Abstract: Systems and methods for multi-factor authentication are based on validation of an inherence factor and a possession factor obtained in a “frictionless” or almost frictionless manner. A method conducted at a software application executing on a user device associated with a user and connected to a server computer, includes obtaining signing or encryption of a set of data elements using a cryptographic key securely stored for exclusive use by the software application and transmitting the signed or encrypted data elements to the server computer. The method includes transmitting, to the server computer, a payload including contextual data which includes behavioural data collected via one or more contextual data sources. The signed data elements represent a possession factor and the payload including contextual data represents an inherence factor for validation and multi-factor authentication by the server computer.

Abstract: A system and method are provided for identifying a browser instance in a browser session between a server hosting a web domain and the browser instance executing on a user computing device. The method conducted at the browser instance includes obtaining a private key and a public key of a key pair unique to a combination of a web domain and the browser instance being used to access the web domain. The method includes obtaining a browser certificate issued for the key pair and storing the private key at a storage provided by the browser instance for use by the browser instance during an active browser session with the web domain. The private key is stored as unextractable from the storage and with configuration for use by the browser instance during an active browser session with the web domain in signing or cryptographic operations without the private key being revealed.

Abstract: A method provides computer-generated contextual data to an end-point during a digital transaction. The method includes receiving a trigger message relating to a digital transaction between a consumer and a second entity. The trigger message includes a consumer identifier uniquely associated with the consumer and transaction details at least including a characteristic associated with the digital transaction. A data message including information based on an evaluation of the transaction details against a consumer-linked transaction matrix is obtained. The consumer-linked transaction matrix is linked to the consumer and includes information relating to the digital transaction. The data message is transmitted to a remote device with which the consumer interacts during pendency of the transaction and is configured to cause the device to output a prompt to the consumer displaying the data message.

Abstract: A system and method for maintaining a fraud risk profile in a fraud risk engine are described. In a method conducted at a remote server, a payload from a secure mobile application executing on a user mobile device associated with a user is received. The payload including contextual data having been obtained by the secure mobile application and a trust indicator linked to the contextual data. Validity of the contextual data is confirmed by verifying the trust indicator. If the trust indicator is verified, the contextual data is input into a fraud risk engine as truth data. The fraud risk engine maintains a fraud risk profile associated with the user. The fraud risk profile is usable by the fraud risk engine in evaluating a fraud risk associated with an activity associated with the user.

Abstract: A system and method for providing computer-generated contextual data to an end-point during a digital transaction is provided. A method includes receiving a trigger message relating to a digital transaction between a consumer and a second entity. The trigger message includes a consumer identifier uniquely associated with the consumer and transaction details at least including a characteristic associated with the digital transaction. A data message including information based on an evaluation of the transaction details against a consumer-linked transaction matrix is obtained. The consumer-linked transaction matrix is linked to the consumer and includes information relating to the digital transaction. The data message is transmitted to a remote device with which the consumer interacts during pendency of the transaction and is configured to cause the device to output a prompt to the consumer displaying the data message.

Abstract: A protocol-based system and method for establishing a multi-party contract are disclosed. In a method conducted at a computing device associated with an entity, a set of contract data elements relating to a contract to be established is received from either one of another entity or a deal negotiation component associated with the entity. The contract data elements are validated using an associated contract schema and a schema-based validation algorithm. If the contract data elements are valid, the contract data elements are transmitted to the other of the deal negotiation component or another entity. Transmitting the contract data elements to another entity includes generating a digital signature associated with the contract data elements by digitally signing the contract data elements or a representation thereof and transmitting the digital signature and either of the contract data elements or the representation thereof to the other entity.

Abstract: A system and method for secure input using tokens is provided. A computer-implemented method conducted at a server computer includes receiving a transaction confirmation request associated with a transaction. The method includes providing, to an end-user via an online platform, a plurality of user input options associated with the transaction. The method includes receiving, from the end-user via the online platform, a unique token associated with a selected user input option, the unique token having been obtained by the end-user inputting a selection of a user input option into an end-user token generator which is configured to generate the unique token uniquely specifying the selected user input option. The method includes validating the unique token and identifying the selected user input option with which the unique token is associated.

Abstract: A method and system for secure input at a remote service are provided. In a method conducted at a secure input device, a hash operation is performed on a data structure including shared data, the shared data having been obtained from a remote service via an encrypted payload. User input for secure entry at the remote service is received and encoded by performing an operation on corresponding symbols of the user input and an output of the hash operation to output an encoded message, the user input and the encoded message having the same length. The encoded message is output for entry at the remote service.

