Patents by Inventor Ashfaq KAMAL

Ashfaq KAMAL has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10546119
    Abstract: Methods and systems for protecting sensitive data on a mobile device. In an embodiment, a mobile device processor of a mobile device downloads, from a provider computer, an application including a white box software development kit (SDK). The mobile device processor utilizes a code protection process of the application to obfuscate sensitive user data, stores the obfuscated user data in a regular memory, runs the white box SDK to monitor and protect sensitive applications which execute when conducting transactions, and receives instructions from a trusted application manager computer to at least one of re-obfuscate the sensitive user data and reset a user root key.
    Type: Grant
    Filed: November 14, 2016
    Date of Patent: January 28, 2020
    Assignee: Mastercard International Incorporated
    Inventor: Ashfaq Kamal
  • Publication number: 20200013032
    Abstract: Methods, apparatus and systems for allowing users to easily and securely enroll directly into a newly issued biometric payment card. In an embodiment, a user is provided with a biometric payment card enrollment package that includes a biometric payment card, an energy sleeve having a power source and at least a front wall and a rear wall defining an opening for accepting the biometric payment card therein, and at least one light-emitting diode (LED). The power source includes circuitry to provide power to an EMV chip of the biometric payment card when the biometric payment card is seated therein, and to provide power to the LED during a biometric enrollment process. In some embodiments, a software development kit (SDK) provided by the issuer of the biometric payment card provides support and guidance which enables the user to enroll directly into the biometric payment card.
    Type: Application
    Filed: July 9, 2018
    Publication date: January 9, 2020
    Inventors: Ellen Moskowitz, Ashfaq Kamal
  • Patent number: 10476862
    Abstract: Systems and methods are provided for verifying identities of users. One exemplary method includes generating a unique identifier (ID) for a user, generating a public/private key pair associated with the unique ID for the user, and receiving at least two images. The images include a first image associated with a physical document indicative of an identity of the user and a second image comprising an image of at least part of the user. The exemplary method further includes validating an integrity of the first image, converting at least the first image to one-way hashed data, when the integrity of the first image is valid, and transmitting the hashed data signed with the private key, the unique ID and the public key to an identification provider, whereby a digital identity record for the user is stored in a ledger data structure.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: November 12, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Ashfaq Kamal
  • Patent number: 10469490
    Abstract: FIDO (“Fast IDentity Online”) authentication processes and systems are described. In an embodiment, a FIDO information systems (IS) computer system receives a FIDO authentication request for a transaction from a user device, which includes user data and user device authenticator data. The FIDO IS computer system then verifies the user data and user device authenticator data, selects a FIDO-certified server, transmits the FIDO authentication request to the selected FIDO server, and receives a challenge message from the selected FIDO-certified server. The FIDO IS computer system next transmits the challenge message to the user device, receives a FIDO authentication response, transmits the FIDO authentication response to the selected FIDO-certified server, receives an authentication result from the FIDO-certified server, and transmits the authentication result to the user device.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: November 5, 2019
    Assignee: Mastercard International Incorporated
    Inventors: Dawid Nowak, Ashley Waldron, Ashfaq Kamal
  • Publication number: 20190320039
    Abstract: Systems, devices and methods are described herein for providing digital identities. One exemplary device includes a portable communication device having non-transitory computer executable native code, which configures the portable communication device to facilitate storing of a digital ID token for a user in memory of the portable communication device, as part of a setup procedure of the portable communication device associated with an initial startup of the portable communication device by the user or a startup of the device after a factory reset, whereby the digital ID token is provisioned to the portable communication device, either in dependence of or apart from any application downloaded to the communication device after the setup procedure.
    Type: Application
    Filed: April 12, 2019
    Publication date: October 17, 2019
    Inventor: Ashfaq Kamal
  • Patent number: 10404464
    Abstract: A method for registration of a biometric template in a computing device includes: storing, in a first memory of a computing device, a biometric module; receiving, by an input device of the computing device, biometric data of a user; generating, by the biometric module of the computing device, a template based on the biometric data; generating, by a generation module of the computing device, a cryptographic key pair comprised of a private key and a corresponding public key using an encryption algorithm; encrypting, by an encryption module of the computing device, the generated template using the private key; storing, in a second memory of the computing device, the private key, wherein the second memory is a trusted execution environment; and storing, in the computing device, the encrypted template.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: September 3, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Ashfaq Kamal
  • Publication number: 20190261169
    Abstract: Systems and methods are provided for managing digital identities in multiple regions, through multiple identity providers, while providing for policy enforcement in connection with the digital identities. One exemplary method includes receiving, at an identity and access management hub (IAMH) in a first region, a request related to a digital identity from a secondary hub disposed in a second region and checking a policy associated with the digital identity. In response, the IAMH solicits at least one claim from a user, at a relying party application and/or website, based on the request and provides the at least one claim to a value-added service associated with the IAMH for verification of the at least one claim. The IAMH then transmits a result of the verification to the relying party associated with the request and provides a token, in response to the request, to a secure resource associated with the relying party.
