1:17-cv-00941

Smart Authentication IP LLC v. Personal Capital Corp

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:17-cv-00941, D. Del., 07/13/2017
  • Venue Allegations: Venue is alleged based on the Defendant conducting substantial business in the District of Delaware, including offering the accused infringing services to individuals in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication system, used for its financial planning software and applications, infringes a patent related to methods and systems for personalized, multi-channel user authentication.
  • Technical Context: The technology at issue involves systems for authenticating users by requiring verification through more than one communication channel, such as initiating a login on a website and receiving a confirmation code via a separate text message.
  • Key Procedural History: While not mentioned in the complaint, public records indicate that after this complaint was filed, an Inter Partes Review (IPR) proceeding was initiated against the patent-in-suit (IPR2017-02047). An IPR Certificate issued on February 27, 2020, confirmed the cancellation of all claims asserted in this complaint (claims 1-10 and 12-17), while finding claim 11 patentable. This subsequent invalidation of all asserted claims is a central development for the litigation.

Case Timeline

| Date | Event |
|---|---|
| 2005-06-27 | '213 Patent Priority Date |
| 2011-12-20 | '213 Patent Issue Date |
| 2017-07-13 | Complaint Filing Date |
| 2017-09-01 | IPR2017-02047 Filed |
| 2020-02-27 | IPR Certificate Issued Cancelling Asserted Claims |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,082,213 - "Method and System for Personalized Online Security"

  • Patent Identification: U.S. Patent No. 8,082,213, "Method and System for Personalized Online Security," issued December 20, 2011.

The Invention Explained

  • Problem Addressed: The patent describes a growing need for more reliable user authentication for electronic transactions, noting that existing password-based and even two-factor schemes (like an ATM card plus a PIN) were increasingly vulnerable to fraud and identity theft (’213 Patent, col. 1:21-40).
  • The Patented Solution: The invention proposes a centralized "authentication service provider" (ASP) that allows users to create and manage their own security policies. When a third-party service (an "ASP client," like a bank's website) needs to authenticate a user, it contacts the ASP. The ASP then executes an authentication procedure according to the user's pre-defined rules, which can involve using multiple, different communication channels—for instance, interacting with the bank's website over the internet while receiving a one-time password on a cell phone (’213 Patent, col. 2:1-19; Fig. 3).
  • Technical Importance: The described system provided a framework for user-controlled, strong authentication that could adapt to new threats by allowing users to define the complexity and methods of their own security procedures (’213 Patent, col. 2:1-10).

Key Claims at a Glance

  • The complaint asserts independent claims 1 and 12.
  • Independent Claim 1 (System Claim): A user-authentication service comprising:
    • One or more computer systems;
    • Stored user-authentication policies specified by the user;
    • Stored user information;
    • "Account interface routines" for the user to manage policies; and
    • "Authentication-interface routines" that receive a request from an "authentication-service client" and employ "variable-factor authentication", during which the user communicates with the service via a third communications medium using a user device different from the one used to initiate the transaction.
  • Independent Claim 12 (Method Claim): A method for authenticating a user of an authentication service, comprising:
    • Receiving user-identifying information from an "authentication-service client" (which communicates with the user via a first communications medium);
    • Carrying out an authentication procedure by sending information to the user through a communications medium different from the first; and
    • Returning an authentication result to the "authentication-service client".
  • The complaint also asserts dependent claims 2-5, 7-10, and 13-16 (’213 Patent, col. 9:4-10:57; Compl. ¶18).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Defendant's "computer-aided products and services related to financial tools for financial planning," specifically the "two-factor authentication" methods required to access them (Compl. ¶15, 18).

Functionality and Market Context

  • The complaint alleges that Defendant's service requires users to first authenticate a new device (Compl. ¶18). This process involves a user entering their credentials (e.g., username and password) via a first medium like an internet browser or mobile app (Compl. ¶15).
  • The system then requires the user to verify their identity by receiving and entering a one-time code sent via a different medium, such as a text message (SMS), voice call, or email (Compl. ¶15-16).
  • The complaint includes a screenshot of a "Security Settings" page, suggesting that users can manage and store authentication policies, such as their mobile phone number for receiving codes (Compl. p. 6). The settings page shown on page 6 of the complaint allows a user to specify and edit their email and mobile phone number for security purposes (Compl. p. 6).

