DCT
2:25-cv-03640
Avatier IP LLC v. Microsoft Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Avatier IP, LLC (Delaware)
  - Defendant: Microsoft Corporation (Washington)
  - Plaintiff’s Counsel: Perkowski Legal, PC; Daignault Iyer LLP
- Case Identification: 2:25-cv-03640, C.D. Cal., 04/24/2025
- Venue Allegations: Plaintiff alleges venue is proper because Microsoft maintains regular and established places of business in the district, conducts substantial business in the state, and has committed acts of infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s Microsoft Authenticator and Microsoft Entra product families infringe eight patents related to mobile device-based authentication, secure access control, and aggregator technology for web applications.
- Technical Context: The technology at issue is in the field of identity and access management (IAM), a critical component of enterprise and consumer cybersecurity, with a focus on modern authentication methods like passwordless and multi-factor authentication.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history between the parties concerning the patents-in-suit.
Case Timeline
| Date | Event | 
|---|---|
| 2006-10-24 | Earliest Priority Date for ’103 and ’166 Patents | 
| 2012-07-17 | U.S. Patent No. 8,225,103 Issues | 
| 2013-07-30 | U.S. Patent No. 8,499,166 Issues | 
| 2015-02-24 | Earliest Priority Date for ’941, ’750, ’207, ’397, ’715, and ’273 Patents | 
| 2017-06-20 | U.S. Patent No. 9,686,273 Issues | 
| 2018-05-22 | U.S. Patent No. 9,979,715 Issues | 
| 2020-04-14 | U.S. Patent No. 10,623,397 Issues | 
| 2021-11-09 | U.S. Patent No. 11,171,941 Issues | 
| 2021-11-09 | U.S. Patent No. 12,250,207 Issues | 
| 2023-11-07 | U.S. Patent No. 11,811,750 Issues | 
| 2025-04-24 | Complaint Filing Date | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,171,941 - "Mobile Device Enabled Desktop Tethered and Tetherless Authentication"
- Patent Identification: U.S. Patent No. 11,171,941, "Mobile Device Enabled Desktop Tethered and Tetherless Authentication," issued November 9, 2021.
The Invention Explained
- Problem Addressed: The patent addresses limitations of existing authentication methods, such as proximity-based logins (e.g., Bluetooth), which can create security vulnerabilities if the proximity device is stolen and brought near the target computer (’941 Patent, col. 1:47-54). It also addresses the broader challenge of managing federated identities across different enterprise networks (’941 Patent, col. 1:62-67).
- The Patented Solution: The invention describes a system centered on a "cloud clearinghouse" that links a user's identity to their mobile device (’941 Patent, Abstract). This system allows a user to authenticate to a laptop or desktop computer using their mobile device, even if the primary computer is not connected to the internet. Authentication can occur through a "tethered" connection (e.g., USB) or a "tetherless" one (e.g., Bluetooth, local Wi-Fi) by leveraging the mobile device's connectivity to the cloud server (’941 Patent, col. 2:25-34; Fig. 16).
- Technical Importance: This approach provides a method for secure, multi-factor authentication that decouples the authentication process from the primary computing device's own internet connection, enhancing security and flexibility for a mobile workforce (’941 Patent, Abstract).
Key Claims at a Glance
- The complaint asserts independent claim 1 and dependent claims 2-9 (Compl. ¶91).
- Independent Claim 1 is a method claim with the following essential elements:
  - Receiving and storing, at a cloud universal identification server, a plurality of identifying attributes for a user.
  - Receiving and storing registration information associating a mobile device with the user's attributes.
  - During a login process, receiving a request at the cloud server to authenticate the login process at the computing device, where the request comes from "credential provider code" previously installed on the computing device.
  - The request indicates the mobile device was selected for authentication.
  - Confirming the identity of the computing device by matching it against previously registered devices.
  - Retrieving a protocol for communicating with the mobile device.
  - Transmitting "at least three authentication factors" to the mobile device for authentication.
  - Receiving data from the mobile device that satisfies the authentication factors.
  - Transmitting authentication data to the computing device's credential provider code to complete a successful login.
