DCT

3:25-cv-04957

Microsoft Corp v. Biogy Inc

Log In

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 3:25-cv-04957, N.D. Cal., 06/11/2025
  • Venue Allegations: Venue is asserted on the basis that Defendant Biogy, Inc. has its principal place of business in San Francisco, California, and is therefore deemed to "reside" in the Northern District of California.
  • Core Dispute: Plaintiff Microsoft seeks a declaratory judgment that its multi-factor authentication products, which utilize the public RFC 6238 standard for time-based one-time passcodes, do not infringe Defendant Biogy's patent related to generating and updating temporary passcodes.
  • Technical Context: The technology concerns secure user authentication, a critical component of cybersecurity for enterprise and consumer services, which often relies on standardized methods for generating single-use codes.
  • Key Procedural History: The complaint states that Defendant Biogy has sent letters to Microsoft's customers alleging infringement of the patent-in-suit and has filed a lawsuit against at least one customer, Albertsons Companies, Inc., in the Eastern District of Texas. These actions, coupled with direct communications to Microsoft's counsel, form the basis for the declaratory judgment action.

Case Timeline

Date Event
2004-12-20 ’236 Patent Priority Date
2010-02-23 ’236 Patent Issue Date
2024-04-24 Biogy sends exemplary notice letter to Microsoft customer Albertsons
2025-06-11 Complaint for Declaratory Judgment Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,669,236 - "Determining Whether to Grant Access to a Passcode Protected System"

  • Patent Identification: U.S. Patent No. 7,669,236, "Determining Whether to Grant Access to a Passcode Protected System," issued February 23, 2010.

The Invention Explained

  • Problem Addressed: The patent's background section identifies the difficulty for users in remembering numerous passwords and the susceptibility of static passwords to theft and fraud (ʼ236 Patent, col. 1:40-44).
  • The Patented Solution: The invention describes a system where a user's device generates a temporary, one-time passcode. An administrator system authenticates this passcode not by looking it up, but by independently generating its own passcode using a corresponding "passcode generator" and comparing the two. A central feature is that after a successful authentication, the system "changes" or "perturbs" the passcode generator (e.g., Gi+1=f(Gi)) so that the next authentication cycle will use a new generator to produce a different passcode ('236 Patent, Abstract; Fig. 8; col. 6:1-12).
  • Technical Importance: The described approach aims to enhance security by ensuring passcodes are temporary and single-use, thus limiting the utility of an intercepted passcode without requiring the user to remember complex, changing credentials ('236 Patent, col. 3:10-24).

Key Claims at a Glance

  • The complaint identifies claims 5, 12, 14, and 24 as being at issue (Compl. ¶28). The independent claims are 12 and 24.
  • Independent Claim 12 includes these essential elements:
    • retrieving at least one passcode generator from a storage unit associated with the machine;
    • generating at least one passcode from the at least one passcode generator;
    • determining whether the generated passcode matches a received passcode;
    • if there is a match, granting access;
    • if there is a match, perturbing the passcode generator to create a new passcode generator; and
    • if there is a match, storing the new passcode generator in place of the old one.
  • Independent Claim 24 includes these essential elements:
    • after a registration process, receiving a request for access from a user with a "user-generated passcode";
    • in response, an automated administrator generates an "administrator-generated passcode" from a "current passcode generator";
    • determining if the user-generated and administrator-generated passcodes match;
    • if they match, permitting access;
    • generating a new passcode generator from the current passcode generator; and
    • storing the new passcode generator.

III. The Accused Instrumentality

Product Identification

  • Microsoft Entra ID (a cloud-based identity and access management service) and Microsoft Authenticator (an application for account sign-in), collectively the "Accused Products" (Compl. ¶¶ 2-4).

Functionality and Market Context

  • The relevant functionality of the Accused Products is the generation and processing of time-based one-time passcodes (TOTPs) for multi-factor authentication (Compl. ¶¶ 9-10).
  • The complaint alleges that Biogy's infringement accusations are based on the Accused Products' implementation of the public "RFC 6238 Standard" (Compl. ¶6). Microsoft's online documentation, cited by Biogy, confirms that Microsoft Entra ID supports "OATH-TOTP SHA-1 and SHA-256 tokens that refresh codes every 30 or 60 seconds" (Compl. ¶8). This positions the technical dispute around the operation of a widely adopted industry standard.

IV. Analysis of Infringement Allegations

Microsoft’s complaint seeks a declaratory judgment of non-infringement. The following table summarizes Microsoft’s position by mapping the elements of an exemplary independent claim to Microsoft's assertion that its products do not perform the claimed steps.

