[0001 ] Electronic devices can access services over networks. For example, an electronic device can seek access to a network connectivity service by which the electronic device can establish a connection with a network and communicates with other devices over the network. The electronic device can be charged for use of the network connectivity service. In other examples, electronic devices can access other types of services.

Brief Description of the Drawings

[0002] Some implementations of the present disclosure are described with respect to the following figures.

[0003] Fig. 1 is a block diagram of an arrangement according to some examples.

[0004] Fig. 2 is a message flow diagram of a process according to some examples.

[0005] Fig. 3 is a block diagram of a storage medium storing machine-readable instructions according to some further examples.

[0006] Fig. 4 is a block diagram of a client device according to additional examples.

[0007] Fig. 5 is a block diagram of a server according to other examples.

[0008] Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements. The figures are not necessarily to scale, and the size of some parts may be exaggerated to more clearly illustrate the example shown. Moreover, the drawings provide examples and/or implementations

consistent with the description; however, the description is not limited to the examples and/or implementations provided in the drawings. Detailed Description

[0009] In the present disclosure, use of the term "a," "an", or "the" is intended to include the plural forms as well, unless the context clearly indicates otherwise. Also, the term "includes," "including," "comprises," "comprising," "have," or "having" when used in this disclosure specifies the presence of the stated elements, but do not preclude the presence or addition of other elements.

[0010] When an entity using a client device requests network access and purchases a service, both an authentication process and a payment process are performed. Performing separate authentication and payment processes, potentially with different servers, is complex and inefficient because of added auditing, latency, processing, configuration, update processes, support processes, energy

consumption, and network utilization. In accordance with some implementations of the present disclosure, an integrated authentication and payment process is implemented that makes use of a blockchain as a database for both authenticating an entity using a client device and effecting payment for a service.

[001 1 ] A "client device" can refer to any machine or program that is able to communicate over a network or with a server or application. A machine can refer to an electronic device, which can refer to any or some combination of the following: a processor, a smartphone, a tablet computer, a notebook computer, a desktop computer, a game appliance, or any other electronic device that is able to

communicate over a network. A program can refer to any or some combination of the following: an application, an operating system, a boot program, or other machine-readable instructions.

[0012] An "authentication process" confirms the truth of an attribute of data (e.g., an identity of an entity, a credential, etc.). An "entity" using a client device and requesting access and service can refer to the client device itself, a user of the client device, an application, a component in the client device, or any other attribute associated with the client device. Such an entity can also be referred to as an entity associated with a client device. A "network" can refer to a system of client devices that are joined together, temporarily or continuously, so that they can exchange information and/or share resources, e.g., a client device may attempt to obtain network access by radio, wired, fiber optic, power line carrier, ultrasonic, and/or infrared network.

[0013] In addition to accessing a network connectivity service to establish a connection with a network, a client device can access other types of services, including, for example, a service to execute an application, a data storage service, a communication service over a network, and so forth.

[0014] A "payment process" can refer to a process by which the entity associated with the client device can make payment for accessing the service. In some example cases, an authentication process and a payment process are mutually exclusive processes, which is highly inefficient. For example, an authentication session can be established to allow a client device to obtain authentication while the payment process is performed in another session that is separate from the authentication session. Performing authentication and payment processes as separate processes that employ different servers can result inefficient use of resources, including machine resources, network resources, program resources, and/or storage resources.

[0015] Fig. 1 is a block diagram of an example arrangement that includes a client device 102, a network 104, and an authentication/payment server 106. The network 104 can include a wireless network with which the client device 102 can

communicate wirelessly. Alternately, the network 104 can include a wired network, or a combination of a wireless and wired network. The network 104 includes an access point (AP) 108, which is the network node with which the client device 102 can establish a connection for communication through the network 104 with another entity, such as the authentication/payment server 106.

