Patents by Inventor Prakash Sundaresan
Prakash Sundaresan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240185226
Abstract: A processor-implemented system and method for dynamically retrieving an attribute value of an identity claim for a user using a digitally signed access token that is digitally signed by a user device, at a relying party device associated with a relying party. The method includes (i) making an API call to retrieve at least one identity claim for the user, (ii) processing each identity claim of the user to identify if at least one by-reference identity claim that includes a URL of an endpoint, (iii) obtaining the digitally signed access token that is digitally signed by the user device, (iv) invoking the URL of the endpoint with the at least one by-reference identity claim and the digitally signed access token, and (v) dynamically retrieving the attribute value from the URL of the endpoint from an issuing party device associated with an issuing party.
Type: Application
Filed: February 13, 2024
Publication date: June 6, 2024
Inventors: Kamalanathan Thandapani, Lionello G. Lunesu, Aneesh Sandeep Verenkar, Keith Kowal, Prakash Sundaresan
-
Patent number: 11948145
Abstract: A processor-implemented system and method for dynamically retrieving an attribute value of an identity claim for a user using a digitally signed access token that is digitally signed by a user device, at a relying party device associated with a relying party. The method includes (i) making an API call to retrieve at least one identity claim for the user, (ii) processing each identity claim of the user, with the relying party device, to identify if at least one by-reference identity claim that includes a URL of an endpoint, (iii) obtaining the digitally signed access token that is digitally signed by the user device, (iv) invoking the URL of the endpoint with the at least one by-reference identity claim and the digitally signed access token, and (v) dynamically retrieving the attribute value from the URL of the endpoint from an issuing party device associated with an issuing party.
Type: Grant
Filed: February 24, 2023
Date of Patent: April 2, 2024
Assignee: Workday, Inc.
Inventors: Kamalanathan Thandapani, Lionello G. Lunesu, Aneesh Sandeep Verenkar, Keith Kowal, Prakash Sundaresan
-
Patent number: 11870898
Abstract: A system for split keys for wallet recovery includes an interface configured to receive a request to recover a user private key, and a processor configured to provide a request to a credential issuing authority for a first encrypted recovery key share, wherein the request includes a first identification credential, receive the first encrypted recovery key share from the credential issuing authority, provide a request to a trusted organization for a second encrypted recovery key share, wherein the request includes a second identification credential, receive the second encrypted recovery key share from the trusted organization, combine the first encrypted recovery key share and the second encrypted recovery key share to determine a recovered encryption key, and determine the user private key using the recovered encryption key.
Type: Grant
Filed: May 21, 2020
Date of Patent: January 9, 2024
Assignee: Workday, Inc.
Inventors: Bjorn Hamel, Prakash Sundaresan
-
Publication number: 20230196343
Abstract: A processor-implemented system and method for dynamically retrieving an attribute value of an identity claim for a user using a digitally signed access token that is digitally signed by a user device, at a relying party device associated with a relying party. The method includes (i) making an API call to retrieve at least one identity claim for the user, (ii) processing each identity claim of the user, with the relying party device, to identify if at least one by-reference identity claim that includes a URL of an endpoint, (iii) obtaining the digitally signed access token that is digitally signed by the user device, (iv) invoking the URL of the endpoint with the at least one by-reference identity claim and the digitally signed access token, and (v) dynamically retrieving the attribute value from the URL of the endpoint from an issuing party device associated with an issuing party.
Type: Application
Filed: February 24, 2023
Publication date: June 22, 2023
Inventors: Kamalanathan Thandapani, Lionello G. Lunesu, Aneesh Sandeep Verenkar, Keith Kowal, Prakash Sundaresan
-
Patent number: 11671267
Abstract: A processor-implemented system and method for enabling a relying party device associated with a relying party to verify an identity of a user. The method includes the steps of (i) generating, using a cryptographic processor on a user device associated with the user, a first set of credentials including a public-private key pair associated with the user, (ii) receiving at least one cryptographic challenge from the relying party device associated with the relying party, (iii) verifying at least one of a biometric or a PIN code, (iv) responding to the at least one cryptographic challenge by performing the at least one cryptographic operation on the cryptographic challenge using the user private key to form a result of the at least one cryptographic operation and (v) transmitting the result of the at least one cryptographic operation as a cryptographic challenge response to the relying party device.
