Patent classifications
H04L9/3234
Federated identity management with decentralized computing platforms
Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in association with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.
Software credential token process, software, and device
Embodiments for a computer readable medium including a software module are provided. The software module causes one or more processing devices to obtain a biometric identifier from a user. Access to a resource is requested by providing a software credential token and the biometric identifier. The software credential token corresponds to a hardware credential token, and the hardware credential token is one of a set of hardware credential tokens that are used to access the resource. An indication that access to the resource has been granted is received and after receiving the indication an indication that the access to the resource has been revoked is received. After receiving the indication that access to the resource has been revoked, a biometric identifier is re-obtained from a user and access to the resource is re-requested by providing a software credential token and the re-obtained biometric identifier.
Secure cross-device authentication system
A method including determining, by a first device, unavailability of a first biometric unit associated with the first device for verification of first biometric information; selecting, by the first device based on determining unavailability of the first biometric unit, a second biometric unit associated with a second device for verification of second biometric information; receiving, by the first device from the second device based on a first verification of the second biometric information, a first factor associated with authentication of the first device by a service provider; receiving, by the first device from the second device based on successful authentication of the first factor and on a second verification of the second biometric information, a second factor associated with authentication of the first device by the service provider; and receiving, by the first device from the service provider, a service based on successful authentication of the second factor.
SYSTEMS AND METHODS FOR PROTECTING IDENTITY METRICS
A computer-implemented method for protecting identity metrics may include (i) receiving, by a computing device and from an originating device, an identity metric encrypted by an identity metric protection module on the originating device, where the identity metric includes biometric data about an operator of the originating device, (ii) requesting, by an identity metric protection module on the computing device, a decryption key from an identity metric protection server, (iii) receiving, by the identity metric protection module, the decryption key from the identity metric protection server, (iv) decrypting, by the identity metric protection module, the identity metric with the decryption key received from the identity metric protection server, and (v) providing the decrypted identity metric to an application on the computing device that uses the identity metric to convey a communication from the operator of the originating device. Various other methods, systems, and computer-readable media are also disclosed.
Consent management system with consent request process
A method may include receiving a consent-processing request at a consent management platform from a content-presentation device, and using an identifier string in the request to establish a secure interactive session configured for user selection of consent options associated with a particular consent package of the platform, where the package may include identifiers of consent features of a media distribution system that require user consent in order to be activated for the device. The platform may then receive, via the interactive session, user consent data including a respective consent choice for each of one or more consent options, where each respective consent choice indicates acceptance or rejection of consent to activating an associated consent feature identified with the particular consent package. The received respective consent choices may be stored in a database of the consent management platform. Corresponding data may be stored in a whitelist on the content-presentation device.
CROSS-SESSION ISSUANCE OF VERIFIABLE CREDENTIAL
Cross-session acquisition of a verifiable credential. The first session includes generating a user secret known to the first session and to the user, and generating an encrypted identity token that includes claims about authentication of the user and the user secret. In the second session, a second computing system uses the acquired identity token to get a verifiable credential. The user is prompted to prove knowledge of the user secret within the identity token. In response to successful proof of this knowledge and validation of the identity token, the issuer system issues a verifiable credential that relies upon one or more claims that were included within the identity token, and then provides the verifiable credential to the user.
Method for transmitting to a physical or virtual element of a telecommunications network an encrypted subscription identifier stored in a security element, corresponding security element, physical or virtual element and terminal cooperating with this security element
The invention concerns a method for transmitting, to a physical or virtual element of a telecommunications network, an encrypted subscription identifier stored in a security element, an encrypted identifier of the security element, or an encrypted identifier of a terminal cooperating with the security element. The method includes proactively pre-calculating, at the occurrence of an event, the encrypted identifier using a key and storing it in a file or memory of the security element together with a parameter enabling the key to be calculated by the element of the telecommunications network, so that the encrypted identifier and the parameter can be transmitted to the element of the telecommunications network without having to compute the encrypted identifier when the terminal is asking for it.
Methods and systems for enhancing privacy and efficiency on distributed ledger-based networks
One or more embodiments described herein disclose methods and systems that are directed at providing enhanced privacy, efficiency and security to distributed ledger-based networks (DLNs) via the implementation of zero-knowledge proofs (ZKPs) in the DLNs. ZKPs allow participants of DLNs to make statements on the DLNs about some private information and to prove the truth of the information without having to necessarily reveal the private information publicly. As such, the disclosed methods and systems directed at the ZKP-enabled DLNs provide privacy and efficiency to participants of the DLNs while still allowing the DLNs to remain as consensus-based networks.
Data correlation using file object cache
Some examples relate generally to computer architecture software for data classification and information security and, in some more particular aspects, to verifying audit events in a file system.
Optically scannable representation of a hardware secured artifact
Methods and systems for device authentication based on generating and displaying an optically scannable visual representation of a public portion of a hardware secured encryption key (EK) are described herein. A client certificate is encrypted with the public portion of the EK based on a scan of the displayed visual representation. A connection may be established between a computing device and a server using the encrypted client certificate and a private portion of the EK to authenticate the computing device. In some implementations, a request is received from a second computing device to access a first computing device, and includes data encrypted using a public portion of an EK acquired from a displayed optically scannable visual representation of the public portion of the EK. The second computing device is provided access to the first computing device based on decryption of the encrypted data using a private portion of the EK.