[0016] Although just one client device 102, one AP 108, and one

authentication/payment server 106 are shown in Fig. 1 , it is noted that in other examples, multiple client devices 102, and/or multiple APs 108, and/or a multiple authentication/payment servers 106 can be provided. [0017] In some examples, the AP 108 can be part of a wireless network (e.g., a Wi-Fi network). In other examples, the AP 108 can refer to a (Wide Area Network) WAN or Low power wide area network (LPWAN) base station or transmission system base station, another low power long range access network (e.g., Lora) node, or an access node of a cellular network.

[0018] The authentication/payment server 106 includes a computing node (or a distributed arrangement of computing nodes) to interact with a blockchain network 1 10, which can be used for both authenticating an entity using the client device 102 and effecting payment for a service that is being accessed by the client device 102.

[0019] Blockchain information is used in the context of blockchain technology. A blockchain refers to a distributed collection of records (referred to as "blocks") that are linked and secured cryptographically in a distributed manner. A blockchain can also refer to a continuous and unbroken ledger of blocks. The blocks of the blockchain can be distributed across a large number of computing devices. Each block can include various information, including transaction data for a transaction represented by the block, a timestamp, and a reference to a previous block in the blockchain. As new transactions occur, new blocks are created for the new transactions and added to the blockchain. A blockchain (which forms a distributed transaction ledger) records transactions among multiple entities in a verifiable and permanent way. Once a block is created and the data of the block recorded, the block cannot be altered without alteration of subsequent blocks.

[0020] Multiple entities can see the transaction ledger, but because of the decentralized nature of the distributed collection of blocks, records are protected against hacking or corruption by a malicious entity. Validation of each block that gets added to the blockchain is done by every node by validating its hash by applying a hashing function. If the validation fails, then that node drops the block from the blockchain.

[0021 ] A blockchain address can be assigned to an entity associated with the client device 102. A blockchain address refers to an identifier that is used in the blockchain. In some examples, a blockchain address is analogous to an account number. An entity (such as a user or a device) can include one blockchain address, or can have multiple blockchain addresses. In some examples, a blockchain address can be generated based on use of a pair of a public key and a private key associated with an entity.

[0022] More generally, a blockchain information can refer to any information that can be used in a blockchain process. A blockchain process can refer to a process that uses a blockchain to store transactions in blocks of the blockchain. A

transaction can refer to any event (e.g., an activity, data storage, program execution, etc.).

[0023] The client device 102 includes an application-level authentication program 1 12 and a network-level authentication program 1 13. Generally, an authentication program can refer to machine-readable instructions that upon execution perform authentication on behalf of an entity associated with the client device 102. The network-level authentication program 1 13 exchanges messaging with an

authenticator 1 16 (implemented as machine-readable instructions executable) in the AP 108 of the network 104 to initiate network-level authentication. The application- level authentication program 1 12 exchanges messaging with an authentication service 1 18 in the authentication/payment server 106 to perform an authentication process.

[0024] Although the authenticator 1 16 is depicted as being part of the AP 108 in Fig. 1 , it is noted that in other examples, the authenticator 1 16 can be on a separate node, such as on the authentication/payment server 106 or on another network node.

[0025] The network-level authentication program 1 13 can initiate an

authentication process by sending an authentication initiation message (e.g., an EAP message) to the authenticator 1 13 in the AP 108, and the authentication process can proceed based on further exchanges of messaging between the application-level authentication program 1 12 and the authentication service 1 18 of the

authentication/payment server 106.

[0026] In alternate examples, of the network-level authentication program 1 13 and the application-level authentication program 1 12 being separate programs, the network-level authentication program 1 13 and the application-level authentication program 1 12 can be integrated into one authentication program.

