Systems and methods for authenticating users in connection with mobile operations

US10810585B2 · US · B2

Patent metadata
Publication number: US-10810585-B2
Application number: US-201816029095-A
Country: US
Kind code: B2
Filing date: Jul 6, 2018
Priority date: Jul 6, 2018
Publication date: Oct 20, 2020
Grant date: Oct 20, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and methods provide multi-function authentication. One exemplary method includes receiving a request to opt into multi-function authentication. A primary operation-based key is generated by the communication device, the operation-based key accessible based on authentication of the user and available for use after the authentication. The primary key is imported, by an application, into a secure key data structure, such that it is only accessible by the application. When the biometric authentication of the user is successful, the communication device transmits to an account server an indication that the user is eligible for multi-function authentication. The communication device receives a time-based secondary key from the account server, wherein the time-based key is useable only during a defined interval. The application links the secondary key to the primary key and imports the secondary key into the data structure such that it is only accessible via the primary key.

First claim

Claim text as shown on this page (claims 1 through 17 in full; claim 18 is cut off in the source).

What is claimed is:

1. A computer-implemented method for enabling multi-function authentication of a user, the method comprising: receiving, by a communication device, a request from a user to opt into multi-function authentication; in response to the request, generating, by the communication device, a primary key, wherein the primary key is an operation-based key, the operation-based key accessible based on authentication of the user and available for use after the authentication; importing, by an application of the communication device, the generated primary key into a secure key data structure of the communication device, such that the primary key is only accessible by the application; after generating the primary key, prompting, by the communication device, the user for biometric authentication; when the biometric authentication is successful, transmitting, by the communication device, to an account server, an indication that the user is eligible for multi-function authentication; and in response to the transmission: receiving, by the communication device from the account server, a secondary key, wherein the secondary key is a time-based key useable only during a defined interval; and linking, by the application of the communication device, the secondary key to the primary key and importing the secondary key into the secure key data structure of the communication device, such that the secondary key is only accessible via the primary key, whereby the user is opted into the multi-function authentication.

2. The method of claim 1, further comprising: after the user is opted into the multi-function authentication, and in connection with funding a payment account transaction: authenticating, by the communication device, the user based on a received biometric; accessing, by the communication device, the primary key from the secure key data structure; initializing, by the communication device, a cipher object with the primary key; decrypting, by the communication device via the cipher object, a transaction PIN; generating, by the communication device, a cryptogram based on the decrypted transaction PIN and a payment token associated with a payment account; and passing, by the communication device, the cryptogram to a point-of-sale terminal, thereby enabling the payment account transaction to be processed.

3. The method of claim 1, further comprising: after the user is opted into the multi-function authentication, and in connection with a payment account operation: authenticating, by the communication device, the user based on a received biometric; accessing, by the communication device, the primary key from the secure key data structure; initializing, by the communication device, a cipher object with the primary key; signing, by the communication device via the cipher object, a random number using the primary key; transmitting the signed random number to the account server; and in response to the transmission of the signed random number, receiving a response including a transaction PIN.

4. The method of claim 1, further comprising: after the user is opted into the multi-function authentication, and in connection with a payment account operation: authenticating, by the communication device, the user based on a received biometric; accessing, by the communication device, the secondary key from the secure key data structure via the primary key; initializing, by the communication device, a cipher object with the secondary key; generating, by the communication device, a signature for a device token, the signature based on the cipher object and the secondary key, the device token unique to the communication device; and transmitting the signed device token to a third party server associated with an issuer, thereby enabling the third party server to verify the signature for the payment account operation.

5. The method of claim 1, further comprising: after the user is opted into the multi-function authentication, and in connection with a payment account operation: authenticating, by the communication device, the user based on a received biometric; accessing, by the communication device, the secondary key from the secure key data structure via the primary key; initializing, by the communication device, a cipher object with the secondary key; encrypting, by the communication device via the cipher object, data including a device token; and transmitting the encrypted data to a third party server associated with an issuer, thereby enabling the third party server to decrypt the data and authenticate the communication device for the payment account operation.

6. The method of claim 1, further comprising: deleting, by the communication device, the primary key from the secure key data structure; and based on the deletion of the primary key from the secure key data structure, deleting, by the communication device, the secondary key from the secure key data structure.

7. The method of claim 6, wherein the primary key is deleted from the secure key data structure in response to an expiration or invalidation of the primary key.

8. The method of claim 7, wherein the expiration or invalidation is based on at least one of the following: a new user being added to the communication device and a new biometric being registered to the communication device.

9. The method of claim 6, wherein the primary key and the secondary key are deleted from the secure key data structure in response to the user requesting to opt out of the multi-function authentication.

10. The method of claim 1, further comprising, in response to the transmission: receiving, by the communication device from the account server, signed and/or encrypted data and storing the signed and/or encrypted data in memory of the communication device, the encrypted data including an encrypted transaction PIN, wherein the transaction PIN is signed and/or encrypted with the primary key.

11. The method of claim 10, further comprising, when the biometric authentication is successful, transmitting, by the communication device, to the account server, the primary key in connection with transmitting the indication that the user is eligible for multifunction authentication.

12. The method of claim 11, wherein the primary key includes a primary key pair, the primary key pair including a private key and a public key; and wherein transmitting the primary key consists of transmitting the public key.

13. The method of claim 1, further comprising storing an encrypted transaction PIN in a memory of the communication device prior to the transmission.

14. The method of claim 1, wherein the indication that the user is eligible for multi-function authentication is based on at least one of an operating system of the communication device, a determination that the communication device includes a trusted execution environment, a determination that the communication device includes a biometric sensor, and a determination that the communication device includes an enrolled biometric reference.

15. The method of claim 1, wherein the application of the communication device is a virtual wallet application.

16. The method of claim 1, where the secondary key is generated by the account server in response to the transmission.

17. The method of claim 1, wherein the primary key is available for use only once after the authentication of the user.

18. A system for enabling multi-function authentication of a user, the system comprising: a processor configured, by computer-executable instructions,
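The claims above describe a two-tier key hierarchy: a device-generated primary key that only the wallet application can read and only after a biometric prompt (claim 1, single use per authentication in claim 17), a server-issued secondary key that is useable only during a defined interval and reachable only through the primary key (claims 1, 4, 16), and cascading deletion when the primary key is invalidated, for example by a newly enrolled biometric (claims 6 and 8). The following is an added example written for this page, not code from the patent, from Mastercard, or from any platform vendor. It simulates that hierarchy with the Python standard library only: the `SecureKeyStore`, `AccountServer` and `Device` classes, the `wrap`/`unwrap` key-wrap helper, the `APP` constant and the `biometric_prompt` flag are all stand-ins chosen here. The key wrap is a toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for the AEAD a real keystore would use, and the primary key is symmetric and shared with the server as in claim 11 rather than the asymmetric variant of claim 12.

```python
# Added example (not from the patent or any vendor): stdlib-only simulation of the
# claim 1 opt-in flow and the follow-on operations in claims 4, 6, 8, 16 and 17.
import hashlib
import hmac
import secrets

APP = "wallet"  # claim 15: the importing application is a virtual wallet (name assumed)

def _keystream(kek, nonce, n):
    blocks = (hmac.new(kek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek, payload):
    """Toy key wrap (assumption): fresh nonce, HMAC keystream XOR, HMAC tag over nonce+ct."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(kek, nonce, len(payload))))
    return hmac.new(kek, nonce + ct, hashlib.sha256).digest() + nonce + ct

def unwrap(kek, blob):
    tag, nonce, ct = blob[:32], blob[32:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secondary key blob failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

class SecureKeyStore:
    """Stand-in for the device's secure key data structure (TEE-backed on a real phone)."""
    def __init__(self):
        self._entries = {}
        self.user_authenticated = False  # set by the most recent biometric prompt
    def import_key(self, alias, key, app, requires_auth, linked_to=None):
        self._entries[alias] = dict(key=key, app=app, requires_auth=requires_auth,
                                    linked_to=linked_to)
    def get(self, alias, app):
        e = self._entries.get(alias)
        if e is None:
            raise KeyError(alias)
        if e["app"] != app:  # claim 1: only the importing application may read the key
            raise PermissionError(f"{alias} is not accessible to {app}")
        if e["requires_auth"]:
            if not self.user_authenticated:
                raise PermissionError("biometric authentication required")
            self.user_authenticated = False  # claim 17: one use per authentication
        return e["key"]
    def delete(self, alias):
        """Claim 6: deleting a key also deletes every key linked to it."""
        self._entries.pop(alias, None)
        for child in [a for a, e in self._entries.items() if e["linked_to"] == alias]:
            self._entries.pop(child)
    def __contains__(self, alias):
        return alias in self._entries

class AccountServer:
    """Stand-in for the account server: issues the time-based secondary key (claim 16)."""
    def __init__(self, interval_s=3600):
        self.interval_s, self.records = interval_s, {}
    def enroll(self, device_id, now):
        key = secrets.token_bytes(32)
        self.records[device_id] = dict(key=key, not_before=now, not_after=now + self.interval_s)
        return key, now + self.interval_s
    def verify_device_token(self, device_id, token, sig, now):
        r = self.records[device_id]
        if not r["not_before"] <= now < r["not_after"]:
            return False  # the secondary key is useable only during its defined interval
        return hmac.compare_digest(sig, hmac.new(r["key"], token, hashlib.sha256).digest())

class Device:
    def __init__(self, device_id, server):
        self.device_id, self.server, self.store = device_id, server, SecureKeyStore()
        self.token = secrets.token_bytes(16)  # device token, unique to this device (claim 4)
        self.expires = None
    def biometric_prompt(self, matches):
        self.store.user_authenticated = matches  # stand-in for the sensor match result
        return matches
    def opt_in(self, now, biometric_matches):
        """Claim 1: generate and import the primary, prompt, then fetch and link the secondary."""
        self.store.import_key("primary", secrets.token_bytes(32), APP, requires_auth=True)
        if not self.biometric_prompt(biometric_matches):
            return False  # no eligibility message is sent without a matching biometric
        secondary, self.expires = self.server.enroll(self.device_id, now)
        wrapped = wrap(self.store.get("primary", APP), secondary)
        self.store.import_key("secondary", wrapped, APP, requires_auth=False, linked_to="primary")
        return True
    def sign_device_token(self, now, biometric_matches):
        """Claim 4: reach the secondary key through the primary and sign the device token."""
        if not self.biometric_prompt(biometric_matches):
            raise PermissionError("biometric mismatch")
        if self.expires is None or now >= self.expires:
            raise PermissionError("secondary key outside its defined interval")
        secondary = unwrap(self.store.get("primary", APP), self.store.get("secondary", APP))
        return hmac.new(secondary, self.token, hashlib.sha256).digest()
    def register_new_biometric(self):
        """Claim 8: a new biometric invalidates the primary, which takes the secondary with it."""
        self.store.delete("primary")
```

Two properties worth checking when reading this against the claims: the secondary key is never stored in the clear, so an attacker who can read the store entries but cannot pass the biometric prompt gets only a wrapped blob; and because the wrapped blob is linked to the primary, `register_new_biometric()` removes both entries in one step, which is what keeps a newly enrolled fingerprint from inheriting the old user's opt-in. On a real device the store is the platform's hardware-backed keystore, which can bind a key to a biometric prompt and invalidate it on new enrollment; the patent names no platform, so the simulation stays generic. Claim 12's asymmetric primary key, where only the public half leaves the device, is the stronger choice in practice than the symmetric key shared here.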

Assignees

Mastercard International Inc
Inventors

Classifications

  • using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

  • combining multiple encryption tools for a transaction · CPC title

  • Biometric identity checks · CPC title

  • Verifying personal identification numbers [PIN] · CPC title

  • H04L63/068 (primary): using time-dependent keys, e.g. periodically changing keys (cryptographic mechanisms or cryptographic arrangements for controlling usage of secret information H04L9/088) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10810585B2 cover?
Systems and methods provide multi-function authentication. One exemplary method includes receiving a request to opt into multi-function authentication. A primary operation-based key is generated by the communication device, the operation-based key accessible based on authentication of the user and available for use after the authentication. The primary key is imported, by an application, into a…
Who is the assignee on this patent?
Mastercard International Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/068. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 20, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).