Abstract: Techniques for managing an application token may include providing, by a first service provider application on a communication device to a first service provider computer, a first request for a first application token, receiving, by an account management application on the communication device from a token service computer in communication with the first service provider computer, the first application token, and storing the first application token in a token container in the account management application.

Abstract: A method is disclosed. The method includes receiving, by a token service computer, a token request message, the token request message being originated from a token requestor computer. The method also includes determining, by the token service computer, two or more access tokens based upon a single credential, and then transmitting the two or more access tokens to the token requestor computer in a token response message.

Abstract: Techniques for managing an application token may include providing, by a first service provider application on a communication device to a first service provider computer, a first request for a first application token, receiving, by an account management application on the communication device from a token service computer in communication with the first service provider computer, the first application token, and storing the first application token in a token container in the account management application.

Abstract: A method and system for provisioning credentials is disclosed. The method includes receiving, by a token provider computer, a token request message from a token requestor computer that comprises an initial access identifier. The token provider computer transmits the initial access identifier to a first authorization computer, and then the token provider computer receives an intermediate access identifier. The token provider computer then transmits a token activation request message to a second authorization computer based at least in part on the intermediate access identifier. The token provider computer then receives a token activation response message from the second authorization computer. The token provider computer then provides the token to the token requestor computer.

Abstract: Techniques are described for managing master keys for token requestors to use in generating cryptograms such as TAVVs. A processor computer generates a first master key for a token requestor, the first master key being generated based on (a) a second master key managed by the processor computer and (b) an identifier of the token requestor. The processor computer transmits, to a token requestor computer corresponding to the token requestor, the first master key. The processor computer receives, from the token requestor computer, a request for a token. Responsive to receiving the request for the token, the processor computer transmits the token to the token requestor computer; and receives, from the token requestor computer, an authorization request message comprising the token and a cryptogram generated by the token requestor computer using the first master key and the token.

Abstract: A method and system for provisioning credentials is disclosed. The method includes receiving, by a token provider computer, a token request message from a token requestor computer that comprises an initial access identifier. The token provider computer transmits the initial access identifier to a first authorization computer, and then the token provider computer receives an intermediate access identifier. The token provider computer then transmits a token activation request message to a second authorization computer based at least in part on the intermediate access identifier. The token provider computer then receives a token activation response message from the second authorization computer. The token provider computer then provides the token to the token requestor computer.

Abstract: This disclosure provides solutions for automatically grouping network devices (e.g., endpoints) into clusters based on device characteristics. In some aspects, the disclosed technology also provides solutions for generating user selectable queries based on cluster characteristics. A process of the disclosed technology can include steps for identifying one or more device characteristics associated with a first network device, identifying one or more cluster characteristics for each of a first cluster and a second cluster, and comparing the device characteristics associated with the first network device with the one or more cluster characteristics for the first cluster and the second cluster. The process can further include steps for adding the first network device to the first cluster based on the cluster characteristics for the first cluster and the device characteristics for the first network device. Systems and machine-readable media are also provided.

Abstract: A method is disclosed, and includes receiving from a token requestor, a token data request message comprising an initial resource provider identifier, and determining a permanent resource provider identifier using the initial resource provider identifier. The method also includes determining a verification value, and associating the permanent resource provider identifier with a token, the verification value, and domain controls.

Abstract: The present embodiments relate to systems and methods for token-for-token provisioning. A server computer can receive a message from a second token requestor. The message can include a request for a second token and can include a first token or the message can include a cryptogram request message. The server computer can transmit a provisioning request message to an authorizing entity computer requesting an authentication of a credential and receive a provisioning response message from the authorizing entity computer authenticating the credential. Any of the server computer or the authorizing entity computer can generate the second token. The server computer can provide the second token to a second token requestor for use in a recurring transaction. The first token and the second token can both be associated with a credential.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for discovering policy scopes within an enterprise network and managing network policies for discovered policy scopes. In one aspect, a method includes identifying one or more communities of devices in an enterprise network; defining, from the one or more communities of devices, policy scopes in the enterprise network; generating a hierarchical representation of the policy scopes; identifying, based on the hierarchical representation of the policy scopes, one or more policies governing traffic flow between devices associated with each of the policy scopes; and managing application of the one or more policies at the devices.

