Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

US 10,104,059 B2
Filed: 09/07/2016
Issued: 10/16/2018
Est. Priority Date: 09/08/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of facilitating transactions while minimizing sharing of sensitive account information, the computer-implemented method comprising:

determining a plurality of computing devices including at least;

a first computing device;

a second computing device associated with an external application;

a third computing device associated with an institution; and

a fourth computing device,wherein;

the first computing device is in two-way communication with all of the second, third, and fourth computing devices, andthe fourth computing device is in two-way communication with all of the first, third, and fourth computing devices;

by the first computing device executing program instructions;

receiving, from the second computing device, an authorization request including an indication of a user account;

retrieving, from the third computing device associated with the institution, information associated with the user account held by the institution; and

providing, to the fourth computing device, at least a portion of the information associated with the user account; and

by the fourth computing device executing program instructions;

receiving, from the first computing device, the information associated with the user account, wherein the information includes at least;

account information associated with the user account that is associated with the institution, andan identifier associated with an external application;

generating at least;

an electronic record of the information, anda token associated with the electronic record;

causing at least one of a unique identifier associated with the token or the token to be provided to the second computing device;

receiving, from the second computing device, at least;

the at least one of the unique identifier associated with the token or the token, anda request to cause a transaction related to the user account to be executed;

verifying, based at least in part on the at least one of the unique identifier associated with the token or the token, authorization of the second computing device to cause the transaction to be executed;

initiating the transaction via communication with the third computing device or another institution or transaction processor;

receiving a request to deauthorize the second computing device from causing execution of transactions related to the user account; and

in response to the request to deauthorize the second computing device, revoking the at least one of the unique identifier associated with the token or the token,whereby the second computing device is enabled to cause transactions related to the user account to be executed without sharing account information with the second computing device, andwhereby deauthorization of the second computing device from causing transactions to be executed is efficiently enabled by revocation of the at least one of the unique identifier associated with the token or the token.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user'"'"'s account.

Citations

30 Claims

1. A computer-implemented method of facilitating transactions while minimizing sharing of sensitive account information, the computer-implemented method comprising:
- determining a plurality of computing devices including at least;
  
  a first computing device;
  
  a second computing device associated with an external application;
  
  a third computing device associated with an institution; and
  
  a fourth computing device,wherein;
  
  the first computing device is in two-way communication with all of the second, third, and fourth computing devices, andthe fourth computing device is in two-way communication with all of the first, third, and fourth computing devices;
  
  by the first computing device executing program instructions;
  
  receiving, from the second computing device, an authorization request including an indication of a user account;
  
  retrieving, from the third computing device associated with the institution, information associated with the user account held by the institution; and
  
  providing, to the fourth computing device, at least a portion of the information associated with the user account; and
  
  by the fourth computing device executing program instructions;
  
  receiving, from the first computing device, the information associated with the user account, wherein the information includes at least;
  
  account information associated with the user account that is associated with the institution, andan identifier associated with an external application;
  
  generating at least;
  
  an electronic record of the information, anda token associated with the electronic record;
  
  causing at least one of a unique identifier associated with the token or the token to be provided to the second computing device;
  
  receiving, from the second computing device, at least;
  
  the at least one of the unique identifier associated with the token or the token, anda request to cause a transaction related to the user account to be executed;
  
  verifying, based at least in part on the at least one of the unique identifier associated with the token or the token, authorization of the second computing device to cause the transaction to be executed;
  
  initiating the transaction via communication with the third computing device or another institution or transaction processor;
  
  receiving a request to deauthorize the second computing device from causing execution of transactions related to the user account; and
  
  in response to the request to deauthorize the second computing device, revoking the at least one of the unique identifier associated with the token or the token,whereby the second computing device is enabled to cause transactions related to the user account to be executed without sharing account information with the second computing device, andwhereby deauthorization of the second computing device from causing transactions to be executed is efficiently enabled by revocation of the at least one of the unique identifier associated with the token or the token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device via the first computing device.
  - 3. The computer-implemented method of claim 1, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device directly.
  - 4. The computer-implemented method of claim 1 further comprising:
    - by the first computing device;
      
      providing, to the fourth computing device, one or more permissions along with the information associated with the user account; and
      
      by the fourth computing device;
      
