DCT
3:25-cv-03330
Microsoft Corp v. Biogy Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Microsoft Corporation (Washington)
  - Defendant: Biogy, Inc. (Delaware)
  - Plaintiff’s Counsel: Fish & Richardson P.C.
- Case Identification: 3:25-cv-03330, N.D. Cal., 04/14/2025
- Venue Allegations: Plaintiff Microsoft alleges venue is proper in the Northern District of California because Defendant Biogy "resides" in the district, maintaining its principal place of business in San Francisco.
- Core Dispute: Plaintiff seeks a declaratory judgment that its Microsoft Entra ID product, and its customers' use thereof, does not infringe Defendant's patent related to generating and authenticating temporary passcodes.
- Technical Context: The technology concerns secure authentication systems, specifically methods for generating single-use or temporary passcodes to protect access to a secure entity, a key component of modern multi-factor authentication (MFA).
- Key Procedural History: The complaint states that this action arises from Defendant Biogy sending notice letters and claim charts to Microsoft's customers, alleging infringement. Biogy has also filed a patent infringement lawsuit against at least one Microsoft customer, Albertsons Companies, Inc., in the Eastern District of Texas, based on the same patent and accused functionality. These actions by Biogy form the basis for Microsoft's claim that a justiciable controversy exists, warranting a declaratory judgment.
Case Timeline
| Date | Event | 
|---|---|
| 2004-12-20 | Priority Date for U.S. Patent No. 7,669,236 | 
| 2010-02-23 | Issue Date for U.S. Patent No. 7,669,236 | 
| 2024-04-24 | Biogy sends exemplary notice letter to Microsoft customer Albertsons | 
| 2025-04-14 | Microsoft files Complaint for Declaratory Judgment | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,669,236 - DETERMINING WHETHER TO GRANT ACCESS TO A PASSCODE PROTECTED SYSTEM
- Patent Identification: U.S. Patent No. 7,669,236, "DETERMINING WHETHER TO GRANT ACCESS TO A PASSCODE PROTECTED SYSTEM," issued February 23, 2010 (the ’236 Patent).
The Invention Explained
- Problem Addressed: The patent's background section identifies the difficulty for users in remembering many different passwords and the susceptibility of conventional passwords to theft and fraud (col. 1:40-44).
- The Patented Solution: The invention describes a two-part security system comprising a user's "passcode device" and a back-end "administrator" (col. 1:52-54; FIG. 1A). To gain access, a user's device generates a temporary passcode from an internal, evolving state variable called a "passcode generator" (col. 9:10-15). The administrator validates the submitted passcode by independently generating its own passcode from its synchronized version of the user's passcode generator. Crucially, after a successful authentication, both the user's device and the administrator update or "perturb" their respective passcode generators to a new state, ensuring the next passcode will be different (col. 1:56-62, col. 21:5-14).
- Technical Importance: This approach creates a "one-time passcode" system where the underlying secret (the "passcode generator") is not static but evolves with each use, which may offer enhanced security over systems that rely on a fixed secret (col. 4:5-19).
Key Claims at a Glance
- The complaint identifies independent claims 5, 12, and 24 as being asserted by Biogy (Compl. ¶¶19, 27).
- Independent Claim 5 recites a method comprising:
  - generating, via a machine, a passcode that is valid temporarily, wherein the passcode is based on information associated with a user;
  - determining whether an attempted access is permitted, based on the passcode generated, by at least determining whether the passcode generated matches a passcode received;
  - wherein the generating of the passcode includes generating a current passcode generator based on the information, and generating the passcode from the current passcode generator.
- Independent Claim 12 recites a method comprising:
  - receiving at a machine a passcode from a user;
  - retrieving at least one passcode generator from a storage unit associated with the machine;
  - generating at least one passcode from the at least one passcode generator;
  - determining whether the generated passcode matches the received passcode;
  - if there is a match, granting access, perturbing the passcode generator to create a new passcode generator, and storing the new passcode generator.
- The complaint notes that Microsoft seeks a declaratory judgment of non-infringement of any claim of the ’236 Patent (Compl. ¶26).
III. The Accused Instrumentality
Product Identification
- Microsoft Entra ID, a cloud-based identity and access management service (Compl. ¶2).
Functionality and Market Context
- The specific functionality at issue is the product's ability to generate and process Time-based One-Time Passcodes ("TOTPs") for multi-factor authentication (Compl. ¶2).
- The complaint alleges that Biogy's infringement theory is not specific to Microsoft's implementation but targets any use of the industry-standard TOTP algorithm, as defined by RFC 6238 (Compl. ¶¶18-19). Microsoft provides this functionality to its customers, and also uses it internally (Compl. ¶¶4, 11).
IV. Analysis of Infringement Allegations
Microsoft's complaint seeks a declaratory judgment of non-infringement. The following tables summarize Microsoft's asserted non-infringement positions for key limitations of the independent claims.
No probative visual evidence provided in complaint.
’236 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Non-Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| generating, via a machine, a passcode that is valid temporarily, wherein the passcode is based on information associated with a user | The Accused Product does not base a passcode or a generator on "information associated with a user," such as biometric data. | ¶28(a), ¶32 | col. 3:25-30 | 
| generating a current passcode generator based on the information | The Accused Product does not generate a "passcode generator" from user information. | ¶28(c), ¶32 | col. 9:8-10 | 
| generating the passcode from the current passcode generator | The Accused Product does not generate a passcode from a "current passcode generator" as contemplated by the patent. | ¶28(d), ¶32 | col. 9:36-39 | 
’236 Patent Infringement Allegations
| Claim Element (from Independent Claim 12) | Alleged Non-Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| retrieving at least one passcode generator from a storage unit associated with the machine | The Accused Product does not retrieve a "passcode generator" as claimed. | ¶29(a) | col. 9:10-15 | 
| if the one passcode matches the passcode received, ... perturbing the at least one passcode generator of the at least one passcode generator to create a new passcode generator | The Accused Product does not "perturb" a current passcode generator to generate a new one. | ¶29(e), ¶32 | col. 20:62-66 | 
| if the one passcode matches the passcode received, ... storing the new passcode generator in place of the at least one passcode generator | The Accused Product does not store a new passcode generator in place of a prior one after a successful login. | ¶29(f), ¶32 | col. 22:10-14 | 
Identified Points of Contention
- Scope Questions: The primary dispute appears to be a mismatch between the patent's specific architecture and the operation of the industry-standard TOTP algorithm. A central question for the court will be whether the term "passcode generator" can be construed to read on the static "shared secret" used in a standard TOTP system.
- Technical Questions: A key factual question is whether the accused TOTP functionality performs the specific claimed steps of dynamically updating its state. Does the accused system "perturb" a "passcode generator" to create a new one after each use, or does it rely on a static secret combined with a time-based moving factor, as is typical for TOTP? Microsoft's complaint argues it does the latter, which it contends is outside the scope of the claims (Compl. ¶32).
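The two state models contrasted above, sketched in Python as an added illustration; this is not code from the complaint, the ’236 Patent, or Microsoft Entra ID. `TotpVerifier` follows RFC 6238 (with the RFC's published test secret), while `EvolvingVerifier` is a hypothetical reading of the "perturb the generator after a match" description, and its use of SHA-256 for both steps is an assumption.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the moving factor is the time step, not the secret."""
    return hotp(secret, unix_time // step, digits)

class TotpVerifier:
    """Static-secret model: verification never rewrites the stored secret."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # replay marker only (RFC 6238 section 5.2)

    def verify(self, code: str, unix_time: int, step: int = 30) -> bool:
        current = unix_time // step
        if current <= self.last_step:
            return False  # a code from an already-used time step is rejected
        if not hmac.compare_digest(code, hotp(self.secret, current)):
            return False
        self.last_step = current
        return True

class EvolvingVerifier:
    """State-evolving model: on a match the generator G_i is replaced by f(G_i).
    Using SHA-256 for f and for passcode derivation is an assumption."""
    def __init__(self, generator: bytes):
        self.generator = generator

    def passcode(self) -> str:
        return hashlib.sha256(b"passcode" + self.generator).hexdigest()[:8]

    def verify(self, code: str) -> bool:
        if not hmac.compare_digest(code, self.passcode()):
            return False
        self.generator = hashlib.sha256(b"perturb" + self.generator).digest()
        return True

RFC_SECRET = b"12345678901234567890"  # published RFC 6238 test secret (SHA-1)
```

After a successful `verify`, `TotpVerifier.secret` is byte-for-byte unchanged and the next code differs only because the time step advances; `EvolvingVerifier.generator` is overwritten, so the next code differs because the stored state itself changed.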
V. Key Claim Terms for Construction
The Term: "passcode generator"
- Context and Importance: This term is the central, evolving element of the claimed invention. Its definition is critical because standard TOTP systems use a static "shared secret," and the infringement case may turn on whether a static secret can be considered a "passcode generator" that is "perturbed," as required by claims like claim 12.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification provides a somewhat general definition, stating a passcode generator "can be a string of characters or other form of a code similar to registration code R or a passcode" (col. 9:11-13).
  - Evidence for a Narrower Interpretation: The patent consistently describes the generator as a dynamic entity that is updated or changed after use. FIG. 8 (element 806) explicitly shows a step to "Change the Passcode Generator," and the specification describes this with the equation "f(G_i)=G_i+1" (col. 9:43-44). The term "perturbing" in claim 12 further supports a dynamic, non-static interpretation.
The Term: "based on information associated with a user"
- Context and Importance: Practitioners may focus on this term because Microsoft explicitly denies that its product bases passcodes on such information (Compl. ¶32). The dispute will likely involve whether a standard TOTP shared secret, which is associated with a user's account but often randomly generated, meets this limitation.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim language itself is facially broad and does not explicitly limit the type of "information."
  - Evidence for a Narrower Interpretation: The specification provides specific, personal examples of such information, including "fingerprints, a name, a birthday, a favorite number, a social security number, and/or a driver's license" (col. 3:25-28). Dependent claim 2 further specifies "biometric data." This context may support a narrower construction limited to user-specific, identifying data rather than a generic shared secret.
VI. Other Allegations
Indirect Infringement
- Microsoft seeks a declaratory judgment that it does not indirectly infringe the ’236 Patent (Compl. ¶26). The complaint states that Biogy has accused Microsoft's customers of direct infringement for their use of Microsoft Entra ID. This posture makes Microsoft a potential target for claims of induced infringement, based on allegations that it provides the accused product and instructs customers on how to use its allegedly infringing TOTP functionality (Compl. ¶¶4, 24).
Willful Infringement
- This being a declaratory judgment action, there is no allegation of willfulness against Microsoft. However, Microsoft requests that the case be found "exceptional" under 35 U.S.C. § 285, entitling it to attorneys' fees (Prayer for Relief, ¶B). This suggests Microsoft believes Biogy's infringement allegations, as communicated in letters to its customers, are baseless or asserted in bad faith.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technical scope: Does the industry-standard Time-based One-Time Passcode (TOTP) algorithm, which relies on a static shared secret and a time-based moving factor, practice the methods claimed in the ’236 Patent, which repeatedly describe a dynamic "passcode generator" that is "perturbed" and updated after each successful authentication?
- A key question of claim construction will determine the outcome: Can the term "information associated with a user," in the context of a specification that provides examples of biometric and personal data, be interpreted broadly enough to cover a system's randomly-generated shared secret that is merely linked to a user account?
- An overarching question will be whether the patent claims a specific, state-evolving security architecture or if it can be read to cover the general field of temporary passcodes, including the widely adopted TOTP standard. The court's resolution of these questions will likely decide the non-infringement issue.