Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

US 10,003,591 B2
Filed: 09/07/2016
Issued: 06/19/2018
Est. Priority Date: 09/08/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first computing device associated with a user;

a second computing device associated with an institution; and

a third computing device associated with a permissions manager,wherein;

the third computing device is in communication with a fourth computing device associated with an external application;

the first computing device is configured to;

execute a plug-in comprising javascript code provided by the second computing device or the third computing device;

receive, from the user and via the plug-in, account credentials associated with an account of the user held by the institution;

communicate the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and

not store the account credentials;

the second computing device is configured to;

receive, from the first computing device, information associated with an authorization request, the information including at least;

the account credentials,an indication of the account of the user held by the institution, andan indication of the external application as being associated with the authorization request;

generate at least;

an electronic record of the information including the account credentials, anda token associated with the electronic record; and

provide the token to the first computing device via the plug-in executing on the first computing device;

the first computing device is further configured to;

via the plug-in, receive the token and communicate the token to the third computing device;

the third computing device is configured to;

receive the token, wherein the token is associated with the institution, the external application, and the account of the user;

receive, from the fourth computing device, a request for account data associated with the account of the user; and

in response to receiving the request for account data from the fourth computing device;

identify the token as being associated with the external application and the account of the user; and

communicate, to the second computing device associated with the institution, the token and the request for account data;

the second computing device is further configured to;

receive, from the third computing device, the token and the request for account data;

verify, using the token, authorization of the external application to receive the account data;

access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and

communicate, to the third computing device, the account data associated with the account of the user; and

the third computing device is further configured to;

receive, from the second computing device, the account data; and

communicate the account data to the fourth computing device, andwherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user'"'"'s account.

249 Citations

14 Claims

1. A system comprising:
- a first computing device associated with a user;
  
  a second computing device associated with an institution; and
  
  a third computing device associated with a permissions manager,wherein;
  
  the third computing device is in communication with a fourth computing device associated with an external application;
  
  the first computing device is configured to;
  
  execute a plug-in comprising javascript code provided by the second computing device or the third computing device;
  
  receive, from the user and via the plug-in, account credentials associated with an account of the user held by the institution;
  
  communicate the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and
  
  not store the account credentials;
  
  the second computing device is configured to;
  
  receive, from the first computing device, information associated with an authorization request, the information including at least;
  
  the account credentials,an indication of the account of the user held by the institution, andan indication of the external application as being associated with the authorization request;
  
  generate at least;
  
  an electronic record of the information including the account credentials, anda token associated with the electronic record; and
  
  provide the token to the first computing device via the plug-in executing on the first computing device;
  
  the first computing device is further configured to;
  
  via the plug-in, receive the token and communicate the token to the third computing device;
  
  the third computing device is configured to;
  
  receive the token, wherein the token is associated with the institution, the external application, and the account of the user;
  
  receive, from the fourth computing device, a request for account data associated with the account of the user; and
  
  in response to receiving the request for account data from the fourth computing device;
  
  identify the token as being associated with the external application and the account of the user; and
  
  communicate, to the second computing device associated with the institution, the token and the request for account data;
  
  the second computing device is further configured to;
  
  receive, from the third computing device, the token and the request for account data;
  
  verify, using the token, authorization of the external application to receive the account data;
  
  access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and
  
  communicate, to the third computing device, the account data associated with the account of the user; and
  
  the third computing device is further configured to;
  
  receive, from the second computing device, the account data; and
  
  communicate the account data to the fourth computing device, andwherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the second computing device is further configured to;
      
      receive, from the first computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and
      
      in response to the request to deauthorize access, update the electronic record to indicate a revocation of the token or a revocation of access to the user account associated with the token.
  - 3. The system of claim 2, wherein:
    - the information further includes one or more permissions that indicate constraints on authorization of the external application to access the account data; and
      
      the second computing device is further configured to;
      
      store the one or more permissions in the electronic record; and
      
      determine, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data.
  - 4. The system of claim 3, wherein:
    - the second computing device is further configured to;
      
      in response to receiving the information associated with the authorization request, provide, to the first computing device, a request for additional information, wherein the authentication information includes at least one of;
      
      multi-factor authentication information, a selection of the user account of the one or more user accounts, or an indication of agreement to a document.
  - 5. The system of claim 4, wherein:
    - the second computing device is further configured to;
      
      receive, from the first computing device, a response to the request for additional information, wherein the token is not provided to the first computing device until after the response is received.
  - 6. The system of claim 3, wherein:
    - the third computing device is further configured to;
      
      provide a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier.
  - 7. The system of claim 6, wherein:
    - the third computing device is further configured to;
      
      provide a public token or key to the fourth computing device;
      
      receive, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and
      
      verify the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application.