      in response to receiving the request to cause the transaction related to the user account to be executed, determining, based on the one or more permissions, an authorization of the external application to cause the transaction related to the user account to be executed.
  - 5. The computer-implemented method of claim 4 further comprising:
    - by the fourth computing device;
      
      providing an indication to the second computing device whether or not there is an authorization of the external application to cause the transaction related to the user account to be executed.
  - 6. The computer-implemented method of claim 1, wherein the information associated with the user account further includes at least one of:
    - an indication of the external application, or an indication of the institution.
  - 7. The computer-implemented method of claim 1 further comprising:
    - by the fourth computing device;
      
      providing an indication to the second computing device whether or not execution of the transaction is successful.
  - 8. The computer-implemented method of claim 1, wherein the account information associated with a user account includes at least one of:
    - an account number, or a routing number.
  - 9. The computer-implemented method of claim 1, wherein the generating is performed in response to a request received from a computing device associated with the external application.
  - 10. The computer-implemented method of claim 1, wherein the method does not include direct communications between the second and third computing devices.

11. A system configured to facilitate transactions while minimizing sharing of sensitive account information, the system comprising:
- a plurality of computing devices including at least;
  
  a first computing device;
  
  a second computing device associated with an external application;
  
  a third computing device associated with an institution; and
  
  a fourth computing device,wherein;
  
  the first computing device is in two-way communication with all of the second, third, and fourth computing devices,the fourth computing device is in two-way communication with all of the first, third, and fourth computing devices,the first computing device is configured to execute program instructions to cause the first computing device to;
  
  receive, from the second computing device, an authorization request including an indication of a user account;
  
  retrieve, from the third computing device associated with the institution, information associated with the user account held by the institution; and
  
  provide, to the fourth computing device, at least a portion of the information associated with the user account, andthe fourth computing device is configured to execute program instructions to cause the fourth computing device to;
  
  receive, from the first computing device, the information associated with the user account, wherein the information includes at least;
  
  account information associated with the user account that is associated with the institution, andan identifier associated with an external application;
  
  generating at least;
  
  an electronic record of the information, anda token associated with the electronic record;
  
  cause at least one of a unique identifier associated with the token or the token to be provided to the second computing device;
  
  receive, from the second computing device, at least;
  
  the at least one of the unique identifier associated with the token or the token, anda request to cause a transaction related to the user account to be executed;
  
  verify, based at least in part on the at least one of the unique identifier associated with the token or the token, authorization of the second computing device to cause the transaction to be executed;
  
  initiate the transaction via communication with the third computing device or another institution or transaction processor;
  
  receive a request to deauthorize the second computing device from causing execution of transactions related to the user account; and
  
  in response to the request to deauthorize the second computing device, revoke the at least one of the unique identifier associated with the token or the token,whereby the second computing device is enabled to cause transactions related to the user account to be executed without sharing account information with the second computing device, andwhereby deauthorization of the second computing device from causing transactions to be executed is efficiently enabled by revocation of the at least one of the unique identifier associated with the token or the token.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device via the first computing device.
  - 13. The system of claim 11, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device directly.
  - 14. The system of claim 11, wherein:
    - the first computing device is further configured to execute program instructions to cause the first computing device to;
      
      provide, to the fourth computing device, one or more permissions along with the information associated with the user account, andthe fourth computing device is further configured to execute program instructions to cause the fourth computing device to;
      
      in response to receiving the request to cause the transaction related to the user account to be executed, determine, based on the one or more permissions, an authorization of the external application to cause the transaction related to the user account to be executed.
  - 15. The system of claim 14, wherein:
    - the fourth computing device is further configured to execute program instructions to cause the fourth computing device to;
      
      provide an indication to the second computing device whether or not there is an authorization of the external application to cause the transaction related to the user account to be executed.
  - 16. The system of claim 11, wherein the information associated with the user account further includes at least one of:
    - an indication of the external application, or an indication of the institution.
  - 17. The system of claim 11, wherein:
    - the fourth computing device is further configured to execute program instructions to cause the fourth computing device to;
      
      provide an indication to the second computing device whether or not execution of the transaction is successful.
  - 18. The system of claim 11, wherein the account information associated with a user account includes at least one of:
    - an account number, or a routing number.
  - 19. The system of claim 11, wherein the generating is performed in response to a request received from a computing device associated with the external application.
  - 20. The system of claim 11, wherein the method does not include direct communications between the second and third computing devices.