[0027] In some examples, the network-level authentication performed by the network-level authentication program 1 13 includes a layer 2 (L2) authentication. For example, the L2 authentication can be according to the Extensible Authentication Protocol (EAP), which provides an authentication framework for transporting and usage of keying material and parameters (including keys for encryption and digital signatures). Although reference is made to EAP in some examples, it is noted that in other examples, other authentication protocols can be employed, such as Media Access Control (MAC) authentication, pre-shared key (PSK), MAC authentication with 802.1x authentication, Point-to-Point Protocol (PPP), HotSpot 2.0

authentication, among other examples. Also, although reference is made to performing an L2 authentication process between the authentication program 1 13 and the authenticator 1 16, it is noted that in other examples, other types of authentication processes can be used, including layer 3 (L3) authentication, layer 2 and 3 authentication, layer 1 (L1 ) authentication, or authentication at other layers. A layer n (n = 1 , 2, ... ) authentication process refers to an authentication process that is performed by a particular layer within a protocol stack in respective nodes, which in the case of Fig. 1 includes the client device 102 and the AP 108.

[0028] The client device 102 further includes a payment program 1 14 to effect payment for a service that is being accessed by the client device 102. For example, the payment program 1 14 can be a cryptographic currency wallet application 1 13, which can be used to make payment for a transaction or to make payment for accessing data or to make payment for any other purpose [0029] Although Fig. 1 shows the authentication program 1 12 and the payment program 1 14 as being separate programs, it is noted that in other examples, the authentication program 1 12 and payment program 1 14 can be program, or alternately, the authentication programs 1 12, 1 13 and the payment program 1 14 can be integrated into one program. More generally, the authentication program(s) and payment program can include machine-readable instructions to perform

authentication and payment.

[0030] The authenticator 1 16 in the AP 108 can interact with the network-level authentication program 1 13 to establish an authentication session to authenticate an entity associated with the client device 102 and to effect payment for access of a service by the client device 102.

[0031 ] Once an authentication session is established between the network-level authentication program 1 13 and the client device 102 and the authenticator 1 16 in the AP 108, the application-level authentication program 1 12 and the payment program 1 14 in the client device 102 can interact with the authentication service 1 18 and a payment service 120, respectively, in the authentication/payment server 106.

[0032] The authentication service 1 16 and the payment service 120 can be separate services or can be part of an integrated service. The authentication service 1 18 and payment service 120 can be implemented using machine-readable instructions executable in the authentication/payment server 106.

[0033] The application-level authentication program 1 12 can interact with the authentication service 1 18 in an authentication session to perform authentication of an entity associated with the client device 102. The payment program 1 14 can interact with the payment service 120 in the same authentication session to effect payment for a service that is being accessed by the client device 102. In accordance with some implementations of the present disclosure, both the authentication service 1 18 and the payment service 120 can access the blockchain network 1 10 to perform the authentication and payment. [0034] In some examples, the authentication service 1 18 and payment service 120 of the authentication/payment server 106 can provide authentication and payment processes according to a Remote Authentication Dial-In User Service (RADIUS) protocol, which provides Authentication, Authorization, and Accounting (AAA) services. In other examples, the authentication/payment server 106 can implement other authentication and accounting protocols, such as Terminal Access Controller Access Control System (TACACS), Extended TACACS (XTACACS), TACACS+, and DIAMETER, among others.

[0035] The blockchain network 1 10 can include blockchain nodes 122 (also referred to as "full nodes"), which are distributed nodes that perform processing relating to the blockchain. The blockchain nodes 122 in some examples can be part of the authentication/payment server 106, such that at least a portion of the authentication/payment server 106 is considered to be part of the blockchain network 1 10.

[0036] In some examples, rather than store an actual data, a block of a blockchain may include a pointer to a storage location in a distributed storage system 124 (including a distributed arrangement of storage nodes, which can be referred to as a swarm in some examples) that stores the actual data corresponding to the block. The blocks of the blockchain can refer to multiple distributed storage systems 124 (multiple swarms) in other examples.

