Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Techniques are disclosed relating to biometric authentication. In one embodiment, a computing device includes a controller circuit, a camera, and a secure circuit. The controller circuit is coupled to a button and detects when the button has been pressed. The camera captures a set of biometric data of a user. The secure circuit performs an authentication of the user by confirming that a notification identifying the button being pressed was received from the controller circuit and by comparing the set of biometric data with another set of biometric data for an authorized user of the computing device. In some embodiments, the controller circuit is configured to maintain a timestamp indicative of when the button has been pressed and usable by the secure circuit to confirm that the button is pressed within a threshold time period of the authentication being performed.

Abstract: Implementations of the subject technology provide for performing, by a device, a request for obtaining information related to a phone authentication certificate (PAC) that was generated for the device, the PAC authenticating that a particular phone number is associated with the device, the request including packets of data. The subject technology receives the information related to the PAC, the information including an indication that the PAC was generated for the device. The subject technology sends, from the device, a request for validating the PAC to a remote server based at least in part on the information related to the PAC. Further, the subject technology receives a confirmation of validating the PAC from the remote server based at least in part on the information related to the PAC.

Abstract: Systems, methods, and computer-readable media for validating online access to secure device functionality are provided that may use shared secrets between different subsystems and limited use validation data.

Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Techniques are disclosed relating to securely receiving and storing credentials. In some embodiments, a computing device includes an application executable to supply a credential to an external system. A secure circuit of the computing device is configured to send, to a credential storage, a request for the credential, the request including a first certificate identifying a first public key and a stipulation to perform a user authentication before permitting use of a first private key corresponding to the first public key. The secure circuit receives, from the credential storage, the credential encrypted using the first public key and, based on the stipulation, performs the user authentication prior to decrypting the credential and supplying it to the application. In some embodiments, the secure circuit receives the first certificate by providing information about hardware included in the computing device to a hardware verification service.

Abstract: One or more user accounts can be linked together to form a group of linked user accounts to access content items assigned to the other user accounts in the group of linked user accounts. Prior to completing a purchase for a content item, a requesting user can be alerted that a member of the group of linked user accounts has access to the content item. Content items assigned to a member of a group of linked user accounts can be downloaded by one or more other members of the group of linked user accounts along with a Digital Rights Management (DRM) key that enables use of the content item. The DRM key can represent the group relationship between the downloading user account and the content owner's user account to which the content item is assigned.

Abstract: Systems, methods, and computer-readable media for validating online access to secure device functionality are provided that may use shared secrets between different subsystems and limited use validation data.

Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.

Abstract: A content request communication, e.g., generated using a first processor of a device, can be transmitted to a web server. A response communication including content identifying a first value can be received from the web server. The first processor can facilitate presentation of the content on a first display of the device. A communication can be received at a second processor of the device from a remote server. The communication can include data representing a second value and can be generated at the remote server using information received from the web server. Further, the second processor can produce a secure verification output that can be presented on a separate, second display, representing at least the second value. The presentation on first display can at least partially overlap in time with the presentation on the second display.

Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.

Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing any personal data with any other device. To ensure user privacy and to allow multiple independent enrollments, the user device performs an enrollment process in which the user device locally collects and uses biometric data together with a random salt to generate a set of public/private key pairs from which biometric information cannot be extracted. The public keys and the salt, but not the biometric data, are sent to a server to store. To verify user identity, a user device can repeat the collection of biometric data from the user and the generation of public/private key pairs using the salt obtained from the server. If the device can prove to the server its possession of at least a minimum number of correct private keys, the user's identity can be verified.

Abstract: A method and apparatus of a device that forwards an email from a first party to a second party is described. In an exemplary embodiment, the device receives an email, where the email includes a first email address associated with the first party, the first party email address is a “from” email address, a second email address associated with a second party, the second email address is a “to” email address; and the second email address is an anonymized email address. The device further extracts a local part of the second email address and the device determines a first party identifier from at least the local part of the first email address. In addition, the device determines a replacement address for the second email address using at least the first party identifier and replaces the second email address with the replacement address. The device further forwards the email using the replacement address.

Abstract: The subject technology receives assessment values determined by a first machine learning model deployed on a client electronic device, the assessment values being indicative of classifications of input data and the assessment values being associated with constraint data that comprises a probability distribution of the assessment values with respect to the classifications of the input data. The subject technology applies the assessment values determined by the first machine learning model to a second machine learning model to determine the classifications of the input data. The subject technology determines whether accuracies of the classifications determined by the second machine learning model conform with the probability distribution for corresponding assessment values determined by the first machine learning model.

Abstract: Techniques are disclosed relating to securely receiving and storing credentials. In some embodiments, a computing device includes an application executable to supply a credential to an external system. A secure circuit of the computing device is configured to send, to a credential storage, a request for the credential, the request including a first certificate identifying a first public key and a stipulation to perform a user authentication before permitting use of a first private key corresponding to the first public key. The secure circuit receives, from the credential storage, the credential encrypted using the first public key and, based on the stipulation, performs the user authentication prior to decrypting the credential and supplying it to the application. In some embodiments, the secure circuit receives the first certificate by providing information about hardware included in the computing device to a hardware verification service.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to receive a verified claim including information to identify a user of a device, the verified claim being signed by a server based on verification of the information by an identity verification provider separate from the server, the verified claim being specific to the device. The at least one processor is further configured to send, to a service provider, a request for a service provided by the service provider, and receive, from the service provider and in response to the sending, a request for the verified claim. The at least one processor is further configured to send, in response to the receiving, the verified claim to the service provider.

Abstract: A device implementing a system for using a verified claim of identity includes at least one processor configured to send, to a service provider, a request for a service provided by the service provider. The at least one processor may be further configured to receive, from the service provider and in response to the sending, a request for a verified claim, the verified claim comprising plural data fields to identify a user of a device and being a digital certificate signed by a server, the verified claim being associated with to the device. The at least one processor may be further configured to, in response to the receiving, determine a confidence assessment for the verified claim based on a comparison between the plural data fields in the verified claim and corresponding data locally-stored on a device, and send the confidence assessment and the verified claim to the service provider.

Abstract: A device implementing the subject system may include a processor configured to send, to a service provider, a request for a service provided by the service provider. The processor may be further configured to receive, in response to sending the request for the service, a request for a verified claim, the verified claim comprising first information to identify a user of a device and being a digital certificate signed by a server, the verified claim being associated with the device. The processor may be further configured to send, in response to receiving the request for the verified claim, the verified claim to the service provider, and receive a request for second information to identify the user, the second information being different than the first information, the request for the second information being based on a determination that the first information is not sufficient to identify the user.

Abstract: A device implementing a system for using a verified claim of identity may include at least one processor configured to receive a response vector corresponding to a verified claim of a user of a device, the verified claim comprising plural data fields to identify the user and being a digital certificate signed by a server, the verified claim being associated with the device, the response vector comprising, for each field of the plural data fields, a confidence score indicating a likelihood that the field is accurate. The at least one processor may be further configured to receive, from the device, a request for a service, determine, in response to receiving the request, that service is to be provided to the device based on the response vector and the verified claim, and provide the service to the device based on the determining.