DCT
2:25-cv-08317
Coinbase Inc v. Dynapass Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Coinbase, Inc. (Delaware)
  - Defendant: Dynapass Inc. and Dynapass IP Holdings LLC (Delaware)
  - Plaintiff’s Counsel: Jones Day
- Case Identification: 2:25-cv-08317, C.D. Cal., 09/03/2025
- Venue Allegations: Plaintiff alleges venue is proper because Defendants are subject to personal jurisdiction in the district, deeming them to reside there, and because a substantial part of the events giving rise to the claims occurred in the district.
- Core Dispute: Plaintiff Coinbase seeks a declaratory judgment that it does not infringe, and that the claims are invalid, for a patent related to two-factor user authentication technology that Defendant Dynapass has asserted against it.
- Technical Context: The patent addresses methods for securing access to computer systems by requiring users to present both a secret passcode and a temporary token sent to a personal device like a mobile phone.
- Key Procedural History: The complaint notes that on July 12, 2024, the U.S. Patent and Trademark Office, in an Inter Partes Review (IPR), found claim 5 of the patent-in-suit unpatentable, a decision Dynapass did not appeal. The complaint also references a letter from Dynapass asserting the patent against Coinbase and citing successful enforcement against other companies.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | ’658 Patent Priority Date |
| 2006-01-31 | ’658 Patent Issue Date |
| 2018-01-01 (approx.) | Coinbase allegedly began requiring 2FA for all users |
| 2020-03-06 | ’658 Patent Expiration Date |
| 2024-07-12 | USPTO finds claim 5 of the ’658 Patent unpatentable in IPR proceeding |
| 2025-07-18 | Dynapass sends letter to Coinbase alleging infringement |
| 2025-09-03 | Complaint for Declaratory Judgment filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
- Patent Identification: U.S. Patent No. 6,993,658, “Use of Personal Communication Devices for User Authentication,” issued January 31, 2006.
The Invention Explained
- Problem Addressed: The patent addresses the security weaknesses of traditional user ID and password systems, which are vulnerable to guessing and often lead users to write down complex passwords, compromising security, particularly for remote access to secure networks (’658 Patent, col. 1:12-42).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a device the user already possesses, such as a mobile phone. To log in, a user combines a secret passcode (something they know) with a temporary, randomly generated "token" (something they have) that is sent to their personal device over a separate network like a cellular network. This combination forms a new, one-time-use password to access the secure system (’658 Patent, Abstract; col. 2:1-16). Figure 1 illustrates the architecture, showing a user (108) receiving a token (156) on their device (106) from a server (102) and using it to log into a secure system (110) (’658 Patent, FIG. 1).
- Technical Importance: This approach sought to provide the benefits of two-factor authentication without requiring users to carry a dedicated, single-purpose hardware token, instead utilizing the increasingly common personal mobile phone (’658 Patent, col. 1:55-60).
Key Claims at a Glance
- The complaint asserts non-infringement of all claims and specifically reproduces independent claim 1 (Compl. ¶18, ¶22).
- The essential elements of independent claim 1 include:
  - Associating a user with a personal communication device (e.g., cell phone) on a second network, different from the first secure computer network.
  - Receiving a request from the user for a token via the personal communication device.
  - Generating a new password for the first network based on the token (which is unknown to the user) and a passcode (which is known to the user).
  - Setting the password associated with the user to be the new password.
  - Activating access to the user account.
  - Transmitting the token to the personal communication device.
  - Receiving the password from the user via the first secure network.
  - Deactivating access to the account within a predetermined amount of time.
- The complaint does not explicitly reserve the right to assert dependent claims, as it is a declaratory judgment action seeking non-infringement of all claims (Compl. ¶25).
III. The Accused Instrumentality
Product Identification
- The instrumentality accused by Dynapass is Coinbase's implementation of two-factor authentication (2FA) technology for its commercial services and website platforms (Compl. ¶10).
Functionality and Market Context
- The complaint alleges that Dynapass's infringement accusations relate to Coinbase's use of 2FA technology, which Coinbase has required for all its users since at least 2018 (Compl. ¶10). The complaint does not provide specific technical details regarding the operation of Coinbase's 2FA system, as its purpose is to deny infringement rather than map the system's features to the patent's claims.
IV. Analysis of Infringement Allegations
The complaint seeks a declaratory judgment of non-infringement and therefore does not contain a traditional infringement claim chart. Instead, it identifies specific claim limitations that Coinbase's system allegedly does not meet. The complaint provides no probative visual evidence.
’658 Patent Non-Infringement Allegations
| Claim Element (from Independent Claim 1 and others) | Basis for Non-Infringement Allegation | Complaint Citation | Patent Citation |
|---|---|---|---|
| generating a new password for said first secure computer network based at least upon the token and a passcode... | The complaint asserts that Coinbase's system does not perform this function, but does not provide technical details of its system's operation. | ¶23 | col. 11:53-57 |
| setting a password associated with the user to be the new password | The complaint asserts that Coinbase's system does not perform this function. | ¶23 | col. 12:1-2 |
| receiving the password from the user via the first secure computer network | The complaint asserts that Coinbase's system does not perform this function. | ¶23 | col. 12:6-7 |
| a control module... configured to create a new password based at least upon a token and a passcode... | The complaint asserts that Coinbase's system does not contain a module configured to perform this function. | ¶23 | col. 12:28-32 |
| the control module further configured to set a password associated with the user to be the new password | The complaint asserts that Coinbase's system does not contain a module configured to perform this function. | ¶23 | col. 12:32-35 |
| an authentication module configured to receive the password from the user through a secure computer network | The complaint asserts that Coinbase's system does not contain a module configured to perform this function. | ¶23 | col. 12:38-40 |
Identified Points of Contention
- Functional Questions: The core dispute appears to center on the mechanism of authentication. A primary question is whether Coinbase's 2FA system "generates" and "sets" a new account password for the user with each login, as recited in the claims, or whether it uses a one-time code merely to authorize a login session without altering the user's underlying account password.
- Scope Questions: The complaint's denial raises the question of whether the term "password" as used in the patent can be construed to cover the temporary, one-time codes used in many modern 2FA systems.
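The operational difference behind these two questions, and the claim 1 steps listed in Section II, can be modeled in a few lines. This is an added sketch, not code from the complaint, the patent, or either party's system. The class names, the concatenation of passcode and token, and the SHA-256 stand-in for a password hash are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def digest(s: str) -> str:
    # Stand-in for a real password hash; enough to compare stored records here.
    return hashlib.sha256(s.encode()).hexdigest()

class ClaimStyleServer:
    """Models the claim 1 steps as summarized above (hypothetical class)."""
    def __init__(self, ttl=60):
        self.ttl, self.users = ttl, {}

    def enroll(self, user, passcode):
        self.users[user] = {"passcode": passcode, "password": None, "until": 0}

    def request_token(self, user, now):
        rec = self.users[user]
        token = secrets.token_hex(4)                        # user has not seen it yet
        rec["password"] = digest(rec["passcode"] + token)   # generate and set
        rec["until"] = now + self.ttl                       # activate, with a deadline
        return token                                        # sent via the second network

    def login(self, user, password, now):
        rec = self.users[user]
        ok = (rec["password"] is not None and now < rec["until"]
              and hmac.compare_digest(rec["password"], digest(password)))
        if ok:
            rec["until"] = 0                                # one-time use: deactivate
        return ok

class SessionCodeServer:
    """Generic one-time-code check; the stored password is never rewritten."""
    def __init__(self, ttl=60):
        self.ttl, self.passwords, self.pending = ttl, {}, {}

    def enroll(self, user, password):
        self.passwords[user] = digest(password)

    def send_code(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, now + self.ttl)         # kept beside, not in, the record
        return code

    def login(self, user, password, code, now):
        sent, until = self.pending.pop(user, ("", 0))       # code is consumed on use
        pw_ok = hmac.compare_digest(self.passwords[user], digest(password))
        return pw_ok and now < until and hmac.compare_digest(sent, code)
```

In the first model every token request rewrites the user's stored password record; in the second the record is untouched and only a short-lived pending code is created and consumed.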
V. Key Claim Terms for Construction
The Term
- "generating a new password ... based at least upon the token and a passcode" and "setting a password associated with the user to be the new password"
Context and Importance
- These related terms appear central to the dispute, as Coinbase explicitly denies infringing them (Compl. ¶23). The case may turn on whether creating a temporary authentication code for a single session constitutes "generating" and "setting" a "new password" for the user's account on the secure network. Practitioners may focus on this distinction, as it highlights a potential operational difference between the patented method and modern 2FA implementations.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patent describes the process in sequence: "token server generates password," then "token server updates password and activates user account in user database" (’658 Patent, FIG. 3, steps 306-308). This could support an argument that any server-side creation and acceptance of a temporary code for login constitutes "generating" and "setting" a password for that session.
- Evidence for a Narrower Interpretation: The claim language recites "setting a password associated with the user to be the new password" and later "deactivating access to the user account" after a time (’658 Patent, col. 12:1-2, 12:10-12). This could suggest a process that formally replaces the user's stored password in a database and later invalidates it, a more complex operation than simply validating a one-time code for a single login event.
VI. Other Allegations
- Invalidity: Coinbase alleges that the claims of the ’658 Patent are invalid under 35 U.S.C. §§ 101, 102, and/or 103 (Compl. ¶27-28). It specifically notes that the USPTO found claim 5 unpatentable in an IPR proceeding and argues the remaining claims are invalid for at least the same reasons (Compl. ¶27). Coinbase also alleges the claims are directed to the abstract idea of verifying a user's identity and fail to recite an inventive concept under Alice (Compl. ¶28).
- Exceptional Case: In its prayer for relief, Coinbase requests a finding that the case is exceptional under 35 U.S.C. § 285, which would entitle it to an award of attorneys' fees (Compl., p. 8).
VII. Analyst’s Conclusion: Key Questions for the Case
This declaratory judgment action appears poised to address several fundamental questions at the intersection of claim interpretation and evolving technology.
- A core issue will be one of functional mismatch: Does the patented method—which recites "generating a new password" and "setting a password" for the user's account—accurately describe the operation of modern 2FA systems, like the one used by Coinbase, which may use temporary codes to authorize a session without modifying the user's underlying account credentials?
- A second key question will be one of invalidity in view of post-grant review: What precedential or persuasive effect will the USPTO's IPR decision finding claim 5 unpatentable have on the court's analysis of the validity of the remaining asserted claims, particularly independent claim 1?
- Finally, the case will present a question of litigation conduct: Will Dynapass's decision to pursue this infringement claim against Coinbase, subsequent to the adverse IPR ruling and patent expiration, support Coinbase's request for a finding that this is an exceptional case warranting an award of attorneys' fees?