Type: Grant
Filed: June 22, 2021
Date of Patent: June 6, 2023
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Patent number: 11640456
Abstract: A credential accessing system includes an interface and a processor. The interface is configured to receive a request to access a credential using a credential access application. The processor is configured to execute the credential access application in response to a request from a user application, wherein the request from the user application comprises an indication of a target application. Executing the credential access application comprises: 1) receiving an indication of interactive control, wherein interactive control is redirected from the user application, and wherein the indication of interactive control comprises the indication to access the credential; 2) determine whether to allow access to the credential; and 3) in response to determining to allow access to the credential, access the credential and provide the credential to the target application; and 4) indicate to redirect interactive control to the target application.
Type: Grant
Filed: April 21, 2020
Date of Patent: May 2, 2023
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Aneesh Sandeep Verenkar, Lionello G. Lunesu, Krishnan Rajiyah, Kamalanathan Thandapani, Keith Kowal, Amit Jasuja
-
Patent number: 11632239
Abstract: A system for blockchain-based authentication comprises an interface and a processor configured to (i) receive, by a first device, a command from a second device, where the first device is associated with a first trust certificate, (ii) receive a second trust certificate from the second device, (iii) communicate a cryptographic challenge using a public key of the second device to the second device, (iv) receive a response to the cryptographic challenge from the second device, (v) check whether the response matches with a predetermined correct response or not, and (vi) authenticate the second device and execute the commend received from the second device only if the response matches with the predetermined correct response.
Type: Grant
Filed: April 12, 2022
Date of Patent: April 18, 2023
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Patent number: 11615403
Abstract: A processor-implemented system and method for dynamically retrieving an attribute value of an identity claim for a user using a digitally signed access token that is digitally signed by a user device, at a relying party device associated with a relying party. The method includes (i) making an API call to retrieve at least one identity claim for the user, (ii) processing each identity claim of the user, with the relying party device, to identify if at least one by-reference identity claim that includes a URL of an endpoint, (iii) obtaining the digitally signed access token that is digitally signed by the user device, (iv) invoking the URL of the endpoint with the at least one by-reference identity claim and the digitally signed access token, and (v) dynamically retrieving the attribute value from the URL of the endpoint from an issuing party device associated with an issuing party.
Type: Grant
Filed: May 6, 2020
Date of Patent: March 28, 2023
Assignee: Workday, Inc.
Inventors: Kamalanathan Thandapani, Lionello G. Lunesu, Aneesh Sandeep Verenkar, Keith Kowal, Prakash Sundaresan
-
Patent number: 11539533
Abstract: A system for access control includes an interface to receive an access request from a first user application for permission to access a first digital identity wallet application and a processor to: determine whether to grant access for the first user application to the first digital identity wallet application, wherein access is granted for the first user application to the first digital identity wallet application in response to the first user application belonging to a first circle of trust and the first digital identity wallet application belonging to the first circle of trust; and in response to determining to grant access for the first user application to the first digital identity wallet application, provide an access granting indication.
Type: Grant
Filed: July 1, 2020
Date of Patent: December 27, 2022
Assignee: Workday, Inc.
Inventors: Bjorn Hamel, Prakash Sundaresan, Krishnan Rajiyah, Marius Maaland, Kamalanathan Thandapani, Lionello G. Lunesu, Aneesh Sandeep Verenkar, Amit Jasuja, Keith Kowal
-
Patent number: 11483316
Abstract: A processor-implemented method includes (i) automatically defining a first Circle of Trust (CoT) by a first CoT administrator, in a CoT database, (ii) automatically receiving, at a digital identity management (DIM) server, a first digital identity wallet (DIW) application request from a first DIW application provider server, (iii) automatically adding the first DIW application to the CoT database if the first CoT administrator approves the first DIW application request, (iv) automatically receiving, at the DIM server, a relying party application request from the at least one relying party application associated with the relying party and (v) automatically adding, the at least one relying party application to the CoT database, if the first CoT administrator approves the relying party application request.