U.S. Patent No. 11,811,750 - "Mobile Device Enabled Desktop Tethered and Tetherless Authentication"
- Patent Identification: U.S. Patent No. 11,811,750, "Mobile Device Enabled Desktop Tethered and Tetherless Authentication," issued November 7, 2023.
The Invention Explained
- Problem Addressed: As a continuation of the application leading to the ’941 Patent, this patent addresses the same technical problems related to the security risks of proximity-based authentication and the complexities of federated identity management (’750 Patent, col. 1:50-57).
- The Patented Solution: The patent discloses a virtually identical solution to the ’941 Patent, centered on a "cloud clearinghouse" that uses a mobile device to authenticate a user to a separate computing device (’750 Patent, Abstract). It enables authentication whether the target computer is online or offline by using various communication protocols between the computer and the mobile device, which in turn communicates with the cloud server (’750 Patent, col. 2:28-37).
- Technical Importance: The invention provides a flexible framework for multi-factor authentication that enhances security by centralizing identity verification through a cloud service while allowing for local, offline login scenarios (’750 Patent, Abstract).
Key Claims at a Glance
- The complaint asserts independent claim 1 and dependent claims 2-9 (Compl. ¶109).
- Independent Claim 1 is a method claim with elements substantially similar to Claim 1 of the ’941 Patent, including:
  - Receiving and storing user and device attributes at a cloud universal identification server.
  - Receiving a request from "credential provider code" on a computing device to authenticate a login process.
  - Confirming the computing device's identity.
  - Retrieving a communication protocol and transmitting "an authentication factor" to the mobile device.
  - Receiving data satisfying the authentication factor from the mobile device.
  - Transmitting authentication data to the computing device to complete the login.
Multi-Patent Capsule: U.S. Patent No. 8,225,103 - "Controlling Access to a Protected Network"
- Patent Identification: U.S. Patent No. 8,225,103, "Controlling Access to a Protected Network," issued July 17, 2012.
- Technology Synopsis: The patent describes a system where a network access control module restricts access to a protected network. A user initiates access via a "communication device" (e.g., a phone) which transmits a unique identifier to the module for authentication; upon success, the module submits log-on information directly to the user's computer to grant access (Compl. ¶¶34-37).
- Asserted Claims: Claims 10-17 (Compl. ¶127).
- Accused Features: The complaint alleges that Microsoft Authenticator's use of a QR code, scanned by a mobile app to authenticate a user and grant access to Microsoft accounts on a computer, infringes this patent (Compl. ¶129).
Multi-Patent Capsule: U.S. Patent No. 8,499,166 - "Controlling Access to A Protected Network"
- Patent Identification: U.S. Patent No. 8,499,166, "Controlling Access to A Protected Network," issued July 30, 2013.
- Technology Synopsis: This patent is a continuation of the application for the ’103 Patent and describes a nearly identical system for controlling network access. A communication device sends a unique identifier to a network access control module, which authenticates the device and user before submitting log-on information to the user's computer (Compl. ¶¶42-45).
- Asserted Claims: Claims 11-18 (Compl. ¶138).
- Accused Features: The infringement allegations are substantially the same as for the ’103 Patent, focusing on the QR code-based authentication process in Microsoft Authenticator (Compl. ¶140).
Multi-Patent Capsule: U.S. Patent No. 10,623,397 - "Aggregator Technology Without Usernames and Passwords"
- Patent Identification: U.S. Patent No. 10,623,397, "Aggregator Technology Without Usernames and Passwords," issued April 14, 2020.
- Technology Synopsis: The patent describes a method where a user signs into an "aggregator" system using a third-party social login identity provider. The system then automatically creates a "secret username and secret, highly secured generated password," both inaccessible to the user, and maps the social login to this secret identity for accessing web applications (’397 Patent, Abstract; Compl. ¶¶70-74).
- Asserted Claims: Claims 1-3 (Compl. ¶149).
- Accused Features: The complaint accuses Microsoft Entra products of infringement by providing access to web applications over a network using social login identity providers like Google or Facebook (Compl. ¶¶151, 152).