8. A computer-implemented method comprising:
- by a first computing device comprising one or more processors executing program instructions, the first computing device being associated with a user;
  
  executing a plug-in comprising javascript code provided by a second computing device or the third computing device;
  
  receiving, from the user and via the plug-in, account credentials associated with an account of the user held by the institution;
  
  communicating the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and
  
  not storing the account credentials;
  
  by the second computing device comprising one or more processors executing program instructions, the second computing device being associated with an institution;
  
  receiving, from the first computing device, information associated with an authorization request, the information including at least;
  
  the account credentials,an indication of the account of the user held by the institution, andan indication of the external application as being associated with the authorization request;
  
  generating at least;
  
  an electronic record of the information including the account credentials, anda token associated with the electronic record; and
  
  providing the token to the first computing device via the plug-in executing on the first computing device;
  
  further by the first computing device;
  
  via the plug-in, receiving the token and communicate the token to a third computing device;
  
  by the third computing device comprising one or more processors executing program instructions, the third computing device being associated with a permissions manager;
  
  receiving the token, wherein the token is associated with the institution, the external application, and the account of the user;
  
  receiving, from a fourth computing device, a request for account data associated with the account of the user, the fourth computing device being associated with an external application; and
  
  in response to receiving the request for account data from the fourth computing device;
  
  identifying the token as being associated with the external application and the account of the user; and
  
  communicating, to the second computing device associated with the institution, the token and the request for account data;
  
  further by the second computing device;
  
  receiving, from the third computing device, the token and the request for account data;
  
  verifying, using the token, authorization of the external application to receive the account data;
  
  accessing the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and
  
  communicating, to the third computing device, the account data associated with the account of the user; and
  
  further by the third computing device;
  
  receiving, from the second computing device, the account data; and
  
  communicating the account data to the fourth computing device, andwherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8 further comprising:
    - further by the second computing device;
      
      receive, from the first computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and
      
      in response to the request to deauthorize access, update the electronic record to indicate a revocation of the token or a revocation of access to the user account associated with the token.
  - 10. The computer-implemented method of claim 9, wherein:
    - the information further includes one or more permissions that indicate constraints on authorization of the external application to access the account data; and
      
      the computer-implemented method further comprises;
      
      further by the second computing device;
      
      storing the one or more permissions in the electronic record; and
      
      determining, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data.
  - 11. The computer-implemented method of claim 10 further comprising:
    - further by the second computing device;
      
      in response to receiving the information associated with the authorization request, providing, to the first computing device, a request for additional information, wherein the authentication information includes at least one of;
      
      multi-factor authentication information, a selection of the user account of the one or more user accounts, or an indication of agreement to a document.
  - 12. The computer-implemented method of claim 11 further comprising:
    - further by the second computing device;
      
      receiving, from the first computing device, a response to the request for additional information, wherein the token is not provided to the first computing device until after the response is received.
  - 13. The computer-implemented method of claim 8 further comprising:
    - further by the third computing device;
      
      providing a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier.
  - 14. The computer-implemented method of claim 13 further comprising:
    - further by the third computing device;
      
      providing a public token or key to the fourth computing device;
      
      receiving, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and
      
      verifying the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Plaid Inc.
Original Assignee
Plaid Technologies Incorporated (Plaid Inc.)
Inventors
Hockey, William, Kelly, Michael
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US15/258,256
Publication Number

US 20170070500A1
Time in Patent Office

650 Days
Field of Search

None
US Class Current
CPC Class Codes

G06Q 20/385   using an alias or single-us...

H04L 2463/102   applying security measure f...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0892   by using authentication-aut...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

249 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others