Abstract: Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in associated with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.

Abstract: Provided is a process that establishes representations and permits users to login to a relying device to which a mobile device has registered. Credential values of the user are established within a trusted execution environment of the mobile device and representations of those credentials are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access to the relying device via secure session. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access by causing the mobile device to obtain a value by which the relying device may be accessed. The user of the mobile device may authenticate with the mobile device based on a policy received from the server to obtain a value by which the relying device may be accessed.

Abstract: Provided is a process for authentication of a user on a mobile device. The user of the mobile device may authenticate with the mobile device, and credentials may be conveyed to a server via a relying device. The mobile device may directly communicate credentials to the relying device. In some examples, the user of the mobile device may authenticate using the mobile device without inputting credentials on the relying device. Credentials conveyed to the server by the relying device and authenticated by the server may permit user access to the relying device or access to an online resource from the relying device.

Abstract: Provided is a process for mobile-initiated authentications to web services. Credential values of the user are established within a trusted execution environment of the mobile device and representations are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may convey access to a web-based service from a relying device. The server may pass credentials corresponding to the web-service received from the mobile device and verified to permit user access to the web-service to the relying device. The relying device presents credentials to the web-service to login, authenticate, or otherwise obtain user-level permission for the user on the relying device. The user of the mobile device may authenticate with the mobile device to the server, and may initiate the authentication process from the mobile device, without inputting credentials corresponding to the web-service on the relying device.

Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.

Abstract: Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in associated with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.

Abstract: Provided is a process that establishes representations and permits users to login to a relying device to which a mobile device has registered. Credential values of the user are established within a trusted execution environment of the mobile device and representations of those credentials are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access to the relying device via secure session. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access by causing the mobile device to obtain a value by which the relying device may be accessed. The user of the mobile device may authenticate with the mobile device based on a policy received from the server to obtain a value by which the relying device may be accessed.

Abstract: Spending digital currency without owning digital currency may be facilitated. The user may use a software application running on the user's computing platform to scan a digital currency public address quick-response code (QR), or a near-field-communication (NFC) based public address. The user may be prompted to swipe-to-authenticate the transaction. The user may authenticate the transaction by fingerprint-swiping a biometric-enabled transitory password authentication device. The biometric-enabled transitory password authentication device may transmit an encrypted transitory password a server via the user's computing platform. Upon receiving and verifying the transaction, the server may send an amount of digital currency to the target address on behalf of the user. The server may charge the user's debit card an equivalent amount of sovereign currency.

Abstract: Provided is a process that affords out-of-band authentication for confirmation of physical access or when a device utilized for out-of-band authentication lacks connectivity to a network. An asymmetric cryptographic key-pair is established, a first device obtaining a key operable to decrypt data. A remote server obtaining a key operable to encrypt data and associating that key with an identifier of an identity or account associated with a user. An access attempt from the second device is received in association with the identifier of the identity associated with the user. A notification including data encrypted by the encryption key is generated by the remote server and transmitted to the second device. The first device obtains the notification data from the second device and decrypts the data to determine a notification response which is returned to the remote server for verification to permit or deny the access attempt of the second device.

Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.

Abstract: Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in association with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.

Abstract: Provided is a process for mobile-initiated authentications to web services. Credential values of the user are established within a trusted execution environment of the mobile device and representations are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may convey access to a web-based service from a relying device. The server may pass credentials corresponding to the web-service received from the mobile device and verified to permit user access to the web-service to the relying device. The relying device presents credentials to the web-service to login, authenticate, or otherwise obtain user-level permission for the user on the relying device. The user of the mobile device may authenticate with the mobile device to the server, and may initiate the authentication process from the mobile device, without inputting credentials corresponding to the web-service on the relying device.

Abstract: Provided is a process that establishes representations and permits users to login to a relying device to which a mobile device has registered. Credential values of the user are established within a trusted execution environment of the mobile device and representations of those credentials are transmitted to a server. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access to the relying device via secure session. The user of the mobile device may authenticate with the mobile device to the server, which may permit user access by causing the mobile device to obtain a value by which the relying device may be accessed. The user of the mobile device may authenticate with the mobile device based on a policy received from the server to obtain a value by which the relying device may be accessed.

Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.

Abstract: Secure authentication of third-party applications and/or websites may be facilitated using a biometric-enabled transitory password authentication device. Exemplary implementations may replace a login requirement with a simple and secure swipe-to-authenticate mechanism in order to gain access to a third-party application and/or website. According to some implementations, a user may have a user computing platform linked to a physically separate authentication device. The user may access the third-party application and/or website via the user computing platform. The user computing platform may detect a login requirement associated with the third-party application and/or website. The user computing platform may prompt the user to swipe-to-authenticate. By using the swipe-to-authenticate mechanism, the user may gain access to the third-party application and/or website.

Abstract: Secure authentication may be facilitated using a biometric-enabled transitory password authentication device. Exemplary implementations may facilitate secure payments and/or authentication via an application running on a user computing platform (e.g., a mobile device) simultaneously coordinating with both a server and the authentication device, which may act in some respects as an external hardware token. Exemplary implementations may rely on combining three parameters to establish a three-factor based approach to authentication in a fraud-free manner for digital wallets, third-party software, and/or other purposes. The three-factor based approach to authentication may require something the user possesses (e.g., the authentication device), something the user is (e.g., a biometric identifier such as a fingerprint), and something the user knows (e.g., an image or numeric based pin used to unlock the authentication device).