Multi-Patent Capsule: U.S. Patent No. 9,686,273 - "Aggregator Technology Without Usernames and Passwords"
- Patent Identification: U.S. Patent No. 9,686,273, "Aggregator Technology Without Usernames and Passwords," issued June 20, 2017.
- Technology Synopsis: This patent, from the same family as the ’397 Patent, describes a similar aggregator system where a user logs in via a third-party identity provider, and the system generates a private, inaccessible user identity to manage access to applications (Compl. ¶¶166-172, incorporating by reference earlier allegations).
- Asserted Claims: Claims 1-7 (Compl. ¶163).
- Accused Features: The complaint targets Microsoft Entra's system for allowing users to log into third-party applications using a selectable login identity provider (Compl. ¶¶166-167).
Multi-Patent Capsule: U.S. Patent No. 9,979,715 - "Aggregator Technology Without Usernames and Passwords"
- Patent Identification: U.S. Patent No. 9,979,715, "Aggregator Technology Without Usernames and Passwords," issued May 22, 2018.
- Technology Synopsis: Also from the same family as the ’397 and ’273 Patents, this patent covers similar aggregator technology for providing access to web applications via social logins while managing a private user identity internally (Compl. ¶¶179-186, incorporating by reference earlier allegations).
- Asserted Claims: Claims 1-4 (Compl. ¶176).
- Accused Features: The allegations are directed at the Microsoft Entra system's functionality for federated and social identity login (Compl. ¶¶178-179).
Multi-Patent Capsule: U.S. Patent No. 12,250,207 - "Mobile Device Enabled Desktop Tethered and Tetherless Authentication"
- Patent Identification: U.S. Patent No. 12,250,207, "Mobile Device Enabled Desktop Tethered and Tetherless Authentication," issued November 9, 2021.
- Technology Synopsis: This patent is from the same family as the ’941 and ’750 Patents and covers the same core technology: a cloud clearinghouse that uses a mobile device for tethered or tetherless authentication to a separate computing device (Compl. ¶¶79-80).
- Asserted Claims: Claims 1-9 (Compl. ¶190).
- Accused Features: The infringement allegations are substantially the same as those for the ’941 and ’750 Patents, targeting the functionality of the Microsoft Authenticator products (Compl. ¶¶193-202).
III. The Accused Instrumentality
- Product Identification: The accused products are collectively referred to as the "Microsoft Authenticator Products" (Compl. ¶90). This includes the Microsoft Authenticator application for mobile devices (iOS, Android) and the Microsoft Entra family of identity and network access products, such as Entra ID, Entra Domain Services, and Entra External ID (Compl. ¶¶81, 84-89).
- Functionality and Market Context: The Microsoft Authenticator app is a core component of Microsoft's security ecosystem, enabling multi-factor and passwordless authentication for Microsoft and third-party accounts (Compl. ¶¶81-82). It allows users to approve sign-in requests on a computer by interacting with a prompt on their trusted mobile device, using methods like a single tap, PIN, fingerprint, or face recognition (Compl. ¶81.c). The Microsoft Entra product suite provides a comprehensive enterprise-level identity and access management (IAM) platform that uses the Authenticator app and allows organizations to manage user access, implement Zero Trust security policies, and federate identities with external partners and social login providers (Compl. ¶¶84, 88).
