Abstract: Described herein are a system and techniques for enabling biometric authentication without exposing the authorizing entity to sensitive information. In some embodiments, the system receives a biometric template from a user device which is encrypted using a public key associated with the system. The encrypted biometric template is then provided to a second entity along with a biometric identifier. Upon receiving a request to complete a transaction that includes the biometric identifier and a second biometric template, the second entity may encrypt the second biometric template using the same public key associated with the system and perform a comparison between the two encrypted biometric templates. The resulting match result data file is already encrypted and can be provided to the system to determine an extent to which the two biometric templates match.

Abstract: Embodiments of the invention involve using biometric templates to wirelessly authenticate individuals. In one embodiment, a mobile device may generate a first biometric template and a first public value from a first biometric sample of a user and generate a first cryptographic key by passing the first biometric template to a fuzzy extractor's generate function. An access device may generate a second biometric template from a second biometric sample of the user, generate a second secret cryptographic key by passing the second biometric template and the first public value to the fuzzy extractor's reproduce function, encrypt the second biometric template with the second secret cryptographic key, and broadcast the encrypted template to a plurality of nearby mobile devices including the mobile device. If the mobile device is able to decrypt the encrypted template with the first cryptographic key, the access device can associate the user with the mobile device.

Abstract: A method and system for provisioning access data in a second application on a mobile device using a first application on the mobile device. Authentication data may be input into the first application, and an authentication code may be requested from a remote server. After the authentication code is received by the first application in the mobile device, it can pass the authentication code to a second application that initiates an access data provisioning process.

Abstract: Systems and methods are described for provisioning access credentials to a mobile device using device and authorization codes. Once provisioned, a mobile device can be used to conduct a transaction.

Abstract: Embodiments of the invention involve using biometric templates to wirelessly authenticate individuals. In one embodiment, a mobile device may generate a first biometric template and a first public value from a first biometric sample of a user and generate a first cryptographic key by passing the first biometric template to a fuzzy extractors generate function. An access device may generate a second biometric template from a second biometric sample of the user, generate a second secret cryptographic key by passing the second biometric template and the first public value to the fuzzy extractors reproduce function, encrypt the second biometric template with the second secret cryptographic key, and broadcast the encrypted template to a plurality of nearby mobile devices including the mobile device. If the mobile device is able to decrypt the encrypted template with the first cryptographic key, the access device can associate the user with the mobile device.

Abstract: Embodiments are directed to a method for securely performing biometric authentication online. The method described can be used to securely perform biometric authentication on a mobile device. For protecting the privacy of the user's biometric data, a cryptographic comparison protocol can be used to perform matching of encrypted templates. For example, the cryptographic comparison protocol may involve Fuzzy Extractors (FE), Homomorphic Encryption (HE), and/or Secure Multi-Party Computation (SMPC).

Abstract: Techniques for intelligently deciding the optimal authenticator(s) from amongst those supported by an electronic device are described. The authentication system according to some embodiments may include a dynamic machine learner that incorporates the attributes of: (i) user behavior attributes (e.g., preferred authenticator); (ii) device attributes (e.g., hardware and software specifications, applications, etc.); and (iii) operating environment attributes (e.g., ambient light, noise, etc.), as well as the interplay between the aforementioned attributes over time to make the decision. In some embodiments, the authentication activities and patterns of other users of similar type (e.g., users exhibiting similar behavior across different operating environments) can also be learned and employed to improve the decision making process over time.

Abstract: Embodiments are directed to a method for securely performing biometric authentication online. The method described can be used to securely perform biometric authentication on a mobile device. For protecting the privacy of the users biometric data, a cryptographic comparison protocol can be used to perform matching of encrypted templates. For example, the cryptographic comparison protocol may involve Fuzzy Extractors (FE), Homomorphic Encryption (HE), and/or Secure Multi-Party Computation (SMPC).

Abstract: Embodiments of the invention are directed to methods, apparatuses, computer readable media and systems for providing, along with a token, a token assurance level and data used to generate the token assurance level. At the time a token is issued, one or more Identification and Verification (ID&V) methods may be performed to ensure that the token is replacing a PAN that was legitimately used by a token requestor. A token assurance level may be assigned to a given token in light of the type of ID&V that is performed and the entity performing the ID&V. Different ID&Vs may result in different token assurance levels. An issuer may wish to know the level of assurance and the data used in generating the level of assurance associated with a token prior to authorizing a payment transaction that uses the token.

Abstract: When a user enters a resource provider location with a portable communication device, the portable communication device provides an indication to a transaction processing system that the portable communication device is currently at the resource provider location. At a later time when the user conducts a transaction with a portable transaction device, the fact that the user's portable communication device had been detected at the resource provider a short time ago is taken into account as a positive indicator that the transaction is not fraudulent. By verifying that both the portable communication device and the portable transaction device are present at the resource provider, the risk of approving a fraudulent transaction from a stolen portable transaction device can be reduced.