[0037] Blocks in the blockchain have some amount of information about each transaction, such as which accounts are involved, how much currency was transferred, some detail about the transaction, a timestamp representing a time of the transaction, some data and a reference to the external distributed storage system that contains additional data. A full node that is part of the blockchain network 1 10 can retrieve and share the additional data from the distributed storage system 124. The full node can send a retrieve request to the appropriate distributed storage system (e.g., 124) based on a blockchain address. The retrieve request is validated, and any charges for requesting and obtaining the requested data can be applied. Once validated and any charges collected, the requested data can be returned from the distributed storage system 124 to the full node, which sends the requested data to the authentication/payment server 106.

[0038] The client device 102 also includes a storage medium 126 that stores an authentication/payment server public key 128 (which is the public key of the authentication/payment server 106). The storage medium 126 can also store the private and public keys 130 of the client device 102. The authentication/payment server public key 124 and the private/public keys 130 can be pre-configured in the storage medium 126 of the client device 102 or can be obtained by the client device 102 from the authentication/payment server 106 or another entity.

[0039] Uses of the authentication/payment server public key 128 and the private/public keys 130 are discussed further below.

[0040] The client device 102 can also include a cryptographic currency wallet application 131 , which can be used to make payment for a transaction or to make payment for accessing data or to make payment for any other purpose.

[0041 ] The authentication/payment server 106 can include a smart contract manager 132 (including machine-readable instructions) to manage smart contracts. In other examples, the smart contract manager 132 can be implemented in a computing node (or computing nodes) separate from the authentication/payment server 106.

[0042] The smart contract manager 1 18 implements enforcement of smart contracts, such as those stored in a smart contract database 134. A smart contract provides logic and rules executed by computing device(s) for a blockchain to automate terms of a contract among multiple entities. A smart contract can include blockchain addresses of the parties of the smart contract, information relating to terms of the smart contract, and other information.

[0043] In some examples, a smart contract can be established among the multiple entities, such as an entity associated with the client device 102 and an entity (e.g., a service provider) that provides a service that can be accessed by client devices. For example, the service provider can be a network service provider to provide a network connectivity service. In other examples, a smart contract can be established between an entity associated with the client device 102 and other service provider entities.

[0044] In further examples, an entity that requests access of a service can be part of a Distributed Autonomous Organization (DAO) with privileges, as specified according to rules of smart contracts, to obtain access to the service. The DAO groups entities granted access to a service. In such examples, the authentication of an entity associated with the client device 102 can be based on a combination tasks performed by the authentication service 1 18 and the smart contract manager 132. The smart contract manager 132 can consult a smart contract in the smart contract database 134 to ensure that the entity requesting access of the service is part of the DAO. The smart contract manager 132 can include contracts maintained for an organization for granting access and agreements for charges and options for various services offered. In such examples, techniques or mechanisms are provided where an entity requesting a service can make an advance payment for the service, and a refund can be issued to the entity if the service is partially used.

[0045] In other examples, instead of paying in advance for a service, an entity can pay for the service as the entity uses the service or after the entity has consumed the service. For example, an escrow account can be established where the parties to the escrow account can agree upon the amount (in the form of a cryptographic currency) to be deposited and a service provider withdraws money (in the form of a cryptographic currency) as services are consumed as per a smart contract. The foregoing functionalities can be achieved through a combination of authentication and blockchain-based processes.

[0046] Fig. 2 is a message flow diagram of an example process that can be performed among the client device 102, the authenticator 1 16, the

authentication/payment server 106, and the blockchain network 1 10. [0047] The client device 102 (more specifically, the network-level authentication program 1 13) exchanges (at 202) messages with the authenticator 1 16 to establish an authentication session. As noted above, the authentication session can include an L2 authentication session, such as one established according to EAP. In such examples, the messages that are exchanged at 202 include EAP messages. In other examples, messages according to other protocols can be exchanged between the client device 102 and the authenticator 1 16 to establish an authentication session.

[0048] The following describes messages exchanged between the client device 102 and the authenticator 1 16 in examples where EAP is used. The client device 102 sends (at 204) an EAPOL-Start request to the authenticator 1 16, which is sent to a special group multicast Medium Access Control (MAC) address reserved for Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication, to allow the client device 102 to determine whether an authenticator (e.g., 1 16) is present, and if present, to let the authenticator know that the client device 102 is ready to perform an authentication process.