21. A computer program product for facilitating transactions while minimizing sharing of sensitive account information, the computer program product comprising one or more non-transitory computer readable storage mediums having program instructions embodied therewith, the program instructions executable by one or more computing devices to:
- determine a plurality of computing devices including at least;
  
  a first computing device;
  
  a second computing device associated with an external application;
  
  a third computing device associated with an institution; and
  
  a fourth computing device,wherein;
  
  the first computing device is in two-way communication with all of the second, third, and fourth computing devices, andthe fourth computing device is in two-way communication with all of the first, third, and fourth computing devices;
  
  by the first computing device executing program instructions;
  
  receive, from the second computing device, an authorization request including an indication of a user account;
  
  retrieve, from the third computing device associated with the institution, information associated with the user account held by the institution; and
  
  provide, to the fourth computing device, at least a portion of the information associated with the user account; and
  
  by the fourth computing device executing program instructions ;
  
  receive, from the first computing device, the information associated with the user account, wherein the information includes at least;
  
  account information associated with the user account that is associated with the institution, andan identifier associated with an external application;
  
  generating at least;
  
  an electronic record of the information, anda token associated with the electronic record;
  
  cause at least one of a unique identifier associated with the token or the token to be provided to the second computing device;
  
  receive, from the second computing device, at least;
  
  the at least one of the unique identifier associated with the token or the token, anda request to cause a transaction related to the user account to be executed;
  
  verify, based at least in part on the at least one of the unique identifier associated with the token or the token, authorization of the second computing device to cause the transaction to be executed;
  
  initiate the transaction via communication with the third computing device or another institution or transaction processor;
  
  receive a request to deauthorize the second computing device from causing execution of transactions related to the user account; and
  
  in response to the request to deauthorize the second computing device, revoke the at least one of the unique identifier associated with the token or the token,whereby the second computing device is enabled to cause transactions related to the user account to be executed without sharing account information with the second computing device, andwhereby deauthorization of the second computing device from causing transactions to be executed is efficiently enabled by revocation of the at least one of the unique identifier associated with the token or the token.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device via the first computing device.
  - 23. The computer program product of claim 21, wherein the at least one of the unique identifier associated with the token or the token is provided to the second computing device directly.
  - 24. The computer program product of claim 21, wherein the program instructions are executable by one or more computing devices to further:
    - by the first computing device;
      
      provide, to the fourth computing device, one or more permissions along with the information associated with the user account; and
      
      by fourth computing device;
      
      in response to receiving the request to cause the transaction related to the user account to be executed, determine, based on the one or more permissions, an authorization of the external application to cause the transaction related to the user account to be executed.
  - 25. The computer program product of claim 24, wherein the program instructions are executable by one or more computing devices to further:
    - by the fourth computing device;
      
      provide an indication to the second computing device whether or not there is an authorization of the external application to cause the transaction related to the user account to be executed.
  - 26. The computer program product of claim 21, wherein the information associated with the user account further includes at least one of:
    - an indication of the external application, or an indication of the institution.
  - 27. The computer program product of claim 21, wherein the program instructions are executable by one or more computing devices to further:
    - by the fourth computing device;
      
      provide an indication to the second computing device whether or not execution of the transaction is successful.
  - 28. The computer program product of claim 21, wherein the account information associated with a user account includes at least one of:
    - an account number, or a routing number.
  - 29. The computer program product of claim 21, wherein the generating is performed in response to a request received from a computing device associated with the external application.
  - 30. The computer program product of claim 21, wherein the method does not include direct communications between the second and third computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Plaid Inc.
Original Assignee
Plaid Technologies Incorporated (Plaid Inc.)
Inventors
Hockey, William, Kelly, Michael
Primary Examiner(s)
Nguyen, Tien C

Application Number

US15/258,262
Publication Number

US 20170068954A1
Time in Patent Office

769 Days
Field of Search

705 44, 705 39, 705 64, 705 261, 705 37, 705 40, 705 38, 705 42, 235378, 235380, 235379
US Class Current
CPC Class Codes

G06Q 20/385   using an alias or single-us...

H04L 2463/102   applying security measure f...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0892   by using authentication-aut...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links