Type: Grant
Filed: July 1, 2020
Date of Patent: October 25, 2022
Assignee: Workday, Inc.
Inventors: Krishnan Rajiyah, Marius Maaland, Kamalanathan Thandapani, Lionello G. Lunesu, Prakash Sundaresan, Aneesh Sandeep Verenkar, Amit Jasuja, Keith Kowal
-
Patent number: 11405200
Abstract: A system for key storage and recovery includes an interface and a processor. The interface is configured to receive an indication to create a set of recovery encryption key shares. The processor is configured to receive a selection of one or more trusted entities from one or more categories; create a set of recovery encryption key shares based at least in part on one or more recovery encryption keys; and for a trusted entity of the trusted entities: 1) determine a trusted entity public key associated with the trusted entity; encrypt a recovery encryption key share of the set of recovery encryption key shares with the trusted entity public key to generate a trusted entity encrypted recovery encryption key share; and provide the trusted entity encrypted recovery encryption key share to the trusted entity.
Type: Grant
Filed: May 21, 2020
Date of Patent: August 2, 2022
Assignee: Workday, Inc.
Inventors: Bjorn Hamel, Prakash Sundaresan
-
Publication number: 20220239467
Abstract: A system for blockchain-based authentication comprises an interface and a processor configured to (i) receive, by a first device, a command from a second device, where the first device is associated with a first trust certificate, (ii) receive a second trust certificate from the second device, (iii) communicate a cryptographic challenge using a public key of the second device to the second device, (iv) receive a response to the cryptographic challenge from the second device, (v) check whether the response matches with a predetermined correct response or not, and (vi) authenticate the second device and execute the commend received from the second device only if the response matches with the predetermined correct response.
Type: Application
Filed: April 12, 2022
Publication date: July 28, 2022
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Patent number: 11381405
Abstract: A system for authenticating a user at a relying party application using an authentication application and automatically redirecting to a target application includes a processor. The processor is configured to 1) make an API call that comprises (i) an authentication challenge that corresponds to an authentication request and (ii) a call back URL that is specified by a relying party application; 2) retrieve at least one of a target application link or a null value from a table; 3) authenticating the user based on an authentication challenge response to the at least one authentication challenge; and 4) invoking the target application link from the table to automatically redirect from the authentication application to the target application specified in the target application link.
Type: Grant
Filed: April 21, 2020
Date of Patent: July 5, 2022
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Aneesh Sandeep Verenkar, Lionello G. Lunesu, Krishnan Rajiyah, Kamalanathan Thandapani, Keith Kowal, Amit Jasuja
-
Patent number: 11336432
Abstract: A system for blockchain-based authentication comprises an interface and a processor configured to (i) receive, by a first device, a command from a second device, where the first device is associated with a first trust certificate, (ii) receive a second trust certificate from the second device, (iii) communicate a cryptographic challenge using a public key of the second device to the second device, (iv) receive a response to the cryptographic challenge from the second device, (v) check whether the response matches with a predetermined correct response or not, and (vi) authenticate the second device and execute the commend received from the second device only if the response matches with the predetermined correct response.
Type: Grant
Filed: May 20, 2020
Date of Patent: May 17, 2022
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Publication number: 20210367778
Abstract: A system for split keys for wallet recovery includes an interface configured to receive a request to recover a user private key, and a processor configured to provide a request to a credential issuing authority for a first encrypted recovery key share, wherein the request includes a first identification credential, receive the first encrypted recovery key share from the credential issuing authority, provide a request to a trusted organization for a second encrypted recovery key share, wherein the request includes a second identification credential, receive the second encrypted recovery key share from the trusted organization, combine the first encrypted recovery key share and the second encrypted recovery key share to determine a recovered encryption key, and determine the user private key using the recovered encryption key.
