Search

US-12621285-B2 - Systems and methods for using partial cookies for electronic authentication and authorization

US12621285B2US 12621285 B2US12621285 B2US 12621285B2US-12621285-B2

Abstract

The methods and systems disclosed herein allow for faster and more efficient authentication using a partial cookie instead of a full cookie (or other data structure). In one example, a server receives, during the first browser session at the first time, a first request for authorization from an electronic device along with authentication information. Responsive to generating a profile using the authentication information, the server transmits to the electronic device a first data source configured to grant access to the profile to the electronic device, via a first authentication protocol; and receives, at a second browser session at a second time, from the electronic device, a second request for authorization to access the profile; responsive to a determination that the electronic device includes the first data source, the server executes a secondary authentication protocol.

Inventors

  • Jiwon Kim
  • Jose Carlos MATIAS
  • Ernesto Carvajal LASTRES
  • Suhas Hoskote Muralidhar

Assignees

  • Stripe, LLC

Dates

Publication Date
20260505
Application Date
20240424

Claims (16)

  1. 1 . A system, comprising: one or more processors coupled to non-transitory memory, the one or more processors configured to: receive, during a first browser session at a first time, a first request for authorization from an electronic device; receive authentication information associated with an end-user of the electronic device; responsive to generating a profile for the end-user using the authentication information, during the first browser session and prior to receiving the authentication information again, transmit, to the electronic device, a first data source configured to grant a first level of access to the profile via a first authentication protocol, wherein the first level of access grants partial access to the profile; receive, at a second browser session at a second time, from the electronic device, a second request for authorization to access the profile; identify a first attribute associated with the second request; responsive to a determination that the electronic device includes the first data source, transmit a first notification to an authorized device associated with the profile; upon receiving a response to the first notification that the electronic device has been successfully authenticated, transmit, to the electronic device, a second data source configured to grant a second level of access to the profile via a second authentication protocol having fewer authentication prompts than the first authentication protocol, wherein the second level of access grants full access to the profile; receive, at a third browser session at a third time, from the electronic device, a third request for authorization to access the profile; identify a second attribute associated with the third request; when the first attribute does not match the second attribute, transmit a second notification to the electronic device indicating suspicious activity associated with the profile; and upon determining that the electronic device includes the second data source and receiving a response to the second notification, grant full access to the profile via the second authentication protocol.
  2. 2 . The system of claim 1 , wherein the one or more processors are further configured to: generate the profile to store the authentication information associated with the end-user of the electronic device; and generate the first data source to grant partial access to the profile during the first browser session via the first authentication protocol.
  3. 3 . The system of claim 1 , wherein the first data source or the second data source is configured to grant partial or full access to the profile for a defined period of time.
  4. 4 . The system of claim 1 , wherein the one or more processors are further configured to embed a code within the first notification, the code including a plurality of alphanumeric values.
  5. 5 . The system of claim 1 , wherein the authentication information comprises at least one of an electronic mail address, credit card information, debit card information, a cardholder name, a phone number, or a region.
  6. 6 . The system of claim 1 , wherein the one or more processors are further configured to: when the first attribute does not match the second attribute, revoke the second data source.
  7. 7 . The system of claim 1 , wherein the first attribute or the second attribute is one of at least a geographical location, an internet protocol address of the electronic device, or an operating system of the electronic device.
  8. 8 . The system of claim 1 , wherein the one or more processors are further configured to determine that the electronic device includes the first data source by retrieving the first data source from memory of the electronic device.
  9. 9 . A method, comprising: receiving, by one or more processors during a first browser session at a first time, a first request for authorization from an electronic device; receiving, by the one or more processors, authentication information associated with an end-user of the electronic device; responsive to generating a profile for the end-user using the authentication information, during the first browser session and prior to receiving the authentication information again, transmitting, by the one or more processors, to the electronic device a first data source configured to grant a first level of access to the profile via a first authentication protocol, wherein the first level of access grants partial access to the profile; receiving, by the one or more processors, at a second browser session at a second time, from the electronic device, a second request for authorization to access the profile; identifying, by the one or more processors, a first attribute associated with the second request; responsive to a determination that the electronic device includes the first data source, transmitting, by the one or more processors, a first notification to an authorized device associated with the profile; upon receiving a response to the first notification that the electronic device has been successfully authenticated, transmitting, by the one or more processors, to the electronic device a second data source configured to grant a second level of access to the profile via a second authentication protocol having fewer authentication prompts than the first authentication protocol, wherein the second level of access grants full access to the profile; receiving, by the one or more processors at a third browser session at a third time, from the electronic device, a third request for authorization to access the profile; identifying, by the one or more processors, a second attribute associated with the third request; when the first attribute does not match the second attribute, transmitting, by the one or more processors, a second notification to the electronic device indicating suspicious activity associated with the profile; and upon determining that the electronic device includes the second data source and receiving a response to the second notification, granting, by the one or more processors, full access to the profile via the second authentication protocol.
  10. 10 . The method of claim 9 , further comprising: generating, by the one or more processors, the profile to store the authentication information associated with the end-user of the electronic device; and generating, by the one or more processors, the first data source to grant partial access to the profile during the first browser session, via the first authentication protocol.
  11. 11 . The method of claim 9 , wherein the first data source or the second data source is configured to grant partial or full access to the profile for a defined period of time.
  12. 12 . The method of claim 9 , wherein transmitting the first notification to the authorized device further comprises embedding, by the one or more processors, a code within the first notification, the code including a plurality of alphanumeric values.
  13. 13 . The method of claim 9 , wherein the authentication information comprises at least one of an electronic mail address, credit card information, debit card information, a cardholder name, a phone number, and a region.
  14. 14 . The method of claim 9 , further comprising: when the first attribute does not match the second attribute, revoking, by the one or more processors, the second data source.
  15. 15 . The method of claim 9 , wherein the first attribute or the second attribute is one of at least a geographical location, internet protocol address of the electronic device, or an operating system of the electronic device.
  16. 16 . The method of claim 9 , further comprising determining, by the one or more processors, that the electronic device includes the first data source.

