Factor 2 Multimedia Systems LLC v. Tictok Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Factor2 Multimedia Systems, LLC (Virginia)
  • Defendant: TikTok Inc. (California) and ByteDance Ltd. (China)
  • Plaintiff’s Counsel: Whitestone Law
• Case Identification: 1:24-cv-00133, D.D.C., 01/16/2024
• Venue Allegations: Plaintiff alleges venue is proper because both TikTok Inc. and its parent, ByteDance Ltd., maintain a regular and established place of business in the District of Columbia.
• Core Dispute: Plaintiff alleges that the user authentication system within the TikTok social media platform infringes five patents related to methods of generating and validating temporary, single-use codes for secure access.
• Technical Context: The technology at issue involves two-factor and dynamic-code authentication, a widely used security measure for verifying a user's identity during online transactions or account logins.
• Key Procedural History: All five patents-in-suit are members of the same patent family. The patents are subject to terminal disclaimers, which may limit their effective term to that of the earliest-expiring patent in the family.

Case Timeline

Date	Event
2001-08-29	Earliest Priority Date for all Patents-in-Suit
2012-10-02	U.S. Patent No. 8,281,129 Issued
2017-07-11	U.S. Patent No. 9,703,938 Issued
2018-01-16	U.S. Patent No. 9,870,453 Issued
2018-09-25	U.S. Patent No. 10,083,285 Issued
2020-09-08	U.S. Patent No. 10,769,297 Issued
2024-01-16	Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,769,297 - *"Centralized Identification and Authentication System and Method"*

The Invention Explained

• Problem Addressed: The patent describes the increasing need for users to release confidential personal and financial information to conduct e-commerce, which is noted as being unsafe and not a reliable method of proving a user's identity (’297 Patent, col. 2:40-51).
• The Patented Solution: The invention proposes a system where a "Central-Entity" generates a dynamic, non-predictable, and time-dependent "SecureCode" for a user upon request. The user provides this SecureCode, as part of a "digital identity," to an external entity like a merchant. The external entity then forwards the digital identity to the Central-Entity for validation, which confirms or denies the authentication without the merchant ever handling the user's underlying static credentials ('297 Patent, Abstract; col. 3:1-16).
• Technical Importance: This approach aims to enhance online security by centralizing trust and minimizing the widespread distribution of static user credentials to numerous online services, thereby reducing the attack surface for data breaches ('297 Patent, col. 2:8-15).

Key Claims at a Glance

• Independent claim 1 is asserted in the complaint (Compl. ¶21, 67).
• The claim recites an authentication system comprising computing devices configured to perform operations including:
  • Electronically receiving a request for a "SecureCode."
  • Generating the SecureCode.
  • Providing the SecureCode to the user, wherein the code is invalid after a predetermined time, invalid after one use, and valid only for authenticating that user.
  • Receiving a digital authentication request that includes the SecureCode.
  • Authenticating the user by evaluating the validity of the SecureCode in the request.
• The complaint reserves the right to assert other claims, which would include dependent claims (Compl. ¶67).

U.S. Patent No. 8,281,129 - *"Direct Authentication System and Method Via Trusted Authenticators"*

The Invention Explained

• Problem Addressed: The patent identifies the core problem of identity theft as stemming from flawed societal assumptions: first, that knowledge of personal information (like an SSN) proves identity, and second, that such sensitive information can be kept secret (’129 Patent, Abstract; col. 1:16-col. 2:47).
• The Patented Solution: The invention discloses a "two-factor" authentication method that leverages a pre-existing "trusted authenticator," such as a bank. A user combines "something the individual knows" (a static key) with "something the individual receives" (a dynamic code from the trusted authenticator). This combination is provided to a third-party business, which then communicates with the trusted authenticator to verify both factors and confirm the user's identity ('129 Patent, col. 6:7-21).
• Technical Importance: The technology established a framework for leveraging an existing, high-trust relationship (e.g., with a financial institution) to securely vouch for a user's identity in transactions with other, potentially untrusted, entities online ('129 Patent, col. 3:40-52).

Key Claims at a Glance

• Independent claim 1 is asserted in the complaint (Compl. ¶22, 37).
• The claim recites a computer-implemented method to authenticate an individual, comprising:
  • Receiving, at a trusted-authenticator's computer, a request for a dynamic code.
  • Calculating the dynamic code, which is valid for a predefined time and becomes invalid after use.
  • Sending the dynamic code to the individual.
  • Receiving, from an entity, an authentication request based on a user information and the dynamic code.
  • Authenticating the individual's identity based on the user information and dynamic code, and providing the result to the entity.
• The complaint asserts claims 1-52, which includes dependent claims (Compl. ¶37).

