Delegated administration of permissions using a contactless card

US 10,970,712 B2
Filed: 03/21/2019
Issued: 04/06/2021
Est. Priority Date: 03/21/2019
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor circuit; and

a memory storing an application and instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of;

receiving a first request comprising a first account, a second account, and a computing resource, the computing resource comprising one or more of;

(i) the application, (ii) a data, and (iii) an operation;

receiving, from a first contactless card, permissions data of the first account and encrypted data;

transmitting the permissions data and the encrypted data to an authentication server;

receiving, from the authentication server, a result that the authentication server decrypted the encrypted data;

receiving, from the authentication server, a permissions vector of the second account, the permissions vector comprising a plurality of entries;

determining, based on the permissions vector of the second account, that the second account was granted access to the computing resource;

receiving a second request comprising the second account and the computing resource;

granting the second account access to the computing resource based on the permissions vector of the second account;

disabling a first feature of the computing resource based on a first entry of the plurality of entries of the permissions vector for the second account; and

providing a second feature of the computing resource based on a second entry of the plurality of entries of the permissions vector for the second account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Delegated administration of permissions using a contactless card. In one example, a permissions module may receive a request from a first account to grant a second account access to a computing resource. The permissions module may receive permissions data of the first account from a contactless card and encrypted data generated by the contactless card. The permissions module may transmit the permissions data and the encrypted data to an authentication server, which may verify the encrypted data based at least in part on the private key, and determine, based on the permissions data, that the first account has permissions to grant access to the computing resource. The permissions module may receive, from the authentication server, an indication of the verification of the encrypted data and a permissions vector associated with the second account, the permissions vector reflecting the grant of access to the computing resource to the second account.

549 Citations

20 Claims

1. A system, comprising:
- a processor circuit; and
  
  a memory storing an application and instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of;
  
  receiving a first request comprising a first account, a second account, and a computing resource, the computing resource comprising one or more of;
  
  (i) the application, (ii) a data, and (iii) an operation;
  
  receiving, from a first contactless card, permissions data of the first account and encrypted data;
  
  transmitting the permissions data and the encrypted data to an authentication server;
  
  receiving, from the authentication server, a result that the authentication server decrypted the encrypted data;
  
  receiving, from the authentication server, a permissions vector of the second account, the permissions vector comprising a plurality of entries;
  
  determining, based on the permissions vector of the second account, that the second account was granted access to the computing resource;
  
  receiving a second request comprising the second account and the computing resource;
  
  granting the second account access to the computing resource based on the permissions vector of the second account;
  
  disabling a first feature of the computing resource based on a first entry of the plurality of entries of the permissions vector for the second account; and
  
  providing a second feature of the computing resource based on a second entry of the plurality of entries of the permissions vector for the second account.
- View Dependent Claims (2, 3, 4, 5, 20)
- - 2. The system of claim 1, the memory storing instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of:
    - determining, based on the permissions vector of the second account, that the second account is authorized to access the computing resource.
  - 3. The system of claim 2, wherein the computing resource comprises the application, wherein the second request comprises the application, the memory storing instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of:
    - receiving a third request comprising the second account and the operation, the operation comprising one or more of;
      
      (i) a purchase request, (ii) a credit request, and (iii) a request to transfer funds; and
      
      determining, based on the permissions vector of the second account, that the second account is not authorized to perform the operation based on at least in part on an amount specified by the third request exceeds a maximum amount specified by the permissions vector.
  - 4. The system of claim 1, the memory storing instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of, prior to receiving the first request:
    - receiving a third request comprising the second account and the computing resource;
      
      receiving, from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, from the authentication server, a second result that the authentication server decrypted the encrypted data received from the second contactless card; and
      
      receiving, from the authentication server, a third result that the authentication server decrypted the digital signature was based on a public key.
  - 5. The system of claim 1, wherein the permissions data is received from the contactless card according to at least one of near field communication (NFC), Bluetooth, and Wi-Fi, wherein the computing resource comprises the application, wherein the first and second features comprise a first interface and a second interface of the application, respectively.
  - 20. The system of claim 1, the memory storing instructions which when executed by the processor circuit, cause the processor circuit to perform the steps of:
    - receiving a third request comprising the second account and the computing resource;
      
      receiving, from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, from the authentication server, a second result that the authentication server did not decrypt the encrypted data received from the second contactless card; and
      
      rejecting the third request based on the second result.

6. A method, comprising:
- receiving, by an application executing on a device, a first request comprising a first account, a second account, and a computing resource, the computing resource comprising one or more of;
  
  (i) the application, (ii) a data, and (iii) an operation;
  
  receiving, by the application from a first contactless card, permissions data of the first account and encrypted data;
  
  transmitting, by the application, the permissions data and the encrypted data to an authentication server;
  
  receiving, by the application from the authentication server, a result that the authentication server decrypted the encrypted data;
  
  receiving, by the application from the authentication server, a permissions vector of the second account, the permissions vector comprising a plurality of entries;
  
  determining, by the application based on the permissions vector of the second account, that the second account was granted access to the computing resource;
  
  receiving, by the application, a second request comprising the second account and the computing resource;
  
  granting, by the application, the second account access to the computing resource based on the permissions by of the second account;
  
  disabling, by the application, a first feature of the computing resource based on a first entry of the plurality of entries of the permissions vector for the second account; and
  
  providing, by the application, a second feature of the computing resource based on a second entry of the plurality of entries of the permissions vector for the second account.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The method of claim 6, further comprising:
    - determining, by the application based on the permissions vector of the second account, that the second account is authorized to access the computing resource.
  - 8. The method of claim 7, wherein the computing resource comprises the application, wherein the second request comprises the application, the method further comprising:
    - receiving, by the application, a third request comprising the second account and the operation, the operation comprising one or more of;
      
