Abstract: A system for split keys for wallet recovery includes an interface configured to receive a request to recover a user private key, and a processor configured to provide a request to a credential issuing authority for a first encrypted recovery key share, wherein the request includes a first identification credential, receive the first encrypted recovery key share from the credential issuing authority, provide a request to a trusted organization for a second encrypted recovery key share, wherein the request includes a second identification credential, receive the second encrypted recovery key share from the trusted organization, combine the first encrypted recovery key share and the second encrypted recovery key share to determine a recovered encryption key, and determine the user private key using the recovered encryption key.

Abstract: A system for providing an application includes an interface and a processor. The interface is configured to receive an indication to provide an application to a device. The processor is configured to provide the application to the device. The application is configured to receive a request for credentialed information associated with a user from a requesting server; determine whether a stored credential satisfies the request for the credentialed information; and in response to a determination that the stored credential satisfies the request for the credentialed information: determine a response credential for responding to the request; determine that the user approves sharing the credentialed information indicated by the response credential; and provide the response credential to the requesting server.

Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a create indication to create a guest credential representing a guest badge associated with a visitor and receive a claim indication from an authentication device to claim the guest credential. The processor is configured to provide the guest credential to the authentication device in response to the claim indication, provide a proof request to the authentication device, receive a proof response from the authentication device, validate the proof response, determine a visitor tracking system associated with a request from the authentication device to authenticate entry, and provide a check-in indication to the visitor tracking system that the visitor has checked in.

Abstract: A system for credential authentication comprises an interface configured to receive a create indication to create a visitor network credential and receive a certify indication to certify an authentication device to use a network, and a processor configured to provide the visitor network credential to the authentication device in response to the certify indication, provide a proof request to the authentication device, receive a proof response, validate the proof response using a distributed ledger, generate a network certificate, and provide the network certificate to the authentication device.

Abstract: A system for credential authentication includes an interface and a processor. The interface is configured to receive a request from an application for authorization to access. Access to the application is requested by a user using a user device. The processor is configured to provide an authentication request to the user device, receive a device credential, wherein the device credential is backed by data stored in a distributed ledger, determine a user identifier and an authentication device associated with the user based at least in part on the device credential, provide a proof request to the authentication device, receive a proof response, determine that the proof response is valid, generate a token, and provide the token to the application authorizing access for the user.

Abstract: A system for credential authentication includes and interface and a processor. The interface is configured to receive a request for authorization to access from an application. The processor is configured to determine a set of credentials that can enable authorization to access; generate a proof request challenge; receive a proof response; determine that the proof response is valid based at least in part on information stored in a distributed ledger; generate a token; and provide the token.

Abstract: A system for credential storing and verifying includes an interface and a processor. The interface is configured to receive an indication to register a credential. The processor is configured to indicate to store in a distributed ledger a DID document associated with a holder identifier using a smart contract. Storing using the smart contract employs a dual signature authentication scheme to authorize storing based at least in part on an individual signature and a ledger writer signature. The processor is further configured to indicate to store in the distributed ledger a schema associated with an issuer of the credential using the smart contract and indicate to store in the distributed ledger a credential definition associated with the schema using the smart contract.

Abstract: A system for providing access is configured to receive an application access request from an application for authorization to access and a sensitive data access request from the application for authorization to access a document that includes sensitive data. The system is further configured to determine to authorize access to the application in response to the application access request; to determine the user authentication device in response to the sensitive data access request; to provide a secondary request for authorization to access sensitive data to the user authentication device in response to the sensitive data access request, receive a secondary request response from the user authentication device to the secondary request; and to provide the secondary request response to the application enabling access to the sensitive data, where the document is encrypted for delivery to the application for the user using a blinding secret and an identity private key.

Abstract: A system for credential authentication include an interface configured to receive a create indication to create a location aware credential, wherein the location aware credential specifies visit location data and receive a check in indication to check in from an authentication device, wherein the authentication device provides the check in indication to check in in response to determining that a detected location is within a geographic boundary designated in the visit location data of the location aware credential, and a processor configured to provide a proof request, receive a proof response, validate the proof response using a distributed ledger, and provide a success indication of successful check in.

Abstract: A system includes an interface and a processor. The interface is configured to receive, at an application routing platform, an API call for an application platform comprising a signed tenant token. The processor is configured to determine that the signed tenant token is valid; determine an application platform token for the application platform; associate a root certificate with the application platform token; determine routing information to the application platform based at least in part on the API call; and provide the application platform the API call and the application platform token using the routing information to enable access to the application platform, wherein the application platform determines whether the application platform token is valid using the root certificate and executes the API call in response to a determination that the application platform token is valid.