Abstract: A method is disclosed. The method includes receiving, by a token gateway, a first request message from a token requestor computer. The token gateway determines at least one token service computer from a plurality of token service computers, each token service computer in the plurality of token service computers operating independently of each other. The token gateway transmits at least one second request message to the at least one token service computer and receives, at least one first response message comprising at least one token and/or supplemental data associated with the at least one token from the at least one token service computer. The token gateway transmits a second response message to the token requestor computer, the second response message comprising the at least one token and/or the supplemental data.

Abstract: A method is disclosed. The method includes receiving, by a token service computer, a token request message, the token request message being originated from a token requestor computer. The method also includes determining, by the token service computer, two or more access tokens based upon a single credential, and then transmitting the two or more access tokens to the token requestor computer in a token response message.

Abstract: An authentication request message from a user conducting an interaction at a resource provider computer is received. It is determined that data representing an indication that the resource provider is trusted by the user and including a trusted marker is present in a database. Authentication to the user is provided, and information indicating that the user has been authenticated and the trusted marker are sent so that authorization request message for the interaction that includes the trusted marker is generated. The trusted marker is validated, and the authorization request message including information related to the interaction and the validated trusted marker is sent to an authorizing entity computer.

Abstract: An enhanced authentication system is described. One embodiment of the invention is directed to a method comprising: receiving, by a token service computer and from an initiating computer, a first authentication request message including verification method data and a token; transmitting, by the token service computer, a second authentication request message comprising the token and the verification method data to an access control server; receiving, by the token service computer from the access control server, an authentication response message comprising the token and a user authentication verification value; and transmitting, by the token service computer to the initiating computer, the authentication response message comprising the token, the user authentication verification value, and a token authentication verification value.

Abstract: A system and method of establishing a resource provider as a trusted listing are disclosed. The method includes receiving, by a directory server computer, an indication from a user that a resource provider is trusted. The directory server computer is programmed to provide a first level of authentication. The method then includes storing, in a database, data representing the indication from the user that the resource provider is trusted. The method then includes receiving an authentication request message from the user conducting an interaction at the resource provider computer and determining that the data representing the indication from the user that the resource provider is trusted is present. In response to determining, the method includes providing a second level of authentication to the user before the user is allowed to complete the interaction. The second level of authentication is lower than the first level.

Abstract: An enhanced authentication system is described. One embodiment of the invention is directed to a method comprising: receiving, by a token service computer and from an initiating computer, a first authentication request message including verification method data and a token; transmitting, by the token service computer, a second authentication request message comprising the token and the verification method data to an access control server; receiving, by the token service computer from the access control server, an authentication response message comprising the token and a user authentication verification value; and transmitting, by the token service computer to the initiating computer, the authentication response message comprising the token, the user authentication verification value, and a token authentication verification value.

Abstract: A method is disclosed. The method includes receiving, by a token service computer, a token request message, the token request message being originated from a token requestor computer. The method also includes determining, by the token service computer, two or more access tokens based upon a single credential, and then transmitting the two or more access tokens to the token requestor computer in a token response message.

Abstract: Embodiments of the invention are directed to systems and methods for authenticating a user device using an authenticating device that has previously been associated with a user and/or a credential. The user may initiate a transaction at the user device. An authenticating device associated with the transaction may be sent an authentication request corresponding to the user device. The user may indicate whether or not the user device is authenticated utilizing the authenticating device. If the user device is authenticated, the transaction may proceed. If the user device is not authenticated the transaction may be rejected.

Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for discovering policy scopes within an enterprise network and managing network policies for discovered policy scopes. In one aspect, a method includes identifying one or more communities of devices in an enterprise network; defining, from the one or more communities of devices, policy scopes in the enterprise network; generating a hierarchical representation of the policy scopes; identifying, based on the hierarchical representation of the policy scopes, one or more policies governing traffic flow between devices associated with each of the policy scopes; and managing application of the one or more policies at the devices.

Abstract: A method is disclosed. The method includes receiving, by a token service computer, a token request message, the token request message being originated from a token requestor computer. The method also includes determining, by the token service computer, two or more access tokens based upon a single credential, and then transmitting the two or more access tokens to the token requestor computer in a token response message.