’236 Patent Infringement Allegations

Claim Element (from Independent Claim 24) Alleged Non-Infringing Functionality Complaint Citation Patent Citation
generating, via a machine that runs an automated administrator, an administrator-generated passcode...from a current passcode generator... Microsoft alleges the Accused Products do not generate a passcode from a "current passcode generator" in the manner required by the patent. ¶49 col. 32:12-20
generating a new passcode generator from the current passcode generator Microsoft alleges the Accused Products do not "perturb a current passcode generator to generate a new passcode generator." ¶49 col. 32:29-31
storing the new passcode generator in place of the current passcode generator in a storage unit associated with the machine. Microsoft alleges its products "do not store any such new passcode generator in place of a prior/current passcode generator." ¶49 col. 32:32-35

No probative visual evidence provided in complaint.

Identified Points of Contention

  • Scope Questions: The central dispute appears to be whether the implementation of the public RFC 6238 (TOTP) standard falls within the scope of the patent's claims. A key question is whether the "shared secret" used in the TOTP standard can be considered a "passcode generator" as that term is used in the patent.
  • Technical Questions: The patent claims a method of "perturbing" a generator to create a "new" one that is then "stored." The TOTP standard, in contrast, typically uses a static shared secret combined with a dynamic factor (time). A primary technical question is whether using an incrementing time-step with a fixed secret key constitutes "perturbing" the "passcode generator" to "create a new passcode generator" that is then "stored," or if this represents a fundamentally different, stateless authentication mechanism not contemplated by the patent.

V. Key Claim Terms for Construction

The Term: "passcode generator"

  • Context and Importance: The definition of this term is critical. The patent requires this "generator" to be retrieved, used, and then perturbed or changed into a "new" generator. Practitioners may focus on whether this term refers merely to a secret key, as in TOTP, or to a more complex, stateful data structure that itself is modified and replaced after each use. The outcome of this construction could determine whether a standard TOTP implementation can infringe.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent states a "passcode generator, also known as a seed, can be a string of characters or other form of a code" ('236 Patent, col. 9:10-12), which could support an argument that it is simply a secret key.
    • Evidence for a Narrower Interpretation: The patent repeatedly describes a process where a current generator Gi is used to create a new generator Gi+1 via a function f(Gi), which is then stored. This is illustrated in figures and described as "updating" or "changing" the generator itself, suggesting a stateful object that evolves over time, rather than a static key ('236 Patent, Fig. 8; col. 20:58-62).

The Term: "perturbing the ... passcode generator to create a new passcode generator"

  • Context and Importance: This term defines the core action that distinguishes the patented method. The infringement analysis will hinge on whether the operation of the accused TOTP algorithm constitutes "perturbing" to "create" a "new" generator.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent provides various examples of perturbing, including simple arithmetic like adding 1 or 2 to the generator, which could be argued to be analogous to a time-step increment ('236 Patent, col. 21:3-7).
    • Evidence for a Narrower Interpretation: The specification consistently links the "perturbing" step to creating a new passcode generator which is then stored ... in place of the old one ('236 Patent, col. 10:8-12; col. 28:10-12). This suggests a durable, state-changing operation on the generator itself, which may be argued as distinct from the transient use of a time factor in the TOTP algorithm, where the underlying secret key remains unchanged.

VI. Other Allegations

  • Indirect Infringement: The complaint states that Biogy has accused Microsoft of indirect infringement by alleging that Microsoft's online documentation and instructions induce its customers to use the Accused Products in a manner that allegedly infringes the ’236 patent (Compl. ¶¶ 27, 39).
  • Willful Infringement: The complaint does not allege willfulness. However, it establishes Microsoft's knowledge of the ’236 patent and Biogy's allegations as of the time it began receiving indemnification requests from customers who had received Biogy's demand letters (Compl. ¶40).

VII. Analyst’s Conclusion: Key Questions for the Case

The resolution of this declaratory judgment action will likely depend on the answers to two central questions:

  1. A core issue will be one of claim scope: Can the term "passcode generator", which the patent describes as being dynamically "perturbed" and "stored" as a new entity (Gi -> Gi+1), be construed to read on the functionally static "shared secret" used in the accused RFC 6238 TOTP standard?
  2. A key technical question will be one of operational equivalence: Does the accused TOTP algorithm—which combines a fixed secret key with an external, changing time-step—perform the specific, stateful process of "perturbing" a generator to "create a new passcode generator" that is then "stored," as required by the claims, or is this a fundamentally different technical operation?