[0049] In response to the EAPOL-Start request, the authenticator 1 16 sends (at 206) an EAP Request to the client device 102, where the EAP Request specifies a specific EAP Method (a type of EAP-based authentication) the authenticator 1 16 wishes the client device 102 to perform.

[0050] If the client device 102 agrees to the EAP Method indicated in the EAP Request, the client device 102 sends (at 208) an EAP Response to the authenticator 1 16. The authenticator 1 16 then sends (at 210) an EAP Request (or other EAP message) that includes an EAP Type information element set to an "EAP

Blockchain" value. "EAT Type = EAP Blockchain" is an example of an indication that blockchain is to be used for performing authentication and payment. In other examples, other indications for using a blockchain for authenticating and payment can be sent by the authenticator 1 16 to the client device 102. [0051 ] Although a specific exchange of messages according to some examples is shown in Fig. 2 for establishing an authentication session, it is noted that in other examples, other techniques for establishing an authentication session can be used in which the authenticator 1 16 sends an indication that blockchain is to be used for authentication and payment is sent to the client device 102.

[0052] In response to the indication received at 210, the client device 102 sends (at 212) credential information in an authentication request to the

authentication/payment server 106. In examples according to Fig. 2, the credential information of the client device 102 includes a blockchain address of the client device 102 and a public key of the client device 102. As used here, a "blockchain address of a client device" can refer to the blockchain address of an entity

associated with the client device, which can be the client device itself or a user of the client device, a program in the client device, a component in the client device, or any other attribute associated with the client device. More generally, the credential information can include identification information associated with the client device, where an example of the identification information includes a blockchain address.

[0053] In examples where the authentication/payment server 106 is a RADIUS server, then the credential information of the client device 102 can first be sent in an authentication request to a network access server, such as the AP 108, which forwards a RADIUS Access Request to the authentication/payment server 106. The RADIUS Access Request contains the credential information received from the client device 102. In other examples, the client device 102 can send the credential information directly from the client device 102 to the authentication/payment server 106 in a message.

[0054] In response to receiving the credential information, the

authentication/payment server 106 accesses (at 214) the blockchain network 1 10 to confirm that the blockchain address in the received credential information is present in the corresponding blockchain, and to validate the public key in the credential information received from the client device 102. The blockchain address and the public key are sent by the authentication service 1 18 to the blockchain network 1 10. In response, a blockchain node 122 (full node) accesses the blocks of the corresponding blockchain to determine whether the blockchain address is present. If so, then that indicates that the blockchain address is valid. The blockchain node 122 also validates in the blockchain network 1 10 if the public key is valid for the blockchain address of the client device 102.

[0055] The authentication service 1 18 in the authentication/payment server 106 receives a response from the blockchain network 1 10, where the response can indicate whether or not the blockchain address in the received credential information is present in the blockchain. If present, then the authentication/payment server 106 can proceed with the remaining process shown in Fig. 2. However, if the blockchain address is not present in the blockchain database 1 10, then authentication is rejected and the authentication service 1 18 can send a failure indication back to the client device 102, such as in a RADIUS Access-Reject message.

[0056] Assuming that the blockchain network 1 10 confirms that the blockchain address of the entity associated with the wireless device 102 is in the blockchain, the authentication/payment server 106 sends (at 216) to the client device 102 an encrypted authentication challenge to the client device 102. The sending of an authentication challenge is part of a challenge-response authentication procedure in which a first entity (in this case the authentication/payment server 106) presents a question (challenge) and the second entity (in this case the client device 102) provides a valid answer (response) to be authenticated.

[0057] The encrypted authentication challenge sent by the

authentication/payment server 106 is encrypted with a private key (KsPriv) of the authentication/payment server 106 and the public key (KsPub) of the client device 102 (which was included in the credential information sent by the client device 102 to the authentication/payment server 106).