U.S. Patent No. 9,703,938 - *"Direct Authentication System and Method Via Trusted Authenticators"*

• Technology Synopsis: This patent continues the technology family of the ’129 Patent, describing a system to combat online identity theft. The invention focuses on using a trusted third-party entity to generate and validate temporary, dynamic authentication codes that are used in conjunction with static user information for two-factor verification during online transactions (’938 Patent, Abstract).
• Asserted Claims: Claims 1-26 (Compl. ¶43).
• Accused Features: The accused features are the authentication systems and methods employed by the TikTok Apparatus (Compl. ¶2, 14).

U.S. Patent No. 9,870,453 - *"Direct Authentication System and Method Via Trusted Authenticators"*

• Technology Synopsis: As a further continuation in the same family, this patent refines the method for enabling online entities to verify a user's identity. The system relies on a "two-factor" technique where a trusted authenticator provides a dynamic code to a user for a specific transaction, enhancing security over methods that rely solely on static credentials (’453 Patent, Abstract).
• Asserted Claims: Claims 1-26 (Compl. ¶55).
• Accused Features: The accused features are the authentication systems and methods employed by the TikTok Apparatus (Compl. ¶2, 14).

U.S. Patent No. 10,083,285 - *"Direct Authentication System and Method Via Trusted Authenticators"*

• Technology Synopsis: This patent also pertains to the family's core technology of using a trusted entity to issue a dynamic, single-use code for user authentication. The method is designed to provide high assurance that a user is who they claim to be during an online transaction by combining this temporary code with other user information (’285 Patent, Abstract).
• Asserted Claims: Claims 1-30 (Compl. ¶61).
• Accused Features: The accused features are the authentication systems and methods employed by the TikTok Apparatus (Compl. ¶2, 14).

III. The Accused Instrumentality

Product Identification

• The accused instrumentality is the "TikTok Apparatus," defined as including the TikTok mobile application as well as the backend systems and backbone infrastructure that provide access, functionality, content distribution, and user authentication (Compl. ¶23).

Functionality and Market Context

• The complaint alleges that the TikTok Apparatus provides an authentication system for users to log in or verify their identity. This system functions by receiving a request for a verification code, generating that code, and sending it to a user's device (e.g., via SMS). The user then enters this time-sensitive, single-use code into the application to gain access (Compl. ¶29). A screenshot shows the user entering a phone number to request a code (Compl. p. 9). The complaint alleges that Defendants derive profit from the use of the accused products through advertisement revenue throughout the United States (Compl. ¶4, 5).

IV. Analysis of Infringement Allegations

10,769,297 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
while the online computer system is connected to the computing device of the user via a communication network, electronically receiving a request for a SecureCode	The TikTok server receives a request for a code after a user enters their phone number into the TikTok app and taps "Send code."	¶29, p. 9	col. 5:29-32
generating the SecureCode	The TikTok backend system generates a 6-digit verification code in response to the user's request.	¶29, p. 9	col. 5:32-34
electronically providing to the user the SecureCode... wherein: the SecureCode is invalid after a predetermined time passes, the SecureCode is invalid after one use... and the SecureCode is only valid for authenticating the user	TikTok sends an SMS message containing the 6-digit code to the user's phone. A screenshot indicates the code is "valid for 5 minutes."	¶29, p. 10	col. 6:21-31
electronically receiving from the online computer system a digital authentication request for authenticating the user, wherein: the digital authentication request comprises a digital identity of the user, and the digital identity includes the SecureCode	The user enters the received 6-digit code into the TikTok app, which transmits it to TikTok's servers as an authentication request.	¶29, p. 11	col. 5:40-45
authenticating the user by evaluating a validity of the SecureCode included in the digital authentication request	TikTok's system evaluates whether the entered code is correct and valid to grant the user access to their account.	¶29, p. 11	col. 5:45-52

8,281,129 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
receiving electronically a request for a dynamic code for the individual... by a trusted-authenticators computer	TikTok's backend servers, alleged to be the "trusted-authenticators computer," receive a request for a code when a user initiates a login verification.	¶29, p. 9	col. 10:59-64
calculating by the trusted-authenticators computer the dynamic code... wherein the dynamic code is valid for a predefined time and becomes invalid after being used	TikTok's servers generate the temporary 6-digit code, which the complaint alleges is time-limited and single-use.	¶29, p. 10	col. 12:40-42
sending by the trusted-authenticator's computer electronically the dynamic code to the individual	TikTok's system sends the generated code to the user's mobile device via an SMS message.	¶29, p. 9	col. 11:2-4
receiving by the trusted-authenticator's computer electronically an authentication request... based on a user information and the dynamic code	TikTok's servers receive the authentication request, which includes the user's phone number ("user information") and the entered 6-digit "dynamic code."	¶29, p. 11	col. 10:11-16
authenticating by the trusted-authenticator's computer an identity of the individual based on the user information and the dynamic code	TikTok's servers verify the user's identity by confirming that the submitted code corresponds to the user's phone number.	¶29, p. 11	col. 10:17-21