IV. Analysis of Infringement Allegations
’941 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving and storing, at a cloud universal identification server having a digital storage, a plurality of identifying attributes associated with a user and one or more identifying attributes associated with a computing device | Microsoft’s cloud servers receive and store user attributes (e.g., credentials) when a user sets up a work or school account and device attributes when a device is marked as trusted. A screenshot shows instructions for adding a trusted device (Compl. p. 19). | ¶95 | col. 12:10-21 | 
| receiving and storing, at the cloud universal identification server, registration information that associates a mobile device with the plurality of identifying attributes associated with the user | During setup, the user installs the Authenticator app on a mobile device and associates it with their account, for example by scanning a QR code, thereby storing registration information linking the device to the user's identity. This setup process is depicted in a screenshot showing the QR code scan step (Compl. p. 20). | ¶96 | col. 12:22-27 | 
| during a login process to the computing device associated with the user, receiving, at the cloud universal identification server, a request to authenticate the login process at the computing device | When a user initiates a sign-in on a computer, Microsoft’s servers receive a request to authenticate that login process. | ¶98 | col. 12:28-32 | 
| the request being received from credential provider code that was previously installed on the computing device | The request is alleged to be received from the Authenticator app, which was previously installed on the computing device via a web browser. | ¶99 | col. 12:33-35 | 
| wherein the request indicates that the mobile device was selected for authentication purposes | The user's selection of a passwordless or multi-factor sign-in method, which relies on the Authenticator app, indicates that the mobile device was selected for authentication. | ¶101 | col. 12:38-40 | 
| confirming, at the cloud universal identification server, the identity of computing device of the request for authentication by positively matching the identity of the computing device with one of previously registered computing devices | Microsoft’s system checks if the sign-in attempt is from a trusted device by matching its identity information against a list of previously registered devices. | ¶102 | col. 12:41-47 | 
| transmitting, by the cloud universal identification server...at least three authentication factors associated with the user...for delivery to the mobile device | Microsoft’s servers transmit authentication factors to the user’s mobile device, such as a prompt to enter a displayed number. A screenshot shows a prompt on a mobile device to select the number "72" displayed on the computer screen (Compl. p. 25). | ¶104 | col. 12:51-64 | 
| upon receiving, at the cloud universal identification server and from the mobile device, data that satisfies the authentication factor, transmitting for delivery to the credential provider code...authentication data causing the authentication to the process to be successful | After the user provides the correct input on the mobile device (e.g., tapping the correct number), the mobile device sends satisfying data to the server, which then transmits authentication data back to the computer to complete the login. | ¶105 | col. 12:65-13:4 | 
’750 Patent Infringement Allegations
The complaint alleges infringement of the ’750 Patent by incorporating by reference its allegations for the ’941 Patent, indicating an identical theory of infringement (Compl. ¶¶114-123).
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving and storing, at a cloud universal identification server having a digital storage, a plurality of identifying attributes associated with a user and one or more identifying attributes associated with a computing device | Microsoft’s cloud servers receive and store user and device attributes when a user sets up an account and registers a trusted device. | ¶114 | col. 22:2-7 | 
| receiving and storing, at the cloud universal identification server, registration information that associates a mobile device with the plurality of identifying attributes associated with the user | The Microsoft Authenticator setup process registers and stores information associating the user’s mobile device with their account identity. | ¶115 | col. 22:8-13 | 
| receiving, at the cloud universal identification server, a request to authenticate a process at the computing device | When a user signs in on a computer, a request is sent to Microsoft’s servers to authenticate the process. | ¶116 | col. 22:16-19 | 
| the request being received from credential provider code that was previously installed on the computing device | The request originates from the Authenticator system, which is alleged to constitute credential provider code installed on the computing device. | ¶117 | col. 22:20-22 | 
| wherein the request indicates that the mobile device was selected for authentication purposes | The user's choice to use the Authenticator app for sign-in serves as the indication that the mobile device was selected for authentication. | ¶119 | col. 22:26-28 | 
| confirming, at the cloud universal identification server, the identity of computing device...by positively matching the identity of the computing device with one of previously registered computing devices | The system confirms the identity of the device attempting to log in by checking it against a list of registered trusted devices. | ¶120 | col. 22:29-35 | 
| transmitting, by the cloud universal identification server...an authentication factor associated with the user...for delivery to the mobile device | Microsoft's servers transmit an authentication challenge, such as a push notification or a number-matching prompt, to the user's mobile device. | ¶122 | col. 22:42-49 | 
| upon receiving, at the cloud universal identification server and from the mobile device, data that satisfies the authentication factor, transmitting for delivery to the credential provider code...authentication data causing the authentication to the process to be successful | Upon successful user interaction with the prompt on the mobile device, data is sent to the server, which then sends the necessary authentication data to the computer to grant access. | ¶123 | col. 22:50-58 | 
Identified Points of Contention
- Scope Questions: A primary question may be the interpretation of "credential provider code that was previously installed on the computing device." The complaint’s theory appears to treat the mobile Authenticator app as the "credential provider code," but this code resides on the mobile device, not the "computing device" (the laptop/desktop) being logged into. The defense may argue a fundamental mismatch between the claimed architecture and the accused system's operation.
