1:18-cv-01477
CosmoKey Solutions GmbH & Co. KG v. Duo Security, Inc.
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: CosmoKey Solutions GmbH & Co. KG (Germany)
  - Defendant: Duo Security, Inc. n/k/a Duo Security LLC (Delaware); Cisco Systems, Inc. (Delaware)
  - Plaintiff’s Counsel: Potter Anderson & Corroon LLP
- Case Identification: 1:18-cv-01477, D. Del., 04/03/2023
- Venue Allegations: Venue is alleged to be proper in the District of Delaware on the basis that both Duo and Cisco are incorporated in Delaware and are therefore residents of the district.
- Core Dispute: Plaintiff alleges that Defendants’ multi-factor authentication products, particularly the Duo Push functionality, infringe a patent directed to a secure authentication method that uses a temporarily activated function on a user's mobile device.
- Technical Context: The lawsuit concerns multi-factor authentication (MFA), a widely adopted security technology used to verify a user's identity by requiring a second factor beyond a password, typically involving the user's mobile phone.
- Key Procedural History: The case has a significant history. The original complaint was filed in September 2018. In 2019, Defendant Cisco unsuccessfully petitioned for inter partes review (IPR) of the patent-in-suit, with the Patent Trial and Appeal Board (PTAB) declining to institute proceedings. The district court later found the patent’s claims directed to ineligible subject matter, but this judgment was reversed by the U.S. Court of Appeals for the Federal Circuit in 2021, which held that the claims recite a patent-eligible "specific improvement to a particular computer-implemented authentication technique." This Second Amended Complaint follows those proceedings.
Case Timeline
| Date | Event | 
|---|---|
| 2011-10-31 | '903 Patent Priority Date | 
| 2016-01-26 | '903 Patent Issued | 
| 2016-12-14 | Plaintiff allegedly notifies Duo of '903 Patent | 
| 2018-08-02 | Cisco announces intent to acquire Duo | 
| 2018-08-21 | Plaintiff sends formal notice letter to Duo | 
| 2018-09-11 | Duo responds to Plaintiff's letter | 
| 2018-09-25 | Original complaint filed against Duo | 
| 2018-10-01 | Cisco completes acquisition of Duo | 
| 2019-09-24 | Cisco files IPR petitions against the '903 Patent | 
| 2020-03-27 | PTAB denies institution of Cisco's IPR petitions | 
| 2021-10-04 | Federal Circuit reverses judgment of patent ineligibility | 
| 2022-08-25 | Duo Verified Push first offered | 
| 2023-04-03 | Second Amended Complaint filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,246,903 - “Authentication Method”
- Issued: January 26, 2016.
The Invention Explained
- Problem Addressed: The patent seeks to address a dilemma in user authentication where existing methods were either simple but insecure, or secure but overly complex and burdensome for users to handle. (’903 Patent, col. 1:15-28; Compl. ¶2).
- The Patented Solution: The invention proposes a method where a user's identity is verified through two separate communication channels. A user identification is sent from a terminal to a transaction partner over a first channel (e.g., the internet). Concurrently, an authentication device uses a second channel (e.g., a mobile network) to determine if a specific "authentication function" on the user's mobile device is active. Crucially, this function is described as being "normally inactive" and is activated by the user "only preliminarily for the transaction." If the function is detected as active within a specific time window relative to the user ID transmission, the authentication is approved, after which the function is "automatically deactivated." (’903 Patent, Abstract; col. 2:57-65).
- Technical Importance: This approach aims to provide robust security by requiring an out-of-band, time-sensitive confirmation from a device in the user's possession, without demanding complex user input like typing a code, thus simplifying the user experience. (’903 Patent, col. 2:20-31).
Key Claims at a Glance
- The complaint’s allegations focus on independent claim 1. (Compl. ¶28).
- The essential elements of independent claim 1 are:
  - transmitting a user identification from a terminal to a transaction partner via a first communication channel,
  - providing an authentication step where an authentication device uses a second communication channel to check an authentication function on a user's mobile device,
  - using a "predetermined time relation" between the user identification transmission and a response from the second channel as a criterion for granting or denying authentication,
  - ensuring the authentication function is "normally inactive" and is activated by the user "only preliminarily for the transaction,"
  - ensuring the response from the second channel indicates the authentication function is active, and
  - thereafter ensuring the authentication function is "automatically deactivated."
- The complaint alleges infringement of "one or more claims," which suggests the right to assert other claims, including dependent claims, is reserved. (Compl. ¶29).
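The claim 1 flow summarized above can be modelled as a small state machine. This is an added Python sketch, not code from the patent, the complaint, or any Duo or Cisco product. The class and function names, the 30-second window, the reading of the time relation as "response follows the ID within the window," and deactivation on every outcome are assumptions of the sketch.

```python
from dataclasses import dataclass

WINDOW_S = 30.0  # constructed value standing in for the "predetermined time relation"


@dataclass
class MobileAuthFunction:
    """Authentication function on the user's mobile device; normally inactive."""
    active: bool = False

    def activate(self) -> None:
        # User action: switch the function on for one pending transaction only.
        self.active = True


class AuthDevice:
    """Checks the mobile function over the second channel and applies the time rule."""

    def __init__(self, enrolled: dict, window_s: float = WINDOW_S):
        self.enrolled = enrolled      # user_id -> MobileAuthFunction
        self.window_s = window_s

    def decide(self, user_id: str, t_id_sent: float, t_response: float) -> tuple:
        fn = self.enrolled.get(user_id)
        if fn is None:
            return (False, "unknown user")
        was_active = fn.active        # what the second-channel response reports
        fn.active = False             # automatic deactivation (assumed on every outcome)
        if not was_active:
            return (False, "function inactive")
        # Assumed reading of the time relation: response follows the ID within the window.
        if not 0 <= t_response - t_id_sent <= self.window_s:
            return (False, "outside time window")
        return (True, "granted")


def run_demo() -> list:
    phone = MobileAuthFunction()
    device = AuthDevice({"alice": phone})
    results = []
    phone.activate()
    results.append(device.decide("alice", 100.0, 105.0))   # activated, in window
    results.append(device.decide("alice", 110.0, 112.0))   # repeat without re-activation
    phone.activate()
    results.append(device.decide("alice", 200.0, 245.0))   # response 45 s after the ID
    results.append(device.decide("carol", 300.0, 301.0))   # not enrolled
    results.append(phone.active)                           # function ends inactive
    return results
```

The second call shows the effect of automatic deactivation: a repeated user ID without a fresh activation is denied even though it arrives inside the window.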
III. The Accused Instrumentality
Product Identification
The complaint names a suite of products and services, collectively referred to as the "accused products." The core accused functionality centers on "Duo Push," which is part of the "Traditional Duo Prompt," "Duo Universal Prompt," and the "Duo Mobile App." These are integrated into broader Cisco offerings such as "Cisco Secure Access by Duo" and "Cisco AnyConnect." (Compl. ¶¶27, 58, 59).
Functionality and Market Context
The accused products provide multi-factor authentication. In a typical use case, after a user enters a password at a terminal, the Duo system sends a "push notification" to that user's enrolled mobile device. (Compl. ¶25). The user then taps "Approve" on the notification within the Duo Mobile app to gain access. (Compl. ¶33). This process is central to Defendants' "zero trust" security platform, which aims to verify user and device trust at every access attempt. (Compl. ¶¶17, 59). A network diagram provided in the complaint illustrates the separation between the initial login communication and the subsequent mobile authentication communication. (Compl. p. 12, ¶32).
IV. Analysis of Infringement Allegations
’903 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A method of authenticating a user to a transaction at a terminal, comprising the steps of: transmitting a user identification from the terminal to a transaction partner via a first communication channel, | When a user logs in, the Duo Prompt on a terminal (e.g., an RDP Client computer) transmits the user's identification over a network (the first channel) to a transaction partner (e.g., a Microsoft Session Host). A diagram depicts this as step 1 in an authentication flow. (Compl. p. 12, ¶32). | ¶32 | col. 8:39-43 | 
| providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user, | The Duo system provides an authentication step by sending a push notification to the Duo Mobile app on the user's mobile device. This uses a second communication channel (e.g., a mobile network) to interact with the authentication function (the Duo Mobile app). The user taps 'Approve' to proceed. A screenshot shows the mobile app receiving a login request. (Compl. p. 13, ¶33-34). | ¶¶33-34 | col. 8:43-51 | 
| as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel, | The Duo system imposes a predetermined time limit, alleged to be 60 seconds, within which the user must respond to the push notification on the mobile device. If no response is received within this interval, the authentication attempt expires and is denied. (Compl. ¶35). | ¶35 | col. 2:8-15 | 
| ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction, | The complaint alleges the Duo Mobile app is "normally inactive" or "dormant" and is activated only preliminarily for the transaction when a login is requested and the user interacts with the push notification. (Compl. ¶36). | ¶36 | col. 2:57-60 | 
| ensuring that said response from the second communication channel includes information that the authentication function is active, and | Upon receiving a Duo Push notification, the user's interaction (e.g., tapping 'Approve') activates the Duo Mobile app, which then transmits an approval response. This response allegedly serves as information that the authentication function is active. (Compl. ¶37). | ¶37 | col. 2:60-63 | 
| thereafter ensuring that the authentication function is automatically deactivated. | The authentication function is allegedly deactivated either after the user approves/denies the request or when the 60-second time interval expires. (Compl. ¶38). | ¶38 | col. 2:63-65 | 
- Identified Points of Contention:
  - Scope Questions: A potential dispute may arise over the meaning of "normally inactive." The complaint alleges the Duo Mobile app is "dormant" (Compl. ¶36), but a defendant could argue that an app with background processes constantly listening for push notifications from a server is not "inactive" in the manner contemplated by the patent, which describes activating a transceiver or an applet. (’903 Patent, col. 5:59-62).
  - Scope Questions: The sequence of events may be a critical issue. The claim requires the function to be "activated by the user only preliminarily for the transaction." The patent’s figures suggest activation occurs before the transaction request is sent. (’903 Patent, FIG. 2). In the accused Duo Push flow, the transaction request at the terminal triggers a prompt for the user to perform an activation step (tapping "Approve"). (Compl. ¶33). This raises the question of whether an activation that occurs in response to the transaction request satisfies the "preliminarily for the transaction" limitation.
  - Technical Questions: The complaint asserts that the user's interaction with the push notification "activates" the app (Compl. ¶37), but it also frames the entire process as being "directed and controlled by Duo" without requiring user steps for infringement (Compl. ¶39). This raises an evidentiary question about what "activation" means in a technical sense and creates tension regarding the role of the user, which is central to the extensive allegations of joint and divided infringement. (Compl. ¶¶40-44).
V. Key Claim Terms for Construction
- The Term: "authentication function"
  - Context and Importance: This term is the core technical element that is manipulated (activated/deactivated). Its construction is critical to determining whether the behavior of the Duo Mobile app, which may be viewed as always-on in a background state, meets the claim requirements of being "normally inactive" and then "active."
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The specification suggests the function could be an "applet that can be activated and deactivated independently of the apparatus as a whole," which may support an interpretation that a change in a software module's state within a running application is sufficient. (’903 Patent, col. 5:60-62).
    - Evidence for a Narrower Interpretation: The patent also provides examples such as activating the device’s entire "transceiver, so that it connects to the nearest Base Station" or checking a "Home Location Register (HLR) of the mobile network." (’903 Patent, col. 2:57-68). This could support a narrower construction requiring a more fundamental change in the device's network-connectivity state, rather than just a software state.
- The Term: "activated by the user only preliminarily for the transaction"
  - Context and Importance: The timing and cause of activation are central to the claimed process. The definition of "preliminarily" will determine whether the accused workflow, where the transaction request precedes the user's activation step, can infringe a claim that may require the reverse sequence.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: A party could argue "preliminarily" simply means "before the transaction is authenticated and completed," which would encompass the Duo workflow where the user's approval is preliminary to gaining access.
    - Evidence for a Narrower Interpretation: The patent’s own time diagrams, such as FIG. 2, explicitly show activation (t1) occurring before the transaction steps (t2). This provides strong intrinsic evidence that the inventors contemplated activation as an initial, user-initiated step that precedes the "transmitting a user identification" step of the claim.
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement against Duo and Cisco. The inducement theory is based on Defendants allegedly providing instructional materials, user guides, and marketing that encourage and direct customers and partners to use the accused products in an infringing manner, with knowledge of the patent. (Compl. ¶¶49, 66, 99). The contributory infringement theory alleges that the Duo Push feature is a material component especially made for infringing use with no substantial non-infringing uses. (Compl. ¶¶54, 102).
- Willful Infringement: Willfulness is alleged based on pre-suit and post-suit knowledge. The complaint alleges Duo had pre-suit knowledge from at least December 2016 via messages to its founders and from a formal notice letter in August 2018. (Compl. ¶¶73, 75). Cisco's knowledge is alleged from at least its acquisition of Duo in October 2018, which occurred after the initial lawsuit was filed, and is further evidenced by its own IPR filings in 2019. (Compl. ¶¶80-82, 113). The complaint alleges that continued infringement despite this knowledge and after the favorable Federal Circuit ruling constitutes willful disregard of Plaintiff's patent rights. (Compl. ¶¶92, 114).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope and sequence: Can the claim phrase "activated by the user only preliminarily for the transaction," which the patent’s own figures depict as an action preceding the transmission of a user ID, be construed to cover the accused Duo Push method, where the transmission of the user ID triggers a prompt for subsequent user activation?
- A second central question will concern the technical state of the accused system: Does the Duo Mobile app, which maintains a background process to receive push notifications, meet the claim requirement of being "normally inactive"? The resolution will depend on whether this limitation requires a device's communication hardware to be off or if a change in a software component's status is sufficient.
- Finally, a key legal question will be one of attribution of conduct: As the claimed method involves actions at a terminal, on a server, and on a mobile device (including a required user interaction), the case will likely test whether Plaintiff can prove that Defendants direct or control the entire process to such a degree that all steps are attributable to them for a finding of direct infringement, or whether the case is primarily one of indirect infringement.