    Type: Application
    Filed: February 20, 2019
    Publication date: August 22, 2019
    Inventors: Ashfaq Kamal, Charles Walton, Robert D. Reany
  • Publication number: 20190245693
    Abstract: Systems and methods are provided for managing digital identities associated with users. One exemplary method includes receiving, at a computing device, an encrypted message from a communication device associated with a user where the messaging includes a changed attribute for the user. The method also includes generating a hash of a digital identity for the user with the changed attribute, generating a hash of the digital identity of the user stored in a ledger data structure, and transmitting a request for the user to attest to the changed attribute when the generated hashes do not match. The method then further includes broadcasting a pending status of the digital identity of the user to a relying party for the digital identity, and storing a certification of the changed attribute, received from the relying party in response to the pending status, based on verification of the changed attribute by the relying party.
    Type: Application
    Filed: February 7, 2018
    Publication date: August 8, 2019
    Inventors: Ranjita Shankar Iyer, Robert D. Reany, Ashfaq Kamal
  • Publication number: 20190197815
    Abstract: Systems and methods are provided for use in providing digital identities for users. One exemplary method includes receiving, at a card device, an authentication request and a captured first biometric of the user, from a communication device associated with the user, and comparing the first biometric and a first biometric reference at the card device, when the first biometric reference is stored at the card device. The method also includes capturing, at the card device, a second biometric of the user and comparing the second biometric to a second biometric reference stored at the card device. The method further includes compiling a response to the authentication request including a first indicator associated with the comparison of the first biometric to the first biometric reference and a second indicator associated with the comparison of the second biometric to the second biometric reference, and transmitting the response to the communication device.
    Type: Application
    Filed: December 22, 2017
    Publication date: June 27, 2019
    Inventors: Ashfaq Kamal, Sumeet Bhatt, Robert D. Reany
  • Publication number: 20190199714
    Abstract: Systems and methods are provided for use in provisioning a biometric image template of a user to a card device associated with the user. One exemplary method includes authenticating, by a card device, a portable communication device associated with the user based on a certificate associated with the portable communication device and receiving, at the card device, a biometric image of the user from the portable communication device after the portable communication device is authenticated. The method then includes storing, by the card device, the biometric image of the user in a memory of the card device as a biometric image template of the user, whereby the user may be authenticated, by the card device, based on a subsequent biometric image matching the biometric image template.
    Type: Application
    Filed: December 22, 2017
    Publication date: June 27, 2019
    Inventors: Ashfaq Kamal, Sumeet Bhatt, Robert D. Reany
  • Publication number: 20190124081
    Abstract: FIDO (“Fast IDentity Online”) authentication processes and systems are described. In an embodiment, a FIDO information systems (IS) computer system receives a FIDO authentication request for a transaction from a user device, which includes user data and user device authenticator data. The FIDO IS computer system then verifies the user data and user device authenticator data, selects a FIDO-certified server, transmits the FIDO authentication request to the selected FIDO server, and receives a challenge message from the selected FIDO-certified server. The FIDO IS computer system next transmits the challenge message to the user device, receives a FIDO authentication response, transmits the FIDO authentication response to the selected FIDO-certified server, receives an authentication result from the FIDO-certified server, and transmits the authentication result to the user device.
    Type: Application
    Filed: October 19, 2017
    Publication date: April 25, 2019
    Inventors: Dawid Nowak, Ashley Waldron, Ashfaq Kamal
  • Publication number: 20190089702
    Abstract: Systems and methods are provided for use in enabling, providing, and managing digital identities in association with mobile communication devices. One exemplary method includes capturing an image of a physical document comprising a biometric of a user associated with the physical document, and extracting the biometric from the image and converting it to a biometric template. The method also includes capturing a biometric of the user and comparing it to the biometric template. The method then includes, when the captured biometric matches the biometric template, transmitting a message to an identification provider comprising at least the image of the physical document and the biometric template, whereby the biometric template is verified against a repository, and binding data representative of the mobile communication device, a mobile application included therein, and the biometric template and/or the captured biometric of the user into a token.
    Type: Application
    Filed: September 18, 2018
    Publication date: March 21, 2019
    Inventors: Sumeet Bhatt, Ashfaq Kamal
  • Publication number: 20190087825
    Abstract: Systems and methods are provided for use in provisioning a biometric template to a biometric device. One exemplary method includes interacting, at a terminal associated with a banking institution, with a biometric device associated with a user and capturing a biometric of the user. The method also includes transmitting, by the terminal, an image of the captured biometric to a repository including a data structure of multiple biometric references, thereby permitting the repository to confirm the captured biometric against one of the multiple biometric references associated with the user. The method further includes receiving, at the terminal, a confirmation of the captured biometric matching the one of the multiple biometric references, converting the captured biometric to a biometric template upon such confirmation, and provisioning the biometric template to the biometric device, thereby permitting the user to be authenticated in connection with a transaction using the biometric device.