[0058] The application-level authentication program 1 12 in the client device 102 receives the encrypted authentication challenge from the authentication/payment server 106, and decrypts (at 218) the received encrypted authentication challenge. The decryption of the encrypted authentication challenge is performed by the application-level authentication program 1 12 using a private key (KcPriv) of the client device 102 and the public key (KsPub) of the authentication/payment server 106. The public key (KsPub) of the authentication/payment server 106 is stored as 130 in the storage medium 126 of the client device 102 (as shown in Fig. 1 ).

[0059] The application-level authentication program 1 12 in the client device 102 then encrypts (at 220) the decrypted authentication challenge with the public key (KsPub) of the authentication/payment server 106 and the private key (KcPriv) of the client device 102. The encrypted authentication challenge (which forms the response to the challenge received from the authentication/payment server 106) is sent (at 222) from the client device 102 to the authentication/payment server 106. Upon receipt of the response from the client device 102, the authentication/payment server 106 validates (at 224) that the authentication challenge was successfully received by the client device 102 and then successfully decrypted and re-encrypted by the client device 102.

[0060] The validation includes the authentication service 1 18 of the

authentication/payment server 106 decrypting the encrypted authentication challenge in the response received from the client device 102, where the decrypting uses the private key (KsPriv) of the authentication/payment server 106 and the public key (KcPub) of the client device 102. Once decrypted, the authentication service 1 18 compares the decrypted version of the authentication challenge from the client device 102 with the authentication challenge sent by the authentication service 1 18 to the client device 102. If the comparison yields a match, then successful validation has been performed.

[0061 ] Assuming that validation is successful, the application-level authentication program 1 12 in the client device 102 derives (at 226) a master key, and similarly, the authentication service 1 18 in the authentication/payment server 106 derives (at 228) the master key. The master key is a shared secret between the client device 102 and the authentication/payment server 106, and can be used for encrypting further communications between the client device 102 and the authentication/payment server 106. Both the client device 102 and the authentication/payment server 106 can derive the master key using the authentication challenge as a seed. For example, the authentication challenge can be provided as a seed into a

cryptographic function, which outputs the master key.

[0062] In accordance with some implementations of the present disclosure, before the authentication session terminates, a payment process can be performed. The payment process includes the payment service 120 in the

authentication/payment server 106 sending (at 230) payment information to the client device 102. For example, the payment information can specify payment rates for access of a given service. For example, if the given service is a network access service, then the payment information can specify the rate to charge per unit amount of data transferred in a network connection. For example, the service contract of the network service provider for access to the network along with rate contract can be in the form of smart contract that can be presented to the client device 102. The payment information can be encrypted using the public key (KcPub) of the wireless device 102.

[0063] The payment program 1 14 in the client device 102 receives the payment information, and decrypts the payment information using the private key (KcPriv) of the client device 102. The payment program 1 14 in the client device 102 then sends a token (at 232) as payment to the authentication/payment server 106. The token can be signed using the private key (KcPriv) of the client device 102, and the signed token can be encrypted using the public key (KsPub) of the authentication/payment server 106. In some examples, the token can be referred to as an ether or cryptographic currency, which is a medium of payment that is cryptographically protected (e.g., signed with or encrypted by an encryption key). Signing the token with the private key (KcPriv) of the client device 102 allows the

authentication/payment server 106 to verify that the token is actually sent by the client device 102.

[0064] The payment service 120 in the authentication/payment server 106 decrypts the token, and accesses (at 234) the blockchain network 1 10 to validate the token. The payment service 120 in the authentication/payment server 106 publishes the token to the blockchain network 1 10, which responds with an indication of whether or not the token is valid. Validating the token can include a blockchain node 122 (full node) in the blockchain network 1 10 publishing the token to the blockchain, which can respond with an indication of whether the token constitutes valid payment. For example, based on the transaction data of transactions maintained by the blockchain, the blockchain node 122 can determine whether or not the token was previously used. If so, then the token is not valid.

