Abstract: Systems and methods are provided for use in enabling, providing, and managing digital identities in association with mobile communication devices. One exemplary method includes capturing an image of a physical document comprising a biometric of a user associated with the physical document, and extracting the biometric from the image and converting it to a biometric template. The method also includes capturing a biometric of the user and comparing it to the biometric template. The method then includes, when the captured biometric matches the biometric template, transmitting a message to an identification provider comprising at least the image of the physical document and the biometric template, whereby the biometric template is verified against a repository, and binding data representative of the mobile communication device, a mobile application included therein, and the biometric template and/or the captured biometric of the user into a token.

Abstract: Systems and methods are provided for managing digital identities associated with users. One exemplary method includes receiving, at a computing device, an encrypted message from a communication device associated with a user where the messaging includes a changed attribute for the user. The method also includes generating a hash of a digital identity for the user with the changed attribute, generating a hash of the digital identity of the user stored in a ledger data structure, and transmitting a request for the user to attest to the changed attribute when the generated hashes do not match. The method then further includes broadcasting a pending status of the digital identity of the user to a relying party for the digital identity, and storing a certification of the changed attribute, received from the relying party in response to the pending status, based on verification of the changed attribute by the relying party.

Abstract: An enhanced 3D Secure user authentication process and system. In some embodiments, a consumer device processor of a consumer device running a Web Authentication application programming interface (API) transmits a request to a relying party device requesting use of an enhanced 3D Secure authentication service. The consumer device processor then receives a request to authenticate a consumer from the relying party device by using a specific customer verification method (CVM), prompts, by running the Web Authentication API, the consumer to provide input in accordance with the CVM, receives input data in accordance with the CVM from an authenticator of the consumer device, verifies the consumer based on the input data, generates an authentication data package and transmits to the relying party device the authentication data package for processing and forwarding to a 3D Requestor environment.

Abstract: A method for device based biometric authentication includes: storing, in a computing device, an encrypted biometric template; storing, in a first memory of the computing device, at least a first application program; storing, in a second memory of the computing device, at least a second application program and an encryption key, wherein the second memory is a trusted execution environment; receiving, by the second application program of the computing device, a validation request submitted by the first application program; receiving, by an input device of the computing device, biometric data; decrypting, by the second application program of the computing device, the encrypted biometric template using the encryption key; validating, by the second application program of the computing device, the received biometric data using the decrypted biometric template; and transmitting, by the second application program of the computing device, a result of the validation to the first application program.

Abstract: Systems, devices and methods are described herein for verifying digital identities. One exemplary method includes receiving a request for verification from a relying party where the request includes a query related to an attribute of an identity of a user and a MPAN specific to the user. The method also includes identifying at least one verification party enrolled for the user and, when the at least one verification party includes sufficient information to respond to the query, converting the MPAN to an AgencyPAN associated with the at least one verification party. The method then includes submitting the query along with the AgencyPAN to an interface processor associated with the at least one verification party, receiving a response to the query from the interface processor, and transmitting the response to the query to the relying party.

Abstract: Methods, apparatus and systems for allowing users to easily and securely enroll directly into a newly issued biometric payment card. In an embodiment, a user is provided with a biometric payment card enrollment package that includes a biometric payment card, an energy sleeve having a power source and at least a front wall and a rear wall defining an opening for accepting the biometric payment card therein, and at least one light-emitting diode (LED). The power source includes circuitry to provide power to an EMV chip of the biometric payment card when the biometric payment card is seated therein, and to provide power to the LED during a biometric enrollment process. In some embodiments, a software development kit (SDK) provided by the issuer of the biometric payment card provides support and guidance which enables the user to enroll directly into the biometric payment card.

Abstract: Systems and methods are provided for use in provisioning digital identities for users. One exemplary method includes receiving, at a card device, an authentication request and a captured first biometric of a user, from a communication device associated with the user, and comparing the first biometric and a first biometric reference at the card device, in response to the first biometric reference being stored at the card device. The method also includes capturing, at the card device, a second biometric of the user and comparing the second biometric to a second biometric reference stored at the card device. The method further includes compiling a response to the authentication request including a first indicator of the comparison of the first biometric to the first biometric reference and a second indicator of the comparison of the second biometric to the second biometric reference, and transmitting the response to the communication device.