    Type: Application
    Filed: September 18, 2018
    Publication date: March 21, 2019
    Inventors: Sumeet Bhatt, Ashfaq Kamal, Rajat Maheshwari
  • Patent number: 10152706
    Abstract: A mobile device includes a wireless transceiver, a host processor, a secure element (SE), and a near field communication (NFC) system having an NFC transceiver and an NFC controller implementing a contactless front end. The contactless front end routes a near field communication related to a payment transaction between the NFC system and the SE without going to or from the host processor. The contactless front end routes a near field communication not related to a payment transaction, but requiring a security function, between the NFC system and the SE without going to or from the host processor. The contactless front end routes a near field communication not related to a payment transaction, and not requiring a security function, between the NFC system and host processor without going to or from the SE.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: December 11, 2018
    Assignee: Cellco Partnership
    Inventors: Manuel Enrique Caceres, Yuk Lun Li, Mohammad Ashfaq Kamal
  • Publication number: 20180288033
    Abstract: Systems and methods are provided for verifying identities of users. One exemplary method includes generating a unique identifier (ID) for a user, generating a public/private key pair associated with the unique ID for the user, and receiving at least two images. The images include a first image associated with a physical document indicative of an identity of the user and a second image comprising an image of at least part of the user. The exemplary method further includes validating an integrity of the first image, converting at least the first image to one-way hashed data, when the integrity of the first image is valid, and transmitting the hashed data signed with the private key, the unique ID and the public key to an identification provider, whereby a digital identity record for the user is stored in a ledger data structure.
    Type: Application
    Filed: March 31, 2017
    Publication date: October 4, 2018
    Inventor: Ashfaq Kamal
  • Publication number: 20180219680
    Abstract: Methods and systems for permitting sensitive cardholder data to be securely stored in a regular storage element of a smart transaction card. In an embodiment, a transaction card processor of the smart transaction card installs a security application compatible with the operating system of the smart transaction card and that includes a white box cardlet. The transaction card processor uses a code protection process of the white box cardlet to obfuscate biometric reference template data stored in the regular memory of a biometric sensor, next stores the obfuscated biometric reference template data in the regular memory, and then re-obfuscates the biometric reference template data at a predetermined time interval.
    Type: Application
    Filed: February 2, 2017
    Publication date: August 2, 2018
    Inventors: Ashfaq Kamal, Sumeet Bhatt
  • Publication number: 20180167386
    Abstract: Systems, methods, and non-transitory computer readable media decentralize biometric enrollment. A server receives a request to enroll a user for biometric authentication in association with a unique ID, generates an activation code corresponding to the unique ID, and sends the activation code to the user. A user device receives and validates the activation code. If the activation code is valid, the user device is enabled to: capture at least one biometric image, and to send the biometric image to the server. The server receives at least one biometric image from the user device in response to the activation code and extracts features from at least one biometric image to generate a biometric template based upon the extracted features to enroll the user for biometric authentication without requiring the user to visit a central location to provide at least one biometric image.
    Type: Application
    Filed: May 1, 2017
    Publication date: June 14, 2018
    Inventors: Sumeet Bhatt, Ashfaq Kamal
  • Publication number: 20180167387
    Abstract: Systems, methods, and non-transitory computer readable medium use external databases for biometric authentication. A server receives a request for authentication of a user from a requestor. A notification is sent to a user device associated with the user from the server. A biometric image is received within the server in response to the notification. A biometric ID of the user is sent from the server to an external database for identifying a biometric template stored with the external database. An authentication result indicative of a match between the biometric image and the biometric template is determined and the authentication result is sent to the requestor. The external databases are owned by a third party, and the biometric template of the user was previously generated and stored within the external database in association with the biometric ID.
    Type: Application
    Filed: May 1, 2017
    Publication date: June 14, 2018
    Inventors: Sumeet Bhatt, Ashfaq Kamal
  • Publication number: 20180165676
    Abstract: Systems, methods, and non-transitory computer readable media relate to smartcard biometric enrollment. In an embodiment that does not require a user to visit a central location to provide fingerprint images, an activation code corresponding to a unique ID that uniquely identifies a user of a service is generated and sent to the user. In response, at least one finger image is received from a user device. The image is processed to isolate a fingerprint image, which is used to generate a biometric template that is sent to a smartcard manufacturer and used to configure a smartcard for biometric authentication of the user. In another embodiment, a kiosk/ATM provides smartcard biometric enrollment by detecting a smartcard in the smartcard reader, verifying an ID of a user associated with the smartcard, capturing a biometric image from the user, processing the biometric image to generate a biometric template, and storing the biometric template on the smartcard.
    Type: Application
    Filed: May 1, 2017
    Publication date: June 14, 2018
    Inventors: Sumeet Bhatt, Ashfaq Kamal, Robert D. Reany
  • Publication number: 20180137272
    Abstract: Methods and systems for protecting sensitive data on a mobile device. In an embodiment, a mobile device processor of a mobile device downloads, from a provider computer, an application including a white box software development kit (SDK). The mobile device processor utilizes a code protection process of the application to obfuscate sensitive user data, stores the obfuscated user data in a regular memory, runs the white box SDK to monitor and protect sensitive applications which execute when conducting transactions, and receives instructions from a trusted application manager computer to at least one of re-obfuscate the sensitive user data and reset a user root key.
    Type: Application
    Filed: November 14, 2016
    Publication date: May 17, 2018
    Inventor: Ashfaq Kamal