[0065] If the token is invalid, then the payment service 120 can reject the authentication request (sent at 212) from the client device 102.

[0066] Publishing a valid token for a current transaction to the blockchain also prevents the token from being reused again in the future. The token can be stored in a block of the blockchain as part of transaction data for the current transaction.

[0067] Assuming that the token is valid, the authentication service 1 18 in the authentication/payment server 106 sends an authentication success (at 236) to the client device 102. In examples where RADIUS and EAP are used, the authentication service 1 18 sends a RADIUS Authentication Success to the authenticator 1 16, which in turn sends an EAP success to the client device 102. In other examples, authentication success can be indicated using other messages, which can either pass through the authenticator 1 16 or can be sent directly from the

authentication/payment server 106 to the client device 102.

[0068] In response to receiving the authentication success, the client device 102 sends a response to the authentication/payment server 106 that causes termination of the authentication session (at 238).

[0069] At a later time, the smart contract manager 132 (Fig. 1 ) can receive an indication from a service provider (of the service that is being accessed by the client device 102) of the amount of actual usage of the service. If the service is a network connectivity service, then the amount of actual usage can be indicated as the number of bytes communicated. The smart contract manager 132 determines (at 240) based on the received indication any refund to issue to the client device 102. For example, the token sent at 232 may be a payment for 10 gigabytes (GB) of usage. However, the actual usage may be 6 GB. In this case, the smart contract manager 132 can determine, by accessing a smart contract in the smart contract database 134, that the client device is to be refunded an amount corresponding to the 4 GB of unused bandwidth.

[0070] The smart contract manager 132 sends (at 242) the refund amount to the blockchain network 1 10. A blockchain node 122 in the blockchain network 1 10 publishes the refund amount (represented by a refund token) to the blockchain.

Once confirmation is received from the blockchain network 1 10 that the refund amount has been successfully added to the blockchain network, then the smart contract manager 132 sends (at 244) the refund token to the client device 102. The client device 102 can use the refund token for future access of a service.

[0071 ] Thus, in accordance with some implementations of the present disclosure, if a user does not use the entirety of a service for which payment was made (e.g., the user partially uses the service), the authentication/payment server 106 can issue a refund to the user.

[0072] In alternate examples, instead of sending the payment information (at 230) in response to determining successful authentication of the client device 102, the authentication/payment server 106 can send, to the client device 102, a term of service that an entity associated with the client device 102 can choose to abide by. The term of service can be governed by a contract, such as a smart contract. If the entity chooses not to abide by the term of service, then the authentication/payment server 106 can deny access to the requested service.

[0073] In some examples, multiple terms of service along with respective qualities of service and corresponding monetary rates can be presented to the entity. For example, if the requested service is a network connectivity service, then the multiple terms of service can specify different network connection speeds, with higher monetary rates charged for higher connection speeds.

[0074] In response to the entity opting to accept a term of service (which can include selection of one of multiple terms of service), the authentication/payment server 106 can provide access to the requested service at the agreed to term of service. In examples where the term of service is included in a smart contract, the entity can accept the smart contract by digitally signing the smart contract. The smart contract can also include a payment term, and in response to the entity accepting the smart contract, the authentication/payment server 106 can implement the payment term of the smart contract for the access to the service. The

authentication/payment server 106 can obtain payment for using the service according to the payment information in the smart contract.

[0075] In some examples, an escrow account can also be maintained, in which the entity requesting service (or another entity) can deposit money. The escrow account can be maintained by a service provider or by a neutral third party.

Withdrawals can be made by the service provider from the escrow account as payment for usage of service, according to the agreed to term of service.

Maintenance of the escrow account and payments into and withdrawals from the escrow account can be managed by the smart contract manager 132 (Fig. 1 ) according to a smart contract.