Abstract: A system and method for authenticating a transaction are provided. In a method at a server computer of an authentication service provider, an authentication request is received which requests authentication of a transaction and includes transaction details describing the transaction. An encryption key being unique to the authentication service provider and a user mobile device is obtained. An authentication prompt including at least some of the transaction details is generated. A payload including the authentication prompt is encrypted using the encryption key to output an encrypted payload. The encrypted payload is provided via a first communication channel to a user for acquisition and decryption by the user mobile device using a decryption key corresponding to the encryption key.

Abstract: A method and system for associating a unique device identifier with a potential security threat are described. In a method conducted at a remotely accessible server, a unique device identifier is received from a computing device. The unique device identifier is associated with a record and is usable in identifying the computing device. An interaction data element is received from the computing device. The received interaction data element is validated including confirming that the received interaction data element matches an expected interaction data element associated with the record. Based on determining that the received interaction data element is not valid, the record is updated to associate the unique device identifier with a potential security threat. The interaction data element is updated periodically according to a sequence. The expected interaction data element changes based on the sequence.

Abstract: A system and method for authenticating a transaction are provided. In a method at a server computer of an authentication service provider, an authentication request is received which requests authentication of a transaction and includes transaction details describing the transaction. An encryption key being unique to the authentication service provider and a user mobile device is obtained. An authentication prompt including at least some of the transaction details is generated. A payload including the authentication prompt is encrypted using the encryption key to output an encrypted payload. The encrypted payload is provided via a first communication channel to a user for acquisition and decryption by the user mobile device using a decryption key corresponding to the encryption key.

Abstract: A method and system for secure input at a remote service are provided. In a method conducted at a secure input device, a hash operation is performed on a data structure including shared data, the shared data having been obtained from a remote service via an encrypted payload. User input for secure entry at the remote service is received and encoded by performing an operation on corresponding symbols of the user input and an output of the hash operation to output an encoded message, the user input and the encoded message having the same length. The encoded message is output for entry at the remote service.

Abstract: A system and method for determining a compromise risk associated with a unique device identifier. In a method conducted at a server an interaction data element is received from a mobile handset, the handset having provided a unique device identifier usable by the server in identifying the handset. The received interaction data element is validated against a record associated with the device identifier including identifying the received interaction data element in a list including a subset of previously used interaction data elements. If the received interaction data element is valid a newly generated interaction data element is obtained. The list of previously used interaction data elements is updated with the newly generated interaction data element. The newly generated interaction data element is transmitted to the handset for presentation to the server. If the received interaction data element is not valid, the device identifier is associated with a potential security threat.

Abstract: A system and method for verifying an association between a communication device and a user are provided. In a method conducted at a remote server, a token is received from a communication device via a secure communication channel by way of which the communication device is uniquely identifiable by the remote server. At least a portion of the token includes or has been derived from a credential stored within a portable credential device of the user and having previously been associated with the user in a user account. The received token is validated and, if valid, the association between the communication device and the user is verified. In one embodiment the communication device executes an application and the method includes verifying the association between the application and the user. In one embodiment, the user account is a user financial account against which the user may conduct financial transactions.

Abstract: A system and method for secure authentication performed on a mobile communication device. The method includes an authentication application carrying out the steps of: receiving a unique identifier for a transaction from a first application provided on the same mobile communication device as the authentication application; receiving an encrypted transaction from a remote secure server; decrypting or obtaining decryption of the transaction with a private key of the authentication application; signing or obtaining signing of the transaction with the private key; signing the transaction with the unique identifier; and transmitting the signed transaction back to the remote secure server.

Abstract: The invention provides a system and method for signing a user workstation onto an access restricted network utilizing a mobile communication device. The method includes receiving a sign-on request from a mobile communication device of a user of the network, looking up a user certificate included in the sign-on request in an enrollment database and retrieving identifiers relating to the user, the workstation and network from the database, and transmitting a sign-on command to an authentication driver operating on the workstation, in response to which the authentication driver negotiates a sign-on operation of the workstation onto the network.

Abstract: A method and system for authenticating secure transactions between a transacting user and a secure transaction host is provided. The system includes a mobile phone software application installed on a transacting user's mobile phone which is configured to compose a digital fingerprint uniquely associated with the specific mobile phone on which it is installed. The system further includes an authentication service provider with which users of the system may be enrolled by registering at least the digital identifiers composed by the applications installed on their mobile communication devices in an authentication database. The authentication service provider is configured to authenticate secure transactions on request from secure transaction hosts by sending transaction confirmation requests to mobile phones of enrolled users requiring them to confirm or deny secure transactions before such transactions are allowed to be finalized.