Abstract: Systems and methods are provided for use in tokenizing credentials for users. One exemplary computer-implemented method includes receiving a tokenization request including a first biometric template for a user, deriving a zero-knowledge proof (ZKP) parameter based on the first biometric template and an identifier associated with the user, and storing the ZKP parameter in a ledger data structure. The method then includes receiving an authentication request for a transaction by the user at a merchant, where the authentication request includes the identifier, generating a subsequent ZKP based on a second biometric template associated with the user and the identifier included in the authentication request, checking the subsequent ZKP against the ZKP parameter stored in the ledger data structure, and transmitting a verified identifier for the user to an authorization network when the check of the subsequent ZKP is successful.

Abstract: FIDO (“Fast IDentity Online”) authentication processes and systems are described. In an embodiment, a FIDO (“Fast IDentity Online”) authentication process includes a FIDO information systems (IS) computer system receiving a FIDO authentication request for a transaction from a user device, the FIDO authentication request including user data and user device authenticator data, then verifying the user data and user device authenticator data, selecting a FIDO-certified server based on a list of authorized authenticators, business rules and the user device authenticator data, and transmitting the FIDO authentication request to the selected FIDO server. The process also includes the FIDO IS computer system receiving an authentication result from the FIDO-certified server, and transmitting the authentication result to the user device.

Abstract: Systems and methods are provided for managing user identities in networks. One exemplary method includes receiving, at a communication device, an API call request for a credential from a relying party. The communication device includes an application that incorporates an SDK. After receiving the API call request for the credential, the communication device authenticates a user associated with the communication device and identified in the API call request. After authentication of the user the communication device generates, via the SDK, a private-public key pair and stores the private key in memory. The communication device compiles, via the SDK, a credential packet include the public key and identity data associated with the user and transmits the credential packet to the relying party, whereby the relying party is registered to the SDK to request assertions of an identity of the user.

Abstract: Methods and apparatus for securing access to an encrypted personal data store on a mobile device. In some embodiments, a universal integrated circuit card (UICC) processor receives, from a mobile device processor of a mobile device having an encrypted Personal Data Store (PDS), a PDS access request associated with a mobile application, then determines that access control rules are stored in at least one access control rules database and transmits to the mobile device processor, the access control rules governing access to the data in the encrypted PDS. The process also includes the UICC processor receiving a request for a symmetric shared secret and transmitting the symmetric shared secret to the mobile device processor for use in accessing the PID of the user stored in the encrypted PDS in accordance with the access control rules.

Abstract: Systems and methods are provided for managing digital identities in multiple regions, through multiple identity providers, while providing for policy enforcement in connection with the digital identities. One exemplary method includes receiving, at an identity and access management hub (IAMH) in a first region, a request related to a digital identity from a secondary hub disposed in a second region and checking a policy associated with the digital identity. In response, the IAMH solicits at least one claim from a user, at a relying party application and/or website, based on the request and provides the at least one claim to a value-added service associated with the IAMH for verification of the at least one claim. The IAMH then transmits a result of the verification to the relying party associated with the request and provides a token, in response to the request, to a secure resource associated with the relying party.

Abstract: A method for real-time invoice updating and account-to-account payment includes: receiving invoice data based on presentation of an invoice by a distributor to a recipient at a delivery location, modification of the invoice by the recipient, and acceptance of the invoice by the recipient; generating a request for payment (RFP) message based on the invoice data; transmitting the RFP message to a financial institution associated with the recipient via a financial institution of the distributor; receiving, from the financial institution associated with the distributor, a payment confirmation for the invoice based on a real-time payment from the financial institution associated with the recipient; generating reconciliation data based on the payment confirmation and the invoice data; and transmitting the reconciliation data to a computing device of the distributor and a computing device of the recipient.