IV. Analysis of Infringement Allegations

'213 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| A user-authentication service implemented as routines that execute on one or more computer systems | Defendant's service runs on computer systems, such as a server with authentication functionality. | ¶19 | col. 8:45-50 |
| stored user-authentication policies specified by the user | Defendant stores user-specified authentication policies, such as the user's choice of method for receiving a verification code. | ¶19 | col. 8:50-54 |
| account interface routines that implement an account interface by which the user specifies, modifies, adds, and deletes user-authentication policies | Defendant provides "Security Settings" where a user can specify and modify information like a mobile phone number used for authentication. A screenshot on page 6 of the complaint shows a user interface for managing these security settings. | p. 6 | col. 8:54-57 |
| authentication-interface routines that implement an authentication interface by which... the authentication-service client submits an authentication request | Defendant's website or app (the "authentication-service client") submits an authentication request to Defendant's back-end authentication service. | p. 7-8 | col. 8:58-65 |
| to authenticate the user, the authentication-interface routines employing a variable-factor authentication... during which the user communicates with the user-authentication service through a third communications medium | The user communicates with the service by receiving a security code via SMS, voice call, or email, which is a different communication medium from the initial login. A screenshot on page 9 shows the user flow from login to selecting an authentication method to entering the received code. | p. 9 | col. 7:35-41 |
| different from the first and second communications media and a user device different from that employed by the user to initiate the transaction with the authentication-service client | The complaint alleges a user can initiate a login on a computer and receive the authentication code on a separate smartphone. | p. 10 | col. 9:1-3 |

  • Identified Points of Contention:
    • Scope Questions: A central question may be whether Defendant's integrated system, where Personal Capital is both the client-facing entity and the authentication provider, maps to the patent's distinct "authentication-service client" and "user-authentication service" architecture (’213 Patent, col. 3:47-54). The court would need to determine if these claimed entities can be different software components within a single company's system.
    • Technical Questions: Claim 1 requires the use of a "user device different from that employed by the user to initiate the transaction" (’213 Patent, col. 9:1-3). It is a factual question whether the accused system always satisfies this limitation. For example, a user could initiate a login and receive an authentication code on the same smartphone, raising the question of whether this configuration would fall outside the claim's scope.

V. Key Claim Terms for Construction

  • The Term: "variable-factor authentication"

  • Context and Importance: This term appears in independent claim 1 and is central to the inventive concept. Its definition will determine what type of authentication process is covered. Practitioners may focus on this term because the patent's abstract suggests a specific meaning: providing "both secret information as well as evidence of control of a tangible object" (’213 Patent, Abstract).

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The specification discusses various authentication policies, including those based on location, time, or the communication medium itself, which could support a construction that is not strictly limited to a "tangible object" (’213 Patent, col. 7:20-30).
    • Evidence for a Narrower Interpretation: The abstract's explicit definition linking "variable-factor authentication" to "evidence of control of a tangible object" provides strong evidence for a narrower construction. The specific example of receiving a password on a cell phone during a transaction reinforces this interpretation (’213 Patent, col. 7:8-16).
  • The Term: "user device different from that employed by the user to initiate the transaction"

  • Context and Importance: This limitation in claim 1 is critical for infringement. If "different" is construed to mean physically separate devices, infringement may be avoided in scenarios where a user performs all authentication steps on a single device, such as a smartphone.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: A party could argue that "different device" could mean a logically distinct communication channel or application on a single physical device, though the patent does not appear to explicitly state this.
    • Evidence for a Narrower Interpretation: The specification repeatedly uses examples that imply physically distinct devices, such as "a combination of the Internet and a cell phone" (’213 Patent, col. 3:23-25) and communicating with a client via one medium and the ASP via "one or more other communications medium" (’213 Patent, col. 2:58-62). This language may support a construction requiring physically separate hardware.

VI. Other Allegations

  • Indirect Infringement: The complaint does not plead a separate count for indirect infringement, nor does it allege specific facts to support the required elements of knowledge and intent, such as alleging that Defendant's user manuals instruct users to perform the claimed steps (Compl. ¶¶1-20).
  • Willful Infringement: The complaint does not plead a separate count for willfulness or allege any facts regarding Defendant's knowledge of the '213 patent prior to the lawsuit. The prayer for relief includes a request for a declaration that the case is "exceptional" under 35 U.S.C. § 285, but this is not supported by specific factual allegations in the body of the complaint (Compl. p. 11, ¶C).

VII. Analyst’s Conclusion: Key Questions for the Case

  • The foremost issue for this case is one of mootness due to patent validity. Given that a post-filing IPR proceeding resulted in the cancellation of all patent claims asserted in the complaint, the primary question is whether the plaintiff has any remaining basis for its suit. The case may not be able to proceed unless the plaintiff is able to amend its complaint to assert the sole surviving claim (Claim 11).
  • Assuming the claims were still valid, a key question would be one of architectural scope: can the patent's claimed architecture, which distinguishes between an "authentication-service client" and a separate "user-authentication service", be read to cover an integrated system where a single entity (Personal Capital) provides both the client-facing application and the backend authentication?
  • Finally, a dispositive infringement question would be the interpretation of "different device" in claim 1. The case could turn on whether this phrase requires two physically separate devices (e.g., a laptop and a smartphone), or if it can be satisfied by a user performing all steps on a single smartphone, a common use case for the accused service.