Abstract: Embodiments of the invention are directed to methods, apparatuses, computer readable media and systems for providing, along with a token, a token assurance level and data used to generate the token assurance level. At the time a token is issued, one or more Identification and Verification (ID&V) methods may be performed to ensure that the token is replacing a PAN that was legitimately used by a token requestor. A token assurance level may be assigned to a given token in light of the type of ID&V that is performed and the entity performing the ID&V. Different ID&Vs may result in different token assurance levels. An issuer may wish to know the level of assurance and the data used in generating the level of assurance associated with a token prior to authorizing a payment transaction that uses the token.

Abstract: Systems and methods are described for provisioning access credentials to a mobile device using device and authorization codes. Once provisioned, a mobile device can be used to conduct a transaction.

Abstract: Provided is a computer-implemented method for authenticating a customer during payment transactions based on biometric identification parameters of the customer that includes receiving image data associated with an image template for identification of a customer, receiving image data associated with an image of a biometric identification parameter of the customer during a payment transaction between the customer and a merchant, establishing a short-range communication connection with a user device associated with the customer during the payment transaction between the customer and the merchant, authenticating an identity of the customer for the payment transaction via the short-range communication connection, determining an account identifier of an account of the customer based on authenticating the identity of the customer for the payment transaction, and processing the payment transaction using the account identifier of the account of the customer. A system and computer program product are also disclosed.

Abstract: Systems and methods are described for provisioning access credentials to a mobile device using device and authorization codes. Once provisioned, a mobile device can be used to conduct a transaction.

Abstract: Provided is a computer-implemented method for authenticating a customer during payment transactions based on biometric identification parameters of the customer that includes receiving image data associated with an image template for identification of a customer, receiving image data associated with an image of a biometric identification parameter of the customer during a payment transaction between the customer and a merchant, establishing a short-range communication connection with a user device associated with the customer during the payment transaction between the customer and the merchant, authenticating an identity of the customer for the payment transaction via the short-range communication connection, determining an account identifier of an account of the customer based on authenticating the identity of the customer for the payment transaction, and processing the payment transaction using the account identifier of the account of the customer. A system and computer program product are also disclosed.

Abstract: A first biometric sample of a user is received by an access device from a user device. First biometric information is generated in an obscured format, based on the first biometric sample. A plurality of biometric information is received in an obscured format. The plurality of biometric information corresponds to a plurality of users, and was obtained from biometric samples of the plurality of users. The first biometric information in the obscured format is compared to the plurality of biometric information in the obscured format, and a match result is generated based on the comparing. The match result is provided to a server computer. Based on the match result, information indicating that one of the plurality of users that is associated with one of the plurality of biometric information is the user associated with the first biometric information is received.

Abstract: A method by an access device comprising obtaining a first biometric sample of a user; generating a first biometric template or a derivative thereof from the first biometric sample; transmitting the first biometric template or the derivative thereof to a mobile device, wherein the mobile device or the user determines if the access device is an authentic access device; receiving a confirmation of a match between the first biometric template and a second biometric template on the mobile device; and conducting a transaction between the access device and the mobile device, after the mobile device or the user determines that the access device is authentic.

Abstract: The invention is directed to a system that enables an authentication process that involves secure multi-party computation. The authentication process can be performed between a user device operated by a user and an access device. The user device and the access device may conduct the authentication process such that enrollment information and authentication information input by the user is not transmitted between the devices. Instead, the user device may determine and utilize obfuscated values associated with the authentication information. The user device may also determine an obfuscated authentication function that can be utilized to determine an authentication result without revealing enrollment information and authentication information associated with the user. The user can be authenticated based on the authentication result.

Abstract: Client devices can send access request messages to resource management computers to request access to a resource. A data security hub can provide centralized routing between different client devices, resource management computers, and authentication data processing servers. The data security hub can reduce the risk of sensitive authentication information from leaking (e.g., due to a breach) by limiting the amount or types of authentication information distributed to the data processing servers. The data security hub can limited the authentication information being distributed based on its sensitivity, the trust level of the client device, and the security level of the requested resource. The data security hub can also evaluate the client devices and data processing servers to identify security breaches and can cancel or reroute access requests accordingly. Thus, the data security hub can maintain resource security while better preserving the privacy of the client device's authentication information.

Abstract: A biometric matching process is disclosed. The biometric matching process may be used to obtain access to a resource managed by an access device using only biometric information. In some embodiments, a biometric template is stored in relation to a user device and/or account information, and is obscured. Upon receiving a request for access to a resource from an access device, the system may identify a number of user devices in proximity to the access device. Biometric templates associated with each of those user devices may be compared to a biometric template received from the access device. Upon identifying a match, the system may provide the access device with account information stored in relation to the matched biometric template. The access device may then complete a transaction using the provided account information and grant access to the requested resource.