Type: Application
Filed: May 21, 2020
Publication date: November 25, 2021
Inventors: Bjorn Hamel, Prakash Sundaresan
-
Publication number: 20210314174
Abstract: A processor-implemented system and method for enabling a relying party device associated with a relying party to verify an identity of a user. The method includes the steps of (i) generating, using a cryptographic processor on a user device associated with the user, a first set of credentials including a public-private key pair associated with the user, (ii) receiving at least one cryptographic challenge from the relying party device associated with the relying party, (iii) verifying at least one of a biometric or a PIN code, (iv) responding to the at least one cryptographic challenge by performing the at least one cryptographic operation on the cryptographic challenge using the user private key to form a result of the at least one cryptographic operation and (v) transmitting the result of the at least one cryptographic operation as a cryptographic challenge response to the relying party device.
Type: Application
Filed: June 22, 2021
Publication date: October 7, 2021
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Patent number: 11088855
Abstract: A processor-implemented system and method for enabling a relying party device associated with a relying party to verify an identity of a user. The method includes the steps of (i) generating, using a cryptographic processor on a user device associated with the user, a first set of credentials including a public-private key pair associated with the user, (ii) receiving at least one cryptographic challenge from the relying party device associated with the relying party, (iii) verifying at least one of a biometric or a PIN code, (iv) responding to the at least one cryptographic challenge by performing the at least one cryptographic operation on the cryptographic challenge using the user private key to form a result of the at least one cryptographic operation and (v) transmitting the result of the at least one cryptographic operation as a cryptographic challenge response to the relying party device.
Type: Grant
Filed: February 21, 2019
Date of Patent: August 10, 2021
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Patent number: 11018869
Abstract: A method, software, and system for a Digital Identity Management (DIM) system is discussed. The system facilitates the creation of a Public Key/Private Key pair based user credentials using the Trusted Execution Environment in mobile phones, and is protected by DIM app with the user's biometrics and/or a PIN code. Identity tokens representing identity attributes of the user are issued by Issuing Parties using Hardware Security Modules and stored in the DIM app on the mobile device.
Type: Grant
Filed: February 28, 2020
Date of Patent: May 25, 2021
Assignee: Workday, Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Publication number: 20210152374
Abstract: A processor-implemented system and method for enabling a relying party device associated with a relying party to verify an identity of a user. The method includes the steps of (i) generating, using a cryptographic processor on a user device associated with the user, a first set of credentials including a public-private key pair associated with the user, (ii) receiving at least one cryptographic challenge from the relying party device associated with the relying party, (iii) verifying at least one of a biometric or a PIN code, (iv) responding to the at least one cryptographic challenge by performing the at least one cryptographic operation on the cryptographic challenge using the user private key to form a result of the at least one cryptographic operation and (v) transmitting the result of the at least one cryptographic operation as a cryptographic challenge response to the relying party device.
Type: Application
Filed: February 21, 2019
Publication date: May 20, 2021
Applicant: Trusted Key Solutions Inc.
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote
-
Publication number: 20200322131
Abstract: A system for blockchain-based authentication comprises an interface and a processor configured to (i) receive, by a first device, a command from a second device, where the first device is associated with a first trust certificate, (ii) receive a second trust certificate from the second device, (iii) communicate a cryptographic challenge using a public key of the second device to the second device, (iv) receive a response to the cryptographic challenge from the second device, (v) check whether the response matches with a predetermined correct response or not, and (vi) authenticate the second device and execute the commend received from the second device only if the response matches with the predetermined correct response.
Type: Application
Filed: May 20, 2020
Publication date: October 8, 2020
Inventors: Prakash Sundaresan, Lionello G. Lunesu, Antoine Cote