Description

TECHNICAL FIELD This application relates generally to using data structures (e.g., cookies) for electronic authentication and authorization. BACKGROUND Systems often use cookies to capture extensive user data, including personal information, login credentials, browsing history, and interaction patterns. Full-data cookies offer enhanced customization and convenience for users by providing seamless authentication. As a result, many use cookies to mark an electronic device as safe or authorized to access various data records. However, extensive data stored within full data cookies increases the risk of unauthorized access and misuse. For instance, a misplaced cookie (while ensuring easy access to the account for the right person) can also allow bad actors to have access to an account that is otherwise not accessible. Accordingly, if an entity uses cookies, the entity must ensure that the cookie is transmitted to the user's device correctly and at the right time. For instance, some entities transmit the cookie when the user has provided both a username and password to an account. SUMMARY For the aforementioned reasons, there is a desire for systems and methods to use cookies to ease the user's access to certain information (e.g., accessing an account). Using the methods and systems discussed herein, an entity can use partial cookies to expedite the login process while not compromising security. The methods and systems discussed herein allow for efficient and secure protection of user data, such that users are no longer required to enter their entire authentication information. Using partial cookies allows for securing the data of unverified users prior to using a full cookie (e.g., prior to receiving full authentication information). As used herein, the partial cookie may include any type of session IDs and basic browsing information that may be provided to secure the data of the user. Using the systems and methods described herein, one or more processors (e.g., a server or cloud computer environment) can receive, during a first browser session at the first time, a request to authorize a payment from a computer, phone, tablet, or other computing device. The request may be, for example, a payment authorization request, a payment capture request, a payment funds request, or any other type of secure transaction. The one or more processors can receive authentication information corresponding to a user of the computing device. The systems and methods described herein, can use the authentication information to generate a profile to secure any data of the user and transmit a partial cookie to the computing device to grant access to the profile via a first authentication protocol. The partial cookie can show redacted information of the profile to protect the data within the profile in the event that another user accesses the computing device. Because these techniques do not rely on conventional approaches for using partial cookies, the approaches described herein do not suffer from the memory and bandwidth constraints of conventional systems. Using the systems and methods described herein, the partial cookie can securely be distributed to the computing device and used to access the profile prior to verifying the user. Using the partial cookie in this manner does not require costly full cookie operations and is, therefore, more efficient with regard to time and computing resources. In an embodiment, a system comprises one or more processors coupled with non-transitory memory. The one or more processors can receive, during a first browser session at a first time, a first request for authorization from an electronic device; receive authentication information associated with an end-user of the electronic device; responsive to generating a profile for the end-user using the authentication information, during the first browser session and prior to receiving the authentication information again, transmit to the electronic device a first data source configured to grant access to the profile via a first authentication protocol; receive, at a second browser session at a second time, from the electronic device, a second request for authorization to access the profile; responsive to a determination that the electronic device includes the first data source, transmit a first notification to an authorized device associated with the profile; and upon receiving a response to the first notification, transmit to the electronic device a second data source configured to grant access to the profile via a second authentication protocol. In some embodiments, the one or more processors are further configured to generate the profile to store the authentication information associated with the end-user of the electronic device; and generate the first data source to grant access to the profile during the first browser session via the first authentication protocol. In some embodiments, the one or more processors are further configured to determine