- sis by sustaining authentication through a second factor. Here, a generic architecture for cloud-based biometric systems and a prototype implementation based on keystroke dynam- ics is provided. The biometric system features low dependence on dedicated sensory hard- ware and thus leverages the structural flexibility of a security infrastructure. Additionally, it provides for end-to-end integrity mechanisms between the authentication service provider and the identity federation’s business service provider to further improve access control.