      (i) a purchase request, (ii) a credit request, and (iii) a request to transfer funds; and
      
      determining, by the application based on the permissions vector of the second account, that the second account is not authorized to perform the operation based on at least in part on an amount specified by the third request exceeds a maximum amount specified by the permissions vector.
  - 9. The method of claim 6, further comprising prior to receiving the first request:
    - receiving, by the application, a third request comprising the second account and the computing resource;
      
      receiving, by the application from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting, by the application, the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, by the application from the authentication server, a second result that the authentication server decrypted the encrypted data received from the second contactless card; and
      
      receiving, by the application from the authentication server, a third result that the authentication server decrypted the digital signature was based on a public key.
  - 10. The method of claim 6, wherein the permissions data is received from the contactless card according to at least one of near field communication (NFC), Bluetooth, and Wi-Fi, wherein the computing resource comprises the application, wherein the first and second features comprise a first interface and a second interface of the application, respectively.
  - 11. The method of claim 6, further comprising:
    - receiving, by the application, a third request comprising the second account and the computing resource;
      
      receiving, by the application from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting, by the application, the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, by the application from the authentication server, a second result that the authentication server did not decrypt the encrypted data received from the second contactless card; and
      
      rejecting, by the application, the third request based on the second result.
  - 12. The method of claim 6, further comprising:
    - receiving, by the application, a third request comprising the first account and a second computing resource;
      
      receiving, by the application from the first contactless card, a second encrypted data;
      
      transmitting, by the application, the second encrypted data to the authentication server;
      
      receiving, by the application from the authentication server, a second result that the authentication server did not decrypt the second encrypted data; and
      
      rejecting, by the application, the third request based on the second result.
  - 13. The method of claim 6, further comprising:
    - receiving, by the application, a third request comprising the first account, the second account, and a second computing resource;
      
      determining, by the application based on the permissions vector for the first account, that the first account does not have access to the second computing resource; and
      
      rejecting, by the application, the third request based on the determination that the first account does not have access to the second computing resource.

14. A non-transitory computer-readable storage medium storing computer-readable program code which when executed by a processor causes the processor to perform the steps of:
- receiving a first request comprising a first account, a second account, and a computing resource, the computing resource comprising one or more of;
  
  (i) an application, (ii) a data, and (iii) an operation;
  
  receiving, from a first contactless card, permissions data of the first account and encrypted data;
  
  transmitting the permissions data and the encrypted data to an authentication server;
  
  receiving, from the authentication server, a result that the authentication server decrypted the encrypted data;
  
  receiving, from the authentication server, a permissions vector of the second account, the permissions vector comprising a plurality of entries;
  
  determining, based on the permissions vector of the second account, that the second account was granted access to the computing resource;
  
  receiving a second request comprising the second account and the computing resource;
  
  granting the second account access to the computing resource based on the permissions vector of the second account;
  
  disabling a first feature of the computing resource based on a first entry of the plurality of entries of the permissions vector for the second account; and
  
  providing a second feature of the computing resource based on a second entry of the plurality of entries of the permissions vector for the second account.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-readable storage medium of claim 14, storing computer-readable program code which when executed by the processor causes the processor to perform the steps of:
    - determining, based on the permissions vector of the second account, that the second account is authorized to access the computing resource.
  - 16. The computer-readable storage medium of claim 15, wherein the computing resource comprises the application, wherein the second request comprises the application, the medium further storing computer-readable program code which when executed by the processor causes the processor to perform the steps of:
    - receiving a third request comprising the second account and the operation, the operation comprising one or more of;
      
      (i) a purchase request, (ii) a credit request, and (iii) a request to transfer funds; and
      
      determining, based on the permissions vector of the second account, that the second account is not authorized to perform the operation based on at least in part on an amount specified by the third request exceeds a maximum amount specified by the permissions vector.
  - 17. The computer-readable storage medium of claim 14, further storing computer-readable program code which when executed by the processor causes the processor to perform the steps of:
    - receiving a third request comprising the second account and the computing resource;
      
      receiving, from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, from the authentication server, a second result that the authentication server decrypted the encrypted data received from the second contactless card; and
      
      receiving, from the authentication server, a third result that the authentication server decrypted the digital signature was based on a public key.
  - 18. The computer-readable storage medium of claim 14, wherein the permissions data is received from the contactless card according to at least one of near field communication (NFC), Bluetooth, and Wi-Fi, wherein the computing resource comprises the application, wherein the first and second features comprise a first interface and a second interface of the application, respectively.
  - 19. The computer-readable storage medium of claim 14, further storing computer-readable program code which when executed by the processor causes the processor to perform the steps of:
    - receiving a third request comprising the second account and the computing resource;
      
      receiving, from a second contactless card of the second account, encrypted data and a digital signature;
      
      transmitting the encrypted data and the digital signature received from the second contactless card to the authentication server;
      
      receiving, from the authentication server, a second result that the authentication server did not decrypt the encrypted data received from the second contactless card; and
      
      rejecting the third request based on the second result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Rule, Jeffrey, Miller, Walter A.
Primary Examiner(s)
Hewitt, II, Calvin L
Assistant Examiner(s)
Shahabi, Arastoo (Ari)

Application Number

US16/360,149
Publication Number

US 20200304311A1
Time in Patent Office

747 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/604   Tools and structures for ma...

G06Q 20/352   Contactless payments by cards

G06Q 20/3829   involving key management

G06Q 20/405   Establishing or using trans...

G06Q 2220/00   Business processing using c...

H04L 9/3234   involving additional secure...

Delegated administration of permissions using a contactless card

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

549 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Delegated administration of permissions using a contactless card

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

549 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links