Identified Points of Contention

• Scope Questions: The infringement theory for the ’129 Patent family raises the question of whether an integrated system, where the service provider (TikTok) also acts as its own authenticator, falls within the scope of a "trusted-authenticator." The patent specifications frequently describe the authenticator as a separate entity from the business conducting the transaction, such as a user's bank authenticating them for a merchant ('129 Patent, Fig. 2a-2b). The defense may argue that the claims, read in light of the specification, require a three-party architecture (user, business, authenticator) not present in the accused two-party system (user, TikTok).
• Technical Questions: A screenshot in the complaint shows an "Incorrect code" error message after an apparent failed login attempt (Compl. p. 10). The complaint uses this to support the "invalid after one use" limitation. However, this visual evidence could merely show a mistyped code rather than the invalidation of a previously correct but reused code. The factual basis for whether the accused system actually invalidates a code after a single successful use may become a point of dispute.

V. Key Claim Terms for Construction

• The Term: "trusted-authenticator" (from the '129, '938, '453, and '285 Patents)

• Context and Importance: The definition of this term is central to the architectural scope of the claims. Whether TikTok's own servers can be considered a "trusted-authenticator" for authenticating users to its own service will be a critical issue. Practitioners may focus on this term because the patents' examples often depict a separate, third-party entity.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The claims themselves do not explicitly require the "trusted-authenticator" and the "entity" to be different, legally separate organizations. A plaintiff may argue the term simply refers to the computer system performing the authentication function, which could be operated by the same company providing the end service.
  • Evidence for a Narrower Interpretation: The specification of the ’129 Patent repeatedly illustrates the invention with figures and examples showing a "Business" (20) and a separate "Trusted-Authenticator" (30, 40) interacting to verify an "Individual" (10) ('129 Patent, Fig. 1a, 1b, 2a, 2b). The description of leveraging an existing trust relationship, such as with a bank, to secure a transaction with a different merchant may support an interpretation requiring separate entities ('129 Patent, col. 3:40-52).

• The Term: "SecureCode" / "dynamic code"

• Context and Importance: The properties of this code—being dynamic, time-limited, and single-use—are the core technical features alleged to be infringed. The dispute may turn on whether the accused codes possess all the specific characteristics required by the claims.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The patents define the term broadly, for instance, as "a key or information that is variable" and can be an "alphanumeric code" ('285 Patent, col. 8:56-61). This language could encompass a wide variety of temporary verification codes.
  • Evidence for a Narrower Interpretation: The patents describe the dynamic code as one of two factors, contrasted with a "static key" representing "Something the individual knows" ('129 Patent, col. 6:7-13). A defendant might argue that to be a "dynamic code" in the context of the claimed invention, it must be used as part of a true two-factor system as described, raising the question of what constitutes the corresponding "static key" in the accused system.

VI. Other Allegations

• Indirect Infringement: The complaint alleges both induced and contributory infringement. Inducement is based on Defendants providing the TikTok Apparatus and encouraging or instructing users to engage in the allegedly infringing authentication methods (Compl. ¶38, 44). Contributory infringement is alleged on the basis that Defendants supply the TikTok system, which is a material part of the invention, not a staple article of commerce, and is known to be especially made for an infringing use (Compl. ¶25, 39).
• Willful Infringement: Plaintiff seeks a judgment of willful infringement and enhanced damages (Compl., Prayer for Relief ¶B). The complaint does not plead specific facts indicating that Defendants had pre-suit knowledge of the patents-in-suit.

VII. Analyst’s Conclusion: Key Questions for the Case

• A core issue will be one of architectural scope: can the term "trusted-authenticator," which is described in the context of a separate entity like a bank authenticating a user for a third-party business, be construed to cover an integrated platform like TikTok authenticating its own users for its own service?
• A second key issue will be one of claim construction: does the accused system, which sends a verification code to a phone number provided by the user, meet the "two-factor" structure detailed in the specifications, which distinguishes between "something the user knows" (a static key) and "something the user receives" (a dynamic code)?
• A third question will be evidentiary: what technical evidence will be presented to prove that the accused "SecureCode" is definitively invalidated after a single successful use, as required by the claims, beyond the ambiguous visual evidence provided in the complaint?