- Technical Questions: Claim 1 of the ’941 Patent requires the transmission of "at least three authentication factors." It is a point for factual dispute whether Microsoft’s system, particularly in a simple push notification scenario, transmits the required number of distinct factors. The complaint’s evidence shows number matching, which could be argued as one factor, and a question remains as to what other factors are transmitted as required by the claim.
V. Key Claim Terms for Construction
- The Term: "at least three authentication factors" (’941 Patent, Claim 1)
  - Context and Importance: This term is critical because the number of factors required by the claim may not be met by the accused product's common use cases, such as a single push notification approval. The viability of the infringement allegation against the ’941 Patent may depend on whether implicit data points (e.g., device ID, location data) are counted as "authentication factors" under the patent's definition.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The specification provides a non-exhaustive list of authentication methods, including "biometrics, social informational data, questions and answers, and more," suggesting the term is not limited to a narrow set of user-provided inputs (’941 Patent, col. 2:25-28).
    - Evidence for a Narrower Interpretation: The detailed description of an exemplary embodiment involves a user providing their favorite color, car model, and a fingerprint, which are three distinct pieces of information supplied for a single authentication event, potentially suggesting three discrete and user-verifiable data points are required (’941 Patent, col. 13:8-13).
- The Term: "credential provider code that was previously installed on the computing device" (’941 and ’750 Patents, Claim 1)
  - Context and Importance: This term is central to whether the accused system's architecture meets the claim limitations. Microsoft's Authenticator app resides on a mobile device, which communicates with the computing device (e.g., a laptop). Practitioners may focus on this term because if "the computing device" is construed to mean only the laptop, then code installed on the mobile phone would not meet this limitation.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The patent states that in one embodiment, "an application is installed on the laptop or desktop to recognize the mobile device," and separately that "a credential provider is installed on the user's PC, laptop, Mac, or similar device" (’941 Patent, col. 9:19-24). This could support an interpretation where the "credential provider code" is a distributed system with components on both the computing device and the mobile device.
    - Evidence for a Narrower Interpretation: The claim language distinguishes between the "computing device" and the "mobile device." A narrow reading would require the specific "credential provider code" that receives the final authentication data to be located on the computing device itself, not on the mobile device used for authentication.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement for all asserted patents. The basis for this allegation is that Microsoft provides the accused products and services along with instructions, user manuals, and technical support documents (which are cited extensively in the complaint) that allegedly direct and encourage customers to use the products in an infringing manner (Compl. ¶¶92, 110).
- Willful Infringement: The complaint makes a conclusory allegation of willful infringement in the prayer for relief (Compl. ¶207.i) but does not plead any specific facts demonstrating that Microsoft had pre-suit knowledge of the patents-in-suit.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural mapping: can Avatier demonstrate that Microsoft’s system, where the primary authentication application resides on a mobile phone, meets the claim limitation requiring a "credential provider code...previously installed on the computing device" that is being logged into? This may become a central dispute over claim scope and construction.
- A key evidentiary question will be one of functional satisfaction: does the accused Microsoft Authenticator system, in its various modes of operation (e.g., push notification, number matching), actually transmit the "at least three authentication factors" required by Claim 1 of the ’941 Patent? The definition of "authentication factor" and the technical evidence of what data is transmitted will be critical.
- For the patents related to "aggregator technology," a central question will be whether the functionality of Microsoft Entra as an enterprise identity hub—which federates access to various applications—is equivalent to the claimed method of creating a "secret username and secret, highly secured generated password" that is "unknown and inaccessible to the user." The case may turn on whether Entra’s technical implementation aligns with this specific claimed solution.