Abstract: A system for creating an identity mapping on a distributed ledger includes an interface and a processor. The interface is configured to receive a request to create an identity mapping on a distributed ledger. The processor is configured to generate an identity key pair; generate a mobile encryption key; encrypt a private identity key of the identity key pair using the mobile encryption key to create an encrypted private key; store the encrypted private key; create a mapping document; sign the mapping document with the private identity key of the identity key pair; and provide the signed mapping document to be stored in a distributed ledger.

Abstract: A system for credential authentication comprises an interface configured to receive a create indication to create a badge credential representing an employee badge and receive a claim indication from an authentication device to claim the badge credential, and a processor configured to provide the badge credential to the authentication device in response to the claim indication, receive a proof response from the authentication device comprising the badge credential and a lock identifier, validate the proof response using a distributed ledger, and provide a token for unlocking a lock associated with the lock identifier to the authentication device.

Abstract: A system for access control includes an interface to receive an access request from a first user application for permission to access a first digital identity wallet application and a processor to: determine whether to grant access for the first user application to the first digital identity wallet application, wherein access is granted for the first user application to the first digital identity wallet application in response to the first user application belonging to a first circle of trust and the first digital identity wallet application belonging to the first circle of trust; and in response to determining to grant access for the first user application to the first digital identity wallet application, provide an access granting indication.

Abstract: The system comprises an interface and a processor. The interface is configured to receive a request from an application for authorization to access, wherein access to the application is requested by a user, and receive a task request from the application for authorization to access a task, wherein access to the task is requested by the user. The processor is configured to authenticate the request from the application for authorization to access, determine that the task comprises a sensitive task, determine a user authentication device, provide a challenge for a digital credential to the user authentication device, wherein the digital credential is backed by data stored in a distributed ledger, receive a response from the user authentication device, determine the response is valid, and provide an authorization to access the sensitive task.

Abstract: The system for credential authentication comprises an interface and a processor. The interface is configured to receive a request from an application for authorization to access, wherein access to the application is requested by a user using a user device. The processor is configured to provide a login request to the user; validate a login response; determine a user authentication device based on the login response; provide a proof request to the user authentication device; receive a proof response; determine that the proof response is valid using a distributed ledger; generate a token; and provide the token to the application authorizing access for the user.

Abstract: A system for providing an application includes an interface and a processor. The interface is configured to receive an indication to provide an application to a device. The processor is configured to provide the application to the device. The application is configured to: receive a request for a list of valid credentials; determine a list of stored credentials; provide the list of stored credentials to a database system; receive an indication of revoked credentials from the database system; and determine the list of valid credentials based at least in part on the list of stored credentials and the revoked credentials.

Abstract: A system for key storage and recovery includes an interface and a processor. The interface is configured to receive an indication to create a set of recovery encryption key shares. The processor is configured to receive a selection of one or more trusted entities from one or more categories; create a set of recovery encryption key shares based at least in part on one or more recovery encryption keys; and for a trusted entity of the trusted entities: 1) determine a trusted entity public key associated with the trusted entity; encrypt a recovery encryption key share of the set of recovery encryption key shares with the trusted entity public key to generate a trusted entity encrypted recovery encryption key share; and provide the trusted entity encrypted recovery encryption key share to the trusted entity.

Abstract: receive, at an application routing platform, an API call for an application platform comprising a signed tenant token. The processor is configured to determine that the signed tenant token is valid; determine an application platform token for the application platform; associate a root certificate with the application platform token; determine routing information to the application platform based at least in part on the API call; and provide the application platform the API call and the application platform token using the routing information to enable access to the application platform, wherein the application platform determines whether the application platform token is valid using the root certificate and executes the API call in response to a determination that the application platform token is valid.

Abstract: A system for split keys for wallet recovery includes an interface configured to receive a request to recover a user private key, and a processor configured to provide a request to a credential issuing authority for a first encrypted recovery key share, wherein the request includes a first identification credential, receive the first encrypted recovery key share from the credential issuing authority, provide a request to a trusted organization for a second encrypted recovery key share, wherein the request includes a second identification credential, receive the second encrypted recovery key share from the trusted organization, combine the first encrypted recovery key share and the second encrypted recovery key share to determine a recovered encryption key, and determine the user private key using the recovered encryption key.

Abstract: A system for providing an application includes an interface and a processor. The interface is configured to receive an indication to provide an application to a device. The processor is configured to provide the application to the device. The application is configured to receive a request for credentialed information associated with a user from a requesting server; determine whether a stored credential satisfies the request for the credentialed information; and in response to a determination that the stored credential satisfies the request for the credentialed information: determine a response credential for responding to the request; determine that the user approves sharing the credentialed information indicated by the response credential; and provide the response credential to the requesting server.