Patent attributes
Techniques are provided for protecting encryption key(s) and other protected material on devices, such as mobile devices. A device stores an encrypted container received from an online authentication service, wherein the encrypted container is encrypted using a first key stored by the online authentication service, wherein the encrypted container comprises a data item stored on the device. The device transmits the encrypted container using an online connection to the online authentication service to decrypt the encrypted container using the first key, wherein the encrypted container is decrypted by the online authentication service to provide a decrypted container only if the online connection satisfies one or more predefined online connection criteria. The device then receives the decrypted container from the online authentication service and obtains the data item from the decrypted container. Online secure containers are also disclosed that are optionally protected using a multi-layer encryption scheme.
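The exchange described in the abstract, sketched as an added example that is not taken from the patent: the service alone holds the first key, the device stores only the opaque container, and decryption is refused unless the connection meets the criteria. The class and method names, the two connection criteria (`tls`, `user_authenticated`), and the HMAC-SHA256 stand-in for a real authenticated cipher are all assumptions made so the sketch runs on the standard library alone.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("container too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("container failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class AuthService:
    """Online authentication service: the only holder of the first key."""
    def __init__(self):
        self._first_key = secrets.token_bytes(32)

    def issue_container(self, data_item):
        return seal(self._first_key, data_item)

    def decrypt_container(self, container, conn):
        # Hypothetical connection criteria; the page does not enumerate them.
        if not (conn.get("tls") and conn.get("user_authenticated")):
            raise PermissionError("online connection criteria not satisfied")
        return unseal(self._first_key, container)

class Device:
    def __init__(self, container):
        self.container = container  # stored at rest; opaque without the service

    def obtain_data_item(self, service, conn):
        return service.decrypt_container(self.container, conn)
```

Because the first key never reaches the device, a copy of the device's storage yields only the sealed container, and every use of the data item passes through the service's connection check.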