Abstract: Systems and methods are provided for use in provisioning digital identities for users. One exemplary method includes receiving, at a card device, an authentication request and a captured first biometric of a user, from a communication device associated with the user, and comparing the first biometric and a first biometric reference at the card device, in response to the first biometric reference being stored at the card device. The method also includes capturing, at the card device, a second biometric of the user and comparing the second biometric to a second biometric reference stored at the card device. The method further includes compiling a response to the authentication request including a first indicator of the comparison of the first biometric to the first biometric reference and a second indicator of the comparison of the second biometric to the second biometric reference, and transmitting the response to the communication device.

Abstract: Systems, methods, and non-transitory computer readable media decentralizes biometric enrollment. A server receives a request to enroll a user for biometric authentication in association with a unique ID, generates an activation code corresponding to the unique ID, and sends the activation code to the user. A user device receives and validates the activation code. If the activation code is valid, the user device is enabled to: capture at least one biometric image, and to send the biometric image to the server. The server receives at least one biometric image from the user device in response to the activation code and extracts features from at least one biometric image to generate a biometric template based upon the extracted features to enroll the user for biometric authentication without requiring the user to visit a central location to provide at least one biometric image.

Abstract: Methods and systems for protecting sensitive data and applications on a mobile device. In an embodiment, a mobile device processor of a mobile device downloads, from a digital wallet server computer, a mobile wallet application including a white box software development kit (SDK) which includes code protection processes, then obfuscates, by running the code protection processes of the white box SDK, consumer financial data and consumer authentication data and stores the obfuscated consumer financial data and consumer authentication data in a regular memory of the mobile device. The process also includes protecting, by the mobile device processor running the white box SDK, sensitive applications stored in the regular memory which execute during a transaction from attack, and re-obfuscating, by the mobile device processor, at least one of the consumer financial data and the consumer authentication data according to a predetermined time interval.

Abstract: Systems and methods are provided for use in providing digital identities for users. One exemplary method includes receiving, at a card device, an authentication request and a captured first biometric of the user, from a communication device associated with the user, and comparing the first biometric and a first biometric reference at the card device, when the first biometric reference is stored in at the card device. The method also includes capturing, at the card device, a second biometric of the user and comparing the second biometric to a second biometric reference stored at the card device. The method further includes compiling a response to the authentication request including a first indicator associated with the comparison of the first biometric to the first biometric reference and a second indicator associated with the comparison of the second biometric to the second biometric reference, and transmitting the response to the communication device.

Abstract: Methods and systems for permitting sensitive cardholder data to be securely stored in a regular storage element of a smart transaction card. In an embodiment, a transaction card processor of the smart transaction card installs a security application compatible with the operating system of the smart transaction card and that includes a white box cardlet. The transaction card processor uses a code protection process of the white box cardlet to obfuscate biometric reference template data stored in the regular memory of a biometric sensor, next stores the obfuscated biometric reference template data in the regular memory, and then re-obfuscates the biometric reference template data at a predetermined time interval.

Abstract: Systems and methods are provided for verifying identities of users. One exemplary method includes generating a unique identifier (ID) for a user, generating a public/private key pair associated with the unique ID for the user, and receiving at least two images. The images include a first image associated with a physical document indicative of an identity of the user and a second image comprising an image of at least part of the user. The exemplary method further includes validating an integrity of the first image, converting at least the first image to one-way hashed data, when the integrity of the first image is valid, and transmitting the hashed data signed with the private key, the unique ID and the public key to an identification provider, whereby a digital identity record for the user is stored in a ledger data structure.

Abstract: FIDO (“Fast IDentity Online”) authentication processes and systems are described. In an embodiment, a FIDO (“Fast IDentity Online”) authentication process includes a FIDO information systems (IS) computer system receiving a FIDO authentication request for a transaction from a user device, the FIDO authentication request including user data and user device authenticator data, then verifying the user data and user device authenticator data, selecting a FIDO-certified server based on a list of authorized authenticators, business rules and the user device authenticator data, and transmitting the FIDO authentication request to the selected FIDO server. The process also includes the FIDO IS computer system receiving an authentication result from the FIDO-certified server, and transmitting the authentication result to the user device.