Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts
First Claim
1. A system comprising:
a first computing device associated with a user;
a second computing device associated with an institution; and
a third computing device associated with a permissions manager, wherein:
the third computing device is in communication with a fourth computing device associated with an external application;
the first computing device is configured to:
execute a plug-in comprising javascript code provided by the second computing device or the third computing device;
receive, from the user and via the plug-in, account credentials associated with an account of the user held by the institution;
communicate the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and
not store the account credentials;
the second computing device is configured to:
receive, from the first computing device, information associated with an authorization request, the information including at least:
the account credentials,
an indication of the account of the user held by the institution, and
an indication of the external application as being associated with the authorization request;
generate at least:
an electronic record of the information including the account credentials, and
a token associated with the electronic record; and
provide the token to the first computing device via the plug-in executing on the first computing device;
the first computing device is further configured to:
via the plug-in, receive the token and communicate the token to the third computing device;
the third computing device is configured to:
receive the token, wherein the token is associated with the institution, the external application, and the account of the user;
receive, from the fourth computing device, a request for account data associated with the account of the user; and
in response to receiving the request for account data from the fourth computing device:
identify the token as being associated with the external application and the account of the user; and
communicate, to the second computing device associated with the institution, the token and the request for account data;
the second computing device is further configured to:
receive, from the third computing device, the token and the request for account data;
verify, using the token, authorization of the external application to receive the account data;
access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and
communicate, to the third computing device, the account data associated with the account of the user; and
the third computing device is further configured to:
receive, from the second computing device, the account data; and
communicate the account data to the fourth computing device, and
wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
Abstract
A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user's account.
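The flow recited in the first claim, together with the de-authorization described in the abstract, as an added sketch that is not part of the patent or any implementation of it: the institution keeps the credentials in a token-keyed record, the permissions manager holds the token on the external application's behalf, and the application only ever receives account data. All class, method and account names and the sample values are constructed for illustration; authentication of the external application to the permissions manager is assumed to happen elsewhere.

```javascript
const crypto = require("crypto");

// Second device (institution): keeps credentials in a record keyed by token.
class Institution {
  constructor(accounts) { this.accounts = accounts; this.records = new Map(); }
  login(accountId, credentials) {           // stand-in for real account access
    const acct = this.accounts[accountId];
    if (!acct || acct.password !== credentials) throw new Error("bad credentials");
    return acct;
  }
  authorize({ credentials, accountId, appId }) {
    this.login(accountId, credentials);
    const token = crypto.randomBytes(32).toString("hex");
    this.records.set(token, { credentials, accountId, appId, revoked: false });
    return token;
  }
  revoke(token) { const r = this.records.get(token); if (r) r.revoked = true; }
  fetchData(token, appId) {
    const r = this.records.get(token);
    if (!r || r.revoked || r.appId !== appId) throw new Error("not authorized");
    const acct = this.login(r.accountId, r.credentials); // stored credentials
    return { accountId: r.accountId, balance: acct.balance };
  }
}

// Third device (permissions manager): maps (app, account) to the token.
class PermissionsManager {
  constructor(institution) { this.institution = institution; this.tokens = new Map(); }
  registerToken(token, appId, accountId) { this.tokens.set(`${appId}|${accountId}`, token); }
  handleAppRequest(appId, accountId) {
    const token = this.tokens.get(`${appId}|${accountId}`);
    if (!token) throw new Error("no authorization on file");
    return this.institution.fetchData(token, appId); // app receives data only
  }
}

function runFlow() {
  const bank = new Institution({ "acct-1": { password: "constructed-pw", balance: 1250 } });
  const pm = new PermissionsManager(bank);
  // First device (plug-in): forwards credentials, relays token, stores neither.
  const token = bank.authorize({ credentials: "constructed-pw", accountId: "acct-1", appId: "budget-app" });
  pm.registerToken(token, "budget-app", "acct-1");
  const data = pm.handleAppRequest("budget-app", "acct-1"); // fourth device's view
  bank.revoke(token);                                        // user de-authorizes
  let afterRevoke = "served";
  try { pm.handleAppRequest("budget-app", "acct-1"); } catch (e) { afterRevoke = e.message; }
  return { token, data, afterRevoke };
}
```

Because revocation flips a flag on the institution's record, the permissions manager's copy of the token becomes useless without any change on the external application's side.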
14 Claims
8. A computer-implemented method comprising:
by a first computing device comprising one or more processors executing program instructions, the first computing device being associated with a user:
executing a plug-in comprising javascript code provided by a second computing device or the third computing device;
receiving, from the user and via the plug-in, account credentials associated with an account of the user held by the institution;
communicating the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and
not storing the account credentials;
by the second computing device comprising one or more processors executing program instructions, the second computing device being associated with an institution:
receiving, from the first computing device, information associated with an authorization request, the information including at least:
the account credentials,
an indication of the account of the user held by the institution, and
an indication of the external application as being associated with the authorization request;
generating at least:
an electronic record of the information including the account credentials, and
a token associated with the electronic record; and
providing the token to the first computing device via the plug-in executing on the first computing device;
further by the first computing device:
via the plug-in, receiving the token and communicate the token to a third computing device;
by the third computing device comprising one or more processors executing program instructions, the third computing device being associated with a permissions manager:
receiving the token, wherein the token is associated with the institution, the external application, and the account of the user;
receiving, from a fourth computing device, a request for account data associated with the account of the user, the fourth computing device being associated with an external application; and
in response to receiving the request for account data from the fourth computing device:
identifying the token as being associated with the external application and the account of the user; and
communicating, to the second computing device associated with the institution, the token and the request for account data;
further by the second computing device:
receiving, from the third computing device, the token and the request for account data;
verifying, using the token, authorization of the external application to receive the account data;
accessing the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and
communicating, to the third computing device, the account data associated with the account of the user; and
further by the third computing device:
receiving, from the second computing device, the account data; and
communicating the account data to the fourth computing device, and
wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application.
Specification