5:25-cv-03329
Okta Inc v. Biogy Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Okta, Inc. (Delaware)
  - Defendant: Biogy, Inc. (Delaware)
  - Plaintiff’s Counsel: Fish & Richardson P.C.
- Case Identification: 3:25-cv-03329, N.D. Cal., 06/11/2025
- Venue Allegations: Venue is alleged to be proper as both parties have their principal places of business in the district, Defendant is subject to personal jurisdiction, and a substantial part of the events giving rise to the claim occurred in the district.
- Core Dispute: Plaintiff Okta seeks a declaratory judgment that its identity management platform does not infringe Defendant Biogy’s patent related to generating and validating temporary passcodes.
- Technical Context: The lawsuit concerns methods for secure user authentication, specifically time-based one-time passcode (TOTP) systems, a widely used technology for multi-factor authentication.
- Key Procedural History: The complaint states that Defendant Biogy has sent letters to multiple Okta customers alleging that their use of Okta’s TOTP functionality infringes the patent-in-suit. Furthermore, Biogy has filed a lawsuit against at least one Okta customer, Albertsons Companies, Inc., in the Eastern District of Texas, based on the same infringement theory.
Case Timeline
| Date | Event |
|---|---|
| 2004-12-20 | ’236 Patent Priority Date |
| 2009-01-01 | Okta Founded |
| 2010-02-23 | ’236 Patent Issue Date |
| 2024-04-24 | Biogy sends infringement notice letter to Okta customer Albertsons |
| 2025-06-11 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,669,236 - Determining Whether to Grant Access to a Passcode Protected System (Issued Feb. 23, 2010)
The Invention Explained
- Problem Addressed: The patent describes the difficulty for users of remembering many different passwords for various systems and the susceptibility of static passwords to theft and fraud (’236 Patent, col. 1:40-44).
- The Patented Solution: The invention discloses a system for generating temporary passcodes. A user provides identifying information (e.g., a fingerprint) to a "passcode device," which then generates a passcode from a "passcode generator" (’236 Patent, col. 4:30-36). An administrator system independently generates the same passcode to verify it. Crucially, after a successful use, the system changes the passcode generator itself (e.g., via a "perturbing" function `f(Gᵢ)=Gᵢ₊₁`) so that the next access attempt will require a different passcode derived from a new generator (’236 Patent, Fig. 8). This "one-time" nature is designed to defeat replay attacks.
- Technical Importance: This approach aims to provide security that does not rely on users remembering passwords or on static credentials that can be stolen and reused.
Key Claims at a Glance
- The complaint identifies claims 5, 12, 14, and 24 as being asserted by Biogy (Compl. ¶22).
- Independent Claim 5: A method comprising the steps of:
  - generating, via a machine, a passcode that is valid temporarily, wherein the passcode is based on information associated with a user;
  - determining whether an attempted access is permitted, based on the passcode generated, by at least determining whether the passcode generated matches a passcode received;
  - if there is a match, permitting the attempted access;
  - wherein the generating of the passcode includes at least: retrieving a prior passcode generator, generating a current passcode generator by perturbing the prior one, and generating the passcode from the current passcode generator.
- Independent Claim 12: A method comprising the steps of:
  - receiving at a machine a passcode from a user;
  - retrieving at least one passcode generator from a storage unit;
  - generating at least one passcode from the at least one passcode generator;
  - determining if the generated passcode matches the received passcode;
  - if there is a match, granting access, perturbing the passcode generator to create a new passcode generator, and storing the new passcode generator.
- The complaint does not explicitly reserve the right to assert dependent claims, but seeks a declaration of non-infringement for "any claim of the '236 patent" (Compl. ¶41).
III. The Accused Instrumentality
- Product Identification: The "Okta Accused Products" are identified as the collection of Okta's software and services that generate or process time-based one-time passcodes ("TOTPs") for multi-factor authentication, including the Okta Identity Engine and Okta Classic Engine (Compl. ¶3, ¶31).
- Functionality and Market Context:
  - The complaint alleges that the accused functionality is Okta's implementation of the TOTP algorithm as described in the public standard RFC 6238 (Compl. ¶25, ¶27). This functionality is provided to Okta's customers to secure access to their own websites and applications (Compl. ¶17-18).
  - The complaint positions Okta as a "pioneer of the 'Identity-as-a-Service' industry" and its platform as "industry-leading," suggesting significant commercial importance (Compl. ¶2, ¶17).
IV. Analysis of Infringement Allegations
The complaint seeks a declaratory judgment of non-infringement. The following table summarizes Okta's asserted position that its products do not practice the claimed elements.
’236 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Non-Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| generating, via a machine, a passcode that is valid temporarily, wherein the passcode is based on information associated with a user | The Okta Accused Products do not base a passcode or a passcode generator on information associated with a user. | ¶42a, ¶46 | col. 28:16-18 |
| generating the passcode from the current passcode generator | The Okta Accused Products do not generate a passcode from a current passcode generator. | ¶42d, ¶46 | col. 27:30-34 |
| the method further including at least if it is determined that the passcode generated matches the passcode received ... applying a function to the current passcode generator to generate a new passcode generator | The Okta Accused Products do not perturb a current passcode generator to generate a new passcode generator. | ¶42f, ¶46 | col. 12:57-62 |
| the method further including at least if it is determined that the passcode generated matches the passcode received ... storing the new passcode generator in place the current passcode generator. | The Okta Accused Products do not store any such new passcode generator in place of a prior or current passcode generator. | ¶42g, ¶46 | col. 12:63-66 |
- Identified Points of Contention:
  - Scope Questions: A primary issue will be whether the patent's term "passcode generator", described in the specification as a data object that is itself retrieved, "perturbed," and replaced (e.g., `Gᵢ₊₁=f(Gᵢ)`), can be construed to read on the components of a standard TOTP system (RFC 6238). Such systems typically use a static shared secret key combined with a dynamic time-based counter, rather than a generator that is itself dynamically altered and stored.
  - Technical Questions: The complaint raises the question of what evidence Biogy has that Okta's products perform the specific claimed methods. For example, Biogy's infringement allegation to one customer was supported by a screenshot of an Okta-provided CSS file (Compl. ¶25-26). This screenshot, showing the filename `okta-sign-in.min.css` from an Okta server, displays styling code for a web page rather than logic for a cryptographic algorithm (Compl. p. 7). The relevance of such evidence to the claimed method steps will be a point of contention. What evidence does Biogy have that Okta's system "perturbs" and "stores" a new generator, as opposed to using a static key with a moving time factor?
V. Key Claim Terms for Construction
The Term: "passcode generator"
Context and Importance: This term is central to every independent claim and represents the core of the alleged invention. Okta's non-infringement defense hinges on its argument that its TOTP system does not use a "passcode generator" that is "perturbed" and "stored" as required by the claims (Compl. ¶46). Practitioners may focus on this term because its definition will likely decide the case.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent states a "passcode generator, also known as a seed, can be a string of characters or other form of a code" ('236 Patent, col. 9:11-13). This could support an argument that any secret data used to initiate passcode generation, including a standard TOTP secret key, is a "passcode generator."
- Evidence for a Narrower Interpretation: The patent consistently describes the generator as a dynamic entity that is itself changed. Figure 8 shows the explicit steps `Retrieve Current Passcode Generator Gᵢ` (802) followed by `Change the Passcode Generator (e.g., Gᵢ₊₁=f(Gᵢ))` (806). Claim 12 requires "storing the new passcode generator in place of the at least one passcode generator." This supports a narrower construction where the generator is a specific data object that is updated and replaced after each use, a process distinct from using a static key with a variable counter.
The Term: "perturbing"
Context and Importance: This term, appearing in claims 5 and 12, describes the action performed on the "passcode generator" to create a new one. Okta denies its products "perturb a current passcode generator" (Compl. ¶46). The definition of this term is critical to determining if a standard TOTP algorithm, which does not modify its secret key during operation, can infringe.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent does not provide an explicit definition. A party could argue for a plain and ordinary meaning, suggesting any modification or change would suffice.
- Evidence for a Narrower Interpretation: The specification provides specific mathematical examples, such as `f(Gᵢ)` being a function that could "add 1 to passcode generator Gᵢ" or "permute the order of the symbols" ('236 Patent, col. 21:3-11). This suggests "perturbing" is a direct transformation applied to the generator data itself to create the next generator in a sequence, rather than simply using a different input (like a time step) with a static generator.
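To make the mechanics behind the two claim terms concrete, the following added example (not taken from the complaint, the patent, or Okta's code) places an RFC 6238 TOTP computation beside a sketch of the retrieve, perturb, and store cycle summarized above. The class and function names, the starting generator value, and the SHA-256 derivation of a passcode from the generator are assumptions; only the "add 1" perturbation and the order of the steps come from the text.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1; the shared secret is read, never rewritten."""
    counter = struct.pack(">Q", unix_time // step)   # only the time step moves
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PerturbingVerifier:
    """Retrieve G_i, derive a passcode, and on a match store G_{i+1} = f(G_i)."""

    def __init__(self, generator: int):
        self.stored = generator                      # G_i held in storage

    @staticmethod
    def perturb(g: int) -> int:
        return g + 1                                 # the page's "add 1" example of f

    @staticmethod
    def derive(g: int) -> str:
        # ASSUMPTION: the page does not say how a passcode is derived from G.
        digest = hashlib.sha256(str(g).encode()).digest()
        return str(int.from_bytes(digest[:4], "big") % 10 ** 6).zfill(6)

    def verify(self, received: str) -> bool:
        g = self.stored                              # retrieve current generator
        if not hmac.compare_digest(self.derive(g), received):
            return False
        self.stored = self.perturb(g)                # replace G_i with G_{i+1}
        return True


def compare() -> dict:
    secret = b"12345678901234567890"                 # RFC 6238 Appendix B test secret
    codes = [totp(secret, t) for t in (30, 59, 60)]  # same step, same step, next step
    verifier = PerturbingVerifier(generator=1000)    # constructed starting value
    first = verifier.derive(verifier.stored)
    accepted = verifier.verify(first)                # match: generator is replaced
    replayed = verifier.verify(first)                # same code against G_{i+1}
    return {"totp": codes, "accepted": accepted, "replayed": replayed,
            "stored": verifier.stored}


if __name__ == "__main__":
    print(compare())
```

In the TOTP half the code changes only because the time step changes, and the same code is produced for every request inside one 30-second step; RFC 6238 section 5.2 therefore requires the verifier to reject a second use of an already accepted code, which is bookkeeping kept apart from the unchanged secret.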
VI. Other Allegations
- Indirect Infringement: The complaint states that Biogy's allegations effectively accuse Okta of indirect infringement by "providing the Okta Accused Products to customers and instructing them on the use" of those products (Compl. ¶36). Biogy's use of Okta's own source code file and function calls in its communications to customers is cited as evidence that the allegations are directed at Okta's technology (Compl. ¶25, ¶28). The complaint alleges that Biogy has effectively asserted that Okta induced infringement (Compl. ¶37).
- Willful Infringement: The complaint does not allege willfulness on behalf of Okta. However, it does note that "Okta has been aware of the '236 patent, and Biogy's allegations" since receiving indemnification requests from its customers, establishing a timeline for Okta's knowledge of the dispute (Compl. ¶38).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: Can the claim term "passcode generator", which the patent describes as a dynamic data object that is itself "perturbed" and replaced after use, be construed broadly enough to read on the static secret key used in Okta's standards-based (RFC 6238) Time-based One-Time Password (TOTP) system?
- A key evidentiary question will be one of technical operation: Assuming a construction favorable to Biogy, what evidence will show that Okta's accused products actually perform the claimed steps of retrieving a prior generator, applying a "perturbing" function to create a new generator, and storing that new generator in place of the old one? The dispute centers on a potential mismatch between the patent's specific cyclical process and the accused product's alleged technical implementation.