[0076] Fig. 3 is a block diagram of a non-transitory machine-readable or computer-readable storage medium 300 storing machine-readable instructions that upon execution cause a server system to perform various tasks. The machine- readable instructions include the following instructions that are executable in an authentication session for authenticating an entity associated with a client device to access a service.

[0077] The machine-readable instructions include identification information receiving instructions 302 to receive, from the client device, identification information (e.g., a blockchain address) associated with the client device. The machine- readable instructions further include blockchain verifying instructions 304 to verify, using a blockchain network, an existence of the identification information. The machine-readable instructions also include payment sending instructions 306 to send, to the client device, payment information regarding payment for the service, and token receiving instructions 308 to receive, from the client device, a token as payment for the service.

[0078] Fig. 4 is a block diagram of a client device 400 according to further examples. The client device 400 can correspond to the client device 102 of Fig. 1 . The client device 400 includes a communication interface 402 to communicate over a network, and a processor 404 to perform various tasks. A processor performing a task can refer to a single processor performing the task, or multiple processors performing the task.

[0079] A processor can include a microprocessor, a core of a multi-core microprocessor, a microcontroller, a programmable integrated circuit, a

programmable gate array, or another hardware processing circuit.

[0080] The tasks include an authentication session initiating task 406 to initiate an authentication session with an authenticator to authenticate the client device for using a service. The tasks further include a blockchain indication receiving task 408 to receive, from the authenticator, an indication that a blockchain is to be used for authentication of the client device. The tasks additionally include a blockchain address sending task 410 to, in response to the indication, send, to an

authentication/payment server in the authentication session, a blockchain address of the client device. The tasks further include a cryptographic currency sending task 412 to send, to the authentication/payment server in the authentication session, a cryptographic currency as payment for the service.

[0081 ] Fig. 5 is a block diagram of a server 500 (implemented as a single computing node or a distributed arrangement of multiple computing nodes) including a processor 502 and a non-transitory storage medium 504 storing machine-readable instructions executable on the processor 502 to perform various tasks. Machine- readable instructions executable on a processor can refer to machine-readable instructions executable on one processor or on multiple processors.

[0082] The machine-readable instructions include authentication request receiving instructions 506 to receive, from a client device, an authentication request to initiate an authentication session for authenticating the client device. The machine-readable instructions further include blockchain indication sending instructions 508 to send, to the client device, an indication of use of a blockchain to authenticate the client device.

[0083] The machine-readable instructions further include validating instructions 510 to validate identification information of an entity associated with the client device using a blockchain network, the entity being part of a Distributed Autonomous Organization (DAO) that groups entities granted access to a service. The machine- readable instructions additionally include smart contract manager invoking instructions 512 to invoke a smart contract manager to propose a set of service contract options to the client device. The machine-readable instructions further include payment processing instructions 514 to process a payment and refund for use of the service by the client device using the blockchain network.

[0084] The storage medium 300 of Fig. 3 or the storage medium 504 of Fig. 5 can include any or some combination of the following: a semiconductor memory device such as a dynamic or static random access memory (a DRAM or SRAM), an erasable and programmable read-only memory (EPROM), an electrically erasable and programmable read-only memory (EEPROM) and flash memory; a magnetic disk such as a fixed, floppy and removable disk; another magnetic medium including tape; an optical medium such as a compact disk (CD) or a digital video disk (DVD); or another type of storage device. Storage can be located on premise, off premise, at a managed service provider, in a private or public cloud, or any combination thereof.

[0085] Note that the instructions discussed above can be provided on one computer-readable or machine-readable storage medium, or alternately, can be provided on multiple computer-readable or machine-readable storage media distributed in a large system having possibly plural nodes. Such computer-readable or machine-readable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.

[0086] In the foregoing description, numerous details are set forth to provide an understanding of the subject disclosed herein. However, implementations may be practiced without some of these details. Other implementations may include modifications and variations from the details discussed above. It is intended that the appended claims cover such modifications and variations.