Intrusion detection on computing devices
US-2020387588-A1 · Dec 10, 2020 · US
US11570203B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11570203-B2 |
| Application number | US-202017133966-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 24, 2020 |
| Priority date | Dec 31, 2019 |
| Publication date | Jan 31, 2023 |
| Grant date | Jan 31, 2023 |
Abstract (official text).
An account protection service to prevent user login or other protected endpoint request abuse. In one embodiment, the service collects user recognition data, preferably for each login attempt (e.g. data about the connection, session, and other relevant context), and it constructs a true user profile for each such user over time, preferably using the recognition data from successful logins. The profile evolves as additional recognition data is collected from successful logins. The profile is a model of what the user “looks like” to the system. For a subsequent login attempt, the system then calculates a true user score. This score represents how well the current user recognition data matches the model represented by the true user profile. The user recognition service is used to drive policy decisions and enforcement capabilities. Preferably, user recognition works in association with bot detection in a combined solution.
Claims (full text of claims 1-20).
What we claim is as follows:

1. A method of account protection, comprising: at a first server: responsive to receipt of a request associated with a client access to a resource, injecting a script and returning the resource to the client; responsive to receipt of an automated post from the client, the automated post including data collected as a result of the script being executed, forwarding the automated post to an account protection service; at a second server distinct from the first server and that executes the account protection service: responsive to receiving the automated post, issuing a request for a user profile, the user profile having been computed from information derived from one or more prior successful logins by the client; responsive to receipt of the user profile, calculating a user score; returning the user score to the first server; at the first server: responsive to receipt of the user score, applying a policy to the user score, and taking an action based on whether the user score satisfies the policy.
2. The method as described in claim 1 wherein the user score represents a degree to which a current login matches a model of a successful login, wherein the model is derived from the information derived from the one or more prior successful logins.
3. The method as described in claim 2 further including updating the model based as additional successful logins occur.
4. The method as described in claim 1 wherein the data collected as a result of executing the script includes one of: device- and user agent-specific attributes for user recognition.
5. The method as described in claim 1 wherein the first server also augments the automated post with edge data prior to forwarding the automated post to the second server.
6. The method as described in claim 5 wherein the edge data comprising information specific to the request and that differs between or among at least one of: users, user agents and devices.
7. The method as described in claim 5 wherein the information is one of: a geolocation of the endpoint, a user-agent header, and a TLS fingerprint.
8. The method as described in claim 1 wherein a user profile includes an indication of whether sufficient data has been collected for the user profile to be considered for use in generating the user score.
9. The method as described in claim 1 wherein the user score is augmented to included information representing which parts of a set of user recognition data aligned with the user profile.
10. The method as described in claim 1 wherein the user score is returned to the first server upon receipt at the first server of a login request to a protected endpoint.
11. The method as described in claim 10 wherein the login request is associated with a hosted login to the protected endpoint, the hosted login provided by an identity and access mechanism.
12. The method as described in claim 1 wherein the automated post is associated with collection of data useful for detecting whether the client is a bot.
13. The method as described in claim 1 wherein the user score is also computed based on additional risk data.
14. The method as described in claim 13 wherein the additional risk data is client reputation data.
15. The method as described in claim 1 wherein the account protection service protects against an account takeover (ATO) attack by which a malicious actor associated with the client gains access to an account at a web site or application.
16. The method as described in claim 1 wherein the account protection service protects against a new account fraud (NAF) by which a malicious actor associated with the client creates an account a web site or application by claiming to be a person other than his or her true identity.
17. The method as described in claim 1 wherein the action includes providing an access token to the endpoint.
18. The method as described in claim 1 wherein the action includes forwarding a login request to a customer origin.
19. Apparatus, comprising: a set of hardware processors; computer memory associated with the set of hardware processors and holding computer program code configured as a first server, and a second server, the program code configured: at the first server: responsive to receipt of a request associated with a client access to a resource, injecting a script and returning the resource to the client; responsive to receipt of an automated post from the client, the automated post including data collected as a result of the script being executed, forwarding the automated post to an account protection service; at the second server and that executes the account protection service: responsive to receiving the automated post, issuing a request for a user profile, the user profile having been computed from information derived from one or more prior successful logins by the client; responsive to receipt of the user profile, calculating a user score; returning the user score to the first server; at the first server: responsive to receipt of the user score, applying a policy to the user score, and taking an action based on whether the user score satisfies the policy.
20. The apparatus as described in claim 19 wherein the account protection service protects against one of: an account takeover (ATO) attack by which a malicious actor associated with the client gains access to an account at a web site or application, and a new account fraud (NAF) by which a malicious actor associated with the client creates an account a web site or application by claiming to be a person other than his or her true identity.
CPC classification titles:

- User profiles
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- by using authentication-authorization-accounting [AAA] servers or protocols
- Entity profiles