Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

US 10,523,653 B2
Filed: 06/08/2018
Issued: 12/31/2019
Est. Priority Date: 09/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first computing device associated with an institution; and

a second computing device associated with a permissions manager,wherein;

the first computing device and second computing device are configured to communicate with a third computing device associated with a user;

the second computing device is configured to communicate with a fourth computing device associated with an external application;

the first computing device is further configured to;

receive an authorization request via a plug-in executing on the third computing device, the authorization request including information including at least;

account credentials associated with an account of the user held by the institution, andan indication of the account of the user held by the institution,wherein the plug-in is configured to provide the account credentials to the first computing device without storing the account credentials on the third computing device;

generate at least;

an electronic record of the information including the account credentials, anda token associated with the electronic record; and

provide the token to the second computing device;

the second computing device is further configured to;

receive the token and associate the token with the institution, the external application, and the account of the user;

receive, from the fourth computing device, a request for account data associated with the account of the user; and

in response to receiving the request for account data from the fourth computing device;

identify the token as being associated with the external application and the account of the user; and

communicate, to the first computing device associated with the institution, the token and the request for account data;

the first computing device is further configured to;

receive, from the second computing device, the token and the request for account data;

verify, using the token, authorization to provide the account data;

access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and

communicate, to the second computing device, the account data associated with the account of the user; and

the second computing device is further configured to;

receive, from the first computing device, the account data; and

communicate the account data to the fourth computing device,wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user'"'"'s account.

256 Citations

15 Claims

1. A system comprising:
- a first computing device associated with an institution; and
  
  a second computing device associated with a permissions manager,wherein;
  
  the first computing device and second computing device are configured to communicate with a third computing device associated with a user;
  
  the second computing device is configured to communicate with a fourth computing device associated with an external application;
  
  the first computing device is further configured to;
  
  receive an authorization request via a plug-in executing on the third computing device, the authorization request including information including at least;
  
  account credentials associated with an account of the user held by the institution, andan indication of the account of the user held by the institution,wherein the plug-in is configured to provide the account credentials to the first computing device without storing the account credentials on the third computing device;
  
  generate at least;
  
  an electronic record of the information including the account credentials, anda token associated with the electronic record; and
  
  provide the token to the second computing device;
  
  the second computing device is further configured to;
  
  receive the token and associate the token with the institution, the external application, and the account of the user;
  
  receive, from the fourth computing device, a request for account data associated with the account of the user; and
  
  in response to receiving the request for account data from the fourth computing device;
  
  identify the token as being associated with the external application and the account of the user; and
  
  communicate, to the first computing device associated with the institution, the token and the request for account data;
  
  the first computing device is further configured to;
  
  receive, from the second computing device, the token and the request for account data;
  
  verify, using the token, authorization to provide the account data;
  
  access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and
  
  communicate, to the second computing device, the account data associated with the account of the user; and
  
  the second computing device is further configured to;
  
  receive, from the first computing device, the account data; and
  
  communicate the account data to the fourth computing device,wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the second computing device is further configured to:
    - receive, from the third computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and
      
      in response to the request to deauthorize access, revoke the token or revoke access to the user account associated with the token.
  - 3. The system of claim 2, wherein the second computing device is further configured to:
    - receive one or more permissions that indicate constraints on authorization of the external application to access the account data;
      
      store the one or more permissions; and
      
      determine, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data.
  - 4. The system of claim 3, wherein the second computing device is further configured to:
    - communicate the account data to the fourth computing device in response to determining the external application is authorized to access the account data.
  - 5. The system of claim 4, wherein the first computing device is further configured to:
    - in response to receiving the information associated with the authorization request, provide, to the third computing device, a request for additional information, wherein the authentication information includes at least one of;
      
      multi-factor authentication information, a selection of the user account of the one or more user accounts, or an indication of agreement to a document.
  - 6. The system of claim 5, wherein the first computing device is further configured to:
    - provide the token to the second computing device via the plug-in executing on the third computing device.
  - 7. The system of claim 5, wherein the first computing device is further configured to:
    - receive, from the third computing device, a response to the request for additional information, wherein the token is not provided to the third computing device until after the response is received.
  - 8. The system of claim 7, wherein the second computing device is further configured to:
    - provide a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier.
  - 9. The system of claim 8, wherein the second computing device is further configured to:
    - provide a public token or key to the fourth computing device;
      
      receive, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and
      
      verify the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application.

10. A system comprising:
- a second computing device associated with a permissions manager, the second computing device in communication with a first computing device associated an institution, a third computing device associated with a user, and a fourth computing device associated with an external application, the second computing device configured to;
  
  receive from the first computing device a token associated with an account of a user held by the institution, the token generated by the first computing device after the first computing device has validated account credentials provided by the user of the third computing device on a plug-in executing on the third computing device, wherein the plug-in is configured to provide the account credentials to the first computing device without storing the account credentials on the third computing device;
  
  associate the token with the institution and the account of the user;
  
  receive, from the fourth computing device, a request for account data associated with the account of the user;
  
  in response to receiving the request for account data from the fourth computing device, communicate to the first computing device associated with the institution, the token and the request for account data;
  
  receive, from the first computing device, the account data after the first computing device has verified authorization to provide the account data using the token and accessed the account data from the account of the user at the institution; and
  
  communicate the account data to the fourth computing device,wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the second computing device is further configured to:
    - receive, from the third computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and
      
      in response to the request to deauthorize access, revoke the token or revoke access to the account of the user.
  - 12. The system of claim 11, wherein the second computing device is further configured to:
    - receive one or more permissions that indicate constraints on authorization of the external application to access the account data;
      
      store the one or more permissions; and
      
      determine, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data.
  - 13. The system of claim 12, wherein the second computing device is further configured to:
    - communicate the account data to the fourth computing device after determining the external application is authorized to access the account data.
  - 14. The system of claim 13, wherein the second computing device is further configured to:
    - provide a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier.
  - 15. The system of claim 14, wherein the second computing device is further configured to:
    - provide a public token or key to the fourth computing device;
      
      receive, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and
      
      verify the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Plaid Inc.
Original Assignee
Plaid Technologies Incorporated (Plaid Inc.)
Inventors
Hockey, William, Kelly, Michael
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US16/003,640
Publication Number

US 20190014101A1
Time in Patent Office

571 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 20/385   using an alias or single-us...

H04L 2463/102   applying security measure f...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0892   by using authentication-aut...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

256 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

256 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others