Patent classifications
G06Q20/3227
Method and apparatus for configuring security carrier
Embodiments of the present disclosure provide a method and apparatus for configuring a security carrier, including: adding a carrier batch field to a security carrier list, encoding, for each security carrier in the security carrier list, a plurality of pieces of batch feature information of the security carrier according to a preset encoding rule, so as to generate carrier batch information of each security carrier, and to add it to the security carrier list; and then, according to identifier information and the carrier batch information of each security carrier, configuring a supplementary security domain, a card application, an application installation package and an application provider that need to be preset for each security carrier. Since the carrier batch information contains a plurality of pieces of batch feature information of the security carrier, security carriers in the security carrier list can be effectively distinguished according to the identifier information and the carrier batch information of the security carriers, thus a plurality of preset items that need to be preset for a plurality of security carriers having the same carrier batch information can be configured, so as to improve configuration efficiency for the security carriers.
A Digital, Personal and Secure Electronic Access Permission
The present invention puts forward a personal electronic access permission (Figure B, 31) that can both check on the customer's identity (Figure A, step 2) and right to access an event/venue in one scanning event, and address the unwanted secondary market, still enabling a customer (Figure D, 5) to sell back an electronic access permission to the system (Figure D, I) in case the customer is not able to attend the event.
Systems and methods for provisioning a payment instrument
The invention relates generally to the provisioning of payment instruments onto electronic devices such as a mobile telephone, tablet, laptop or wearable, and in particular to securely provisioning a payment instrument for which authorisation for the provisioning must be provided by a payment instrument issuer. A first embodiment is provided in which data that is generated during a transaction is received by an electronic device and transmitted from the electronic device to a server associated with an acquirer. The data received from the electronic device is compared to the data generated during the transaction and, if these match, provisioning is authorised. A second embodiment is provided in which a server associated with an acquirer generates an identification message that is separate from but based on a response message associated with a transaction, and provisioning is authorised or declined based on the identification message.
SECURITY MECHANISM FOR NAMESPACES USED IN ELECTRONIC IDENTIFICATION ON MOBILE DEVICES
A system, mobile device, and method for managing security policies for data items stored in an electronic identification (eID) wallet on the mobile device. Security policies are associated with each of a plurality of supported namespaces on a mobile device and a verifier terminal operates to select a namespace to access a data item stored on the mobile device based on the security policies associated with the plurality of supported namespaces on the mobile device.
System for authenticating an electronic device by means of an authentication server
A system for authenticating an electronic device by means of an authentication server in order to authenticate a user of said electronic device. The system is adapted to perform an authentication based on a fictive payment transaction and includes the authentication server which is adapted to execute a fictive payment transaction with a predetermined transaction amount with said electronic device and during said execution to receive a first cryptogram from said electronic device; send said first cryptogram to a banking server; and receive from said banking server an acknowledgment if said first cryptogram is valid; when said fictive payment transaction has been executed, compute an authentication identification based on said electronic device's data; said electronic device which is a payment electronic device and which is adapted to execute said fictive payment transaction with said authentication server and during said execution to send said first cryptogram to said authentication server.
Authentication using a secure circuit
Techniques are disclosed relating to authentication using public key encryption. In one embodiment, a computing device includes a secure circuit, a processor, and memory. The secure circuit is configured to generate a public key pair usable to authenticate a user of the computing device. The memory has program instructions stored therein that are executable by the processor to cause the computing device to perform operations including authenticating the user with a server system by sending authentication information supplied by the user. The operations further include, in response to the server system verifying the authentication information, receiving a first token usable to register the public key pair with the server system and sending, to the server system, a request to register the public key pair for authenticating the user. In such an embodiment, the request includes the first token and identifies a public key of the public key pair.
Enclave interactions
Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second identity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; when the identity information meets the expectations of the access control list, completing the request.
Relying Party Risk-Adjusted Indicator System and Method
Provided is a method including receiving, by a user device, a request from an identity service to approve communicating a user proof-of-identity to a relying party. A user of the user device is prompted to request a one-time transaction identifier based on the request. Based on a first input from the user, the user device requests the one-time transaction identifier from the identity service. In response to the request for the one-time transaction identifier, the user device receives the one-time transaction identifier from the identity server and displays the one-time transaction identifier on a first user device screen. The user inputs the one-time transaction identifier on a second user device screen and the user device communicates the one-time transaction identifier to the identity service. In response to receiving the at least one inputted one-time transaction identifier, the relying party determines whether to approve or deny a transaction.
System and method for biometric fallback authentication
A method for validating user credentials in a transaction initiated with a portable payment device associated with a biometric verification process including establishing a communication protocol between the portable payment device and the point-of-sale system, determining at least one result corresponding to a verification requirement of the biometric verification process, in response to determining an absence result or a failure result of the verification requirement of the biometric verification process, determining an alternate verification process associated with the portable payment device, determining a verification requirement of the alternate verification process, and transmitting the verification requirement of the alternate verification process to the point-of-sale system. A system and computer program product for validating user credentials in a transaction are also disclosed.
Enclave Interactions
Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second identity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; when the identity information meets the expectations of the access control list, completing the request.