H04L9/3228

SYSTEM, METHOD AND ARCHITECTURE FOR SECURE SHARING OF CUSTOMER INTELLIGENCE

A key master service capable of operating on a service provider in a network is disclosed. The key master enables authorized parties to securely exchange client information without compromising client security. One feature of the key master service is the generation of a unique key for each client. All parties in an authorized universe access, exchange and modify client information by referencing the universal key, rather than using known client identifiers. Client information is further secured by advantageously applying an obfuscation function to the data. Obfuscated client information is stored together with the universal key as keyed client data at the client and/or server, where it may be directly accessed by the service provider or third parties. Because client information is stored and exchanged without the ability to discern either the client identity or the nature of the information, such information is secured against malicious third-party interception.

Systems and methods for responsive data transfer and anonymizing data using tokenizing and encrypting
11587076 · 2023-02-21

Described herein are systems and methods for securely obtaining payment information from a recipient on a payer's mobile device within an application on the payer's mobile device. The securely obtained information can be decrypted in the application, and the recipient information can be extracted. The extracted recipient information can be validated and used by the application to initiate a fund transfer to the recipient's account from the payer's account. The application can include a user interface that can allow the payer to anonymize the payment, securing the privacy of the payer.

Authentication service
11588806 · 2023-02-21

Disclosed are various approaches for relaying and caching authentication credentials. A single sign-on (SSO) token is received, the SSO token representing a user account authenticated with an identity manager. An authentication request is then sent to a service that is federated with the identity manager in response to receipt of the SSO token, the authentication request including the SSO token. An access token is received in response to the authentication request, the access token providing access to the service for the user account authenticated with the identity manager for a predefined period of time. The access token and a link between the access token and the SSO token are then cached.

Subscriber identity privacy protection against fake base stations

Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key K_FB or trusted asymmetric fallback public key PK_FB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCI_FB for communication of messages with the unauthenticated network entity.

Operating system with automatic login mechanism and automatic login method

An operating system with an automatic login mechanism and an automatic login method are provided. The operating system includes a first electronic device, a second electronic device and a server device. The second electronic device includes a biometric sensor. When a login event of the first electronic device is triggered, the first electronic device sends a login request to the second electronic device directly or via the server device, so that the second electronic device performs a biometric verification by the biometric sensor according to the login request. When the biometric verification is passed, the second electronic device sends a first login credential to the first electronic device directly or via the server device, so that the first electronic device performs an automatic login operation of the first electronic device according to the first login credential.

Systems and methods for utilizing quantum entropy in single packet authorization for secure network connections

A device may receive, from a client device, a request with a single packet authorization (SPA) packet that includes data identifying a universal client device identifier. The device may generate a shared key associated with the universal client device identifier, and may determine that the SPA packet matches a comparison message authentication code (MAC) generated based on the shared key. The device may provide, based on the SPA packet matching the comparison MAC, a MAC associated with the SPA packet to the client device to enable the client device to validate the device.

Multi-factor authentication for mobile security protocol

In one example, a home network associated with a user equipment obtains an authentication request to authenticate the user equipment to a serving network. The home network generates an authentication vector of a mobile security protocol. The authentication vector includes an indication that the user equipment is to be authenticated using a multi-factor authentication process. The home network provides the authentication vector to the serving network to prompt a response from the user equipment that is in accordance with the multi-factor authentication process. The home network authenticates the user equipment to the serving network based on the response.

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts
11503010 · 2022-11-15

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user's account.

SYSTEMS AND METHODS FOR CRYPTOGRAPHIC AUTHENTICATION OF CONTACTLESS CARDS

Example embodiments of systems and methods for a data transmission system between transmitting and receiving devices are provided. In an embodiment, each of the transmitting and receiving devices can contain a master key. The transmitting device can generate a diversified key using the master key, protect a counter value and encrypt data prior to transmitting to the receiving device, which can generate the diversified key based on the master key and can decrypt the data and validate the protected counter value using the diversified key.

MANAGEMENT SYSTEM
20230050821 · 2023-02-16

A system for tracking an asset including one or more processing devices that identify a spatial region in a complex number space, the spatial region being associated with the asset, receive a user defined password, identify a plurality of key locations within the spatial region at least in part using the user defined password, calculate key numerical values at each of the plurality of key locations using a defined complex number formula and use the key numerical values to generate an encryption key. The asset can be associated with a user by storing an asset record in a database which is indicative of an asset identifier, the spatial region and an encrypted payload derived using the encryption key.