3:25-cv-03329
Okta Inc v. Biogy Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Okta, Inc. (Delaware)
  - Defendant: Biogy, Inc. (Delaware)
  - Plaintiff’s Counsel: Fish & Richardson P.C.
- Case Identification: 3:25-cv-03329, N.D. Cal., 06/11/2025
- Venue Allegations: Venue is asserted on the basis that Defendant Biogy is subject to personal jurisdiction in the district, both parties maintain their principal places of business in the district, and a substantial part of the events giving rise to the action, including the creation of the accused products by Plaintiff Okta, occurred in the district.
- Core Dispute: Plaintiff seeks a declaratory judgment that its identity and authentication products do not infringe Defendant's patent related to generating and validating temporary passcodes.
- Technical Context: The technology concerns secure user authentication through time-based one-time passcodes (TOTP), a widely used method for multi-factor authentication in the cybersecurity industry.
- Key Procedural History: This declaratory judgment action arises from Defendant Biogy's enforcement campaign, which includes sending notice letters to Plaintiff Okta's customers and filing a patent infringement lawsuit against at least one customer, Albertsons Companies, Inc., in the Eastern District of Texas, based on their use of Okta's products.
Case Timeline
| Date | Event |
|---|---|
| 2004-12-20 | '236 Patent Priority Date |
| 2009-01-01 | Okta, Inc. founded |
| 2010-02-23 | '236 Patent Issue Date |
| 2024-04-24 | Biogy sends notice letter to Okta customer Albertsons |
| 2025-06-11 | Complaint for Declaratory Judgment filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,669,236 - "DETERMINING WHETHER TO GRANT ACCESS TO A PASSCODE PROTECTED SYSTEM" (Issued Feb. 23, 2010)
The Invention Explained
- Problem Addressed: The patent's background section identifies the difficulty for users in remembering numerous passwords and the susceptibility of static passwords to theft and fraud (U.S. Patent No. 7,669,236, col. 1:40-44).
- The Patented Solution: The invention describes a security system where a user's device generates a temporary passcode. An administrator system then validates this passcode not by simply checking it against a stored value, but by independently generating a passcode from a corresponding "passcode generator" and comparing the two. A central feature is that after a successful use, the system changes or "perturbs" the passcode generator itself, so that the next authentication cycle will use a new generator to produce a new, different passcode ('236 Patent, Abstract; col. 2:56-66; Fig. 8).
- Technical Importance: This method of using single-use passcodes generated from a dynamic, evolving "generator" or "seed" was designed to defeat replay attacks, where an attacker who intercepts a password can use it later, thereby enhancing security over static password systems ('236 Patent, col. 3:10-18).
Key Claims at a Glance
The complaint identifies independent claims 5, 12, and 24, and dependent claim 14, as being asserted by Biogy against Okta's customers (Compl. ¶22).
Independent Claim 12 asserts a method comprising:
- receiving at a machine a passcode from a user;
- retrieving at least one passcode generator from a storage unit associated with the machine;
- generating at least one passcode from the at least one passcode generator;
- determining whether the at least one passcode of the at least one passcode generated matches the passcode received;
- if the one passcode matches the passcode received, ... granting the user access to a secure entity,
- if the one passcode matches the passcode received, ... perturbing the at least one passcode generator of the at least one passcode generator to create a new passcode generator; and
- if the one passcode matches the passcode received, ... storing the new passcode generator in place of the at least one passcode generator.
Independent Claims 5 and 24 claim similar methods involving the generation of temporary passcodes from a "current passcode generator," determining if a received passcode matches, and upon a match, generating and storing a "new passcode generator" in place of the current one ('236 Patent, cl. 5, 24).
The complaint seeks a declaratory judgment of non-infringement for all claims of the '236 Patent (Compl. p. 13, ¶A).
III. The Accused Instrumentality
Product Identification
- The "Okta Accused Products" are identified as a collection of Okta's software and services that "generate or process time-based one-time passcodes ('TOTPs')," including the Okta Identity Engine and Okta Classic Engine (Compl. ¶3, ¶31).
Functionality and Market Context
- The accused products provide "industry-leading identity management and authentication" services, which are used by customers for multi-factor authentication (Compl. ¶2, ¶3).
- The complaint alleges that Biogy's infringement theory targets any implementation of the standard Time-based One-Time Password (TOTP) algorithm, as specified in industry standard RFC 6238 (Compl. ¶18, ¶22). Okta's products are alleged to utilize this algorithm to provide passcodes for its customers (Compl. ¶25, ¶27). The complaint references a screenshot from a Biogy claim chart sent to an Okta customer, which shows a CSS file named "okta-sign-in.min.css" hosted on an Okta server as evidence of infringement (Compl. ¶26, p. 6). This screenshot shows a file directory on an Okta server, with a specific CSS file selected and its contents displayed (Compl. ¶26).
IV. Analysis of Infringement Allegations
The complaint does not contain a traditional infringement claim chart from the plaintiff. Instead, as a declaratory judgment action, it presents a non-infringement chart outlining why Okta's products allegedly do not meet the limitations of the asserted claims. The following table summarizes Okta's asserted non-infringement position for representative independent claim 12.
'236 Patent Infringement Allegations
| Claim Element (from Independent Claim 12) | Alleged Non-Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| retrieving at least one passcode generator from a storage unit associated with the machine | The Accused Products do not practice this element. | ¶43(a) | col. 28:36-39 |
| generating at least one passcode from the at least one passcode generator | The Accused Products do not generate a passcode from a passcode generator. | ¶43(b), ¶46 | col. 28:40-42 |
| if the one passcode matches the passcode received, ... perturbing the at least one passcode generator of the at least one passcode generator to create a new passcode generator | The Accused Products do not perturb a current passcode generator to generate a new passcode generator. | ¶43(e), ¶46 | col. 28:47-51 |
| if the one passcode matches the passcode received, ... storing the new passcode generator in place of the at least one passcode generator | The Accused Products do not store any new passcode generator in place of a current one. | ¶43(f), ¶46 | col. 28:52-55 |
- Identified Points of Contention:
  - Scope Questions: A primary dispute concerns whether the standardized TOTP algorithm (RFC 6238), which allegedly forms the basis of the accused functionality, falls within the scope of the patent's claims (Compl. ¶21, ¶30). Biogy's allegations suggest it believes any implementation of the standard infringes, while Okta contends the '236 patent's claims do not encompass that functionality (Compl. ¶5, ¶8).
  - Technical Questions: The complaint raises a fundamental technical question: does the accused TOTP system, which generates codes from a shared secret and a time-based moving factor, perform the claimed steps of "perturbing" a "passcode generator" to create and store a "new passcode generator"? (Compl. ¶46). Okta’s position is that its system does not perform these specific algorithmic steps as claimed in the patent.
V. Key Claim Terms for Construction
The Term: "passcode generator"
- Context and Importance: This term is foundational to all asserted independent claims. The claims require a specific lifecycle: retrieving a generator, using it to create a passcode, and then modifying it to create a new generator for subsequent use. Practitioners may focus on this term because its construction will determine whether a static shared secret key, as is common in standard TOTP implementations, can be considered a "passcode generator" that is itself changed or perturbed, as the patent appears to require.
- Intrinsic Evidence for a Broader Interpretation: The specification defines the term broadly, stating a passcode generator "can be a string of characters or other form of a code" ('236 Patent, col. 9:11-13). This could support an interpretation covering a wide range of data structures.
- Intrinsic Evidence for a Narrower Interpretation: The patent's flowcharts and detailed descriptions consistently depict a process where the generator (Gᵢ) is explicitly transformed into a new generator (Gᵢ₊₁) via a function (f) after each successful authentication ('236 Patent, Fig. 8, step 806; Fig. 9, step 916; col. 20:65-67). This may support a narrower construction requiring a dynamic data object that is itself altered, rather than a static key used with a changing external input like time.
The Term: "perturbing"
- Context and Importance: This active verb from claim 12 is critical for defining the mechanism of creating a "new passcode generator." Okta's non-infringement argument relies on its products not performing this step (Compl. ¶46). The dispute will likely center on whether the progression of time in a TOTP system constitutes "perturbing" the generator.
- Intrinsic Evidence for a Broader Interpretation: The specification provides examples of "perturbing" functions that include simple arithmetic like adding 1 or other algorithmic combinations ('236 Patent, col. 21:1-6). This could suggest that any predictable, algorithmic state change could qualify as "perturbing."
- Intrinsic Evidence for a Narrower Interpretation: The specification describes the "perturbing method" as a function f that is applied directly to the generator Gᵢ to produce Gᵢ₊₁ ('236 Patent, col. 10:44-45; col. 20:65-67). This language may support a construction requiring a direct modification of the stored generator data itself, which may be technically distinct from how a standard TOTP algorithm uses a static shared secret with an external, changing time value as joint inputs.
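The two state models contrasted in this section, as an added illustration that is not code from the complaint, the patent, or Okta: an RFC 6238 verifier whose stored secret is never rewritten, next to a verifier that replaces its stored generator Gᵢ with f(Gᵢ) after each match. The class names, the SHA-256 passcode derivation, and the per-step replay guard are assumptions made for the sketch; it does not describe either party's actual system or any specific embodiment of the patent.

```python
import hashlib, hmac, struct

RFC_SECRET = b"12345678901234567890"  # published RFC 6238 test secret (SHA-1)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; RFC 6238 TOTP is HOTP with counter = unix_time // step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Static shared secret plus an external moving factor (time)."""
    def __init__(self, secret: bytes, step: int = 30, digits: int = 8):
        self.secret, self.step, self.digits = secret, step, digits
        self.last_counter = -1  # assumption: accept at most once per time step

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_counter:
            return False  # replay of an already-accepted time step
        if not hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
            return False
        self.last_counter = counter  # the secret itself is never rewritten
        return True

class PerturbingVerifier:
    """Stored generator G_i is replaced by G_{i+1} = f(G_i) after each match."""
    def __init__(self, generator: bytes):
        self.generator = generator

    @staticmethod
    def passcode(generator: bytes) -> str:
        # Assumption: SHA-256 derivation; the page does not specify one.
        return hashlib.sha256(b"passcode|" + generator).hexdigest()[:8]

    @staticmethod
    def perturb(generator: bytes) -> bytes:
        # Assumption: f = "add 1" (an example the page cites), with wraparound.
        size = len(generator)
        return ((int.from_bytes(generator, "big") + 1) % (1 << 8 * size)).to_bytes(size, "big")

    def verify(self, code: str) -> bool:
        if not hmac.compare_digest(self.passcode(self.generator), code):
            return False
        self.generator = self.perturb(self.generator)  # new generator stored in place of old
        return True
```

In the first class the only value that changes between authentications is the time-derived counter; in the second, the stored generator bytes themselves differ after every successful match.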
VI. Other Allegations
- Indirect Infringement: Okta seeks a judgment of non-infringement for inducement (Compl. ¶41). The complaint states that Biogy's accusations against Okta's customers are effectively claims that Okta induces infringement by "providing the Okta Accused Products to customers and instructing them on the use" of the allegedly infringing functionality (Compl. ¶36).
- Willful Infringement: The complaint does not contain allegations of willfulness.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the claim term "passcode generator", which the patent describes as being "perturbed" or "changed" after each use, be construed to read on the static shared secret key used in a standard TOTP algorithm like RFC 6238?
- A key evidentiary question will be one of functional operation: does the accused Okta system perform the specific, multi-step method recited in the claims—retrieving a generator, using it, and then algorithmically altering the generator itself to create and store a new one—or is there a fundamental mismatch between the claimed method and the accused system’s actual technical implementation?