DCT

1:17-cv-10422

StrikeForce Tech Inc v. Gemalto

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:17-cv-10422, D. Mass., 03/14/2017
  • Venue Allegations: Plaintiff alleges venue is proper in the District of Massachusetts because Defendant Gemalto maintains continuous and systematic contacts with the district, directs activities at its residents, and operates a regular and established business location in Tewksbury, MA.
  • Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication products and services infringe patents related to out-of-band methods and systems for securing access to computer resources.
  • Technical Context: The technology at issue is out-of-band, two-factor authentication, a security process used to protect access to sensitive online systems such as banking websites, corporate networks, and VPNs.
  • Key Procedural History: The asserted patents claim priority to an earlier patent, U.S. Patent No. 7,870,599. The complaint notes that Plaintiff has offered its own commercial product, ProtectID®, since 2003 and has maintained a webpage with statutory patent notices since at least February 2011.

Case Timeline

Date Event
2000-09-05 Priority Date for '698 and '701 Patents
2003-08-01 Plaintiff's ProtectID® product offered
2011-02-01 Plaintiff's website identified parent '599 patent
2013-07-09 '698 Patent issued
2013-10-01 Plaintiff's website identified '698 patent
2014-04-29 '701 Patent issued
2014-06-01 Plaintiff's website identified '701 patent
2017-03-14 Complaint Filing Date

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,484,698

  • Patent Identification: U.S. Patent No. 8,484,698, titled "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System (COBAS)," issued on July 9, 2013. (Compl. ¶13).

The Invention Explained

  • Problem Addressed: The patent describes the security vulnerability of "in-band" authentication, where a user's credentials and the authentication process occur on the same network channel, creating a "self-authenticating environment" that is susceptible to hackers. It further notes that traditional "callback" systems are ineffective against modern attacks originating from the internet, where an IP address is not tied to a fixed physical location. (’698 Patent, col. 2:30-50).
  • The Patented Solution: The invention proposes a multichannel security method where an initial login attempt on a primary "access channel" (e.g., the internet) is intercepted. A separate "authentication channel" (e.g., a telephone network) is then used to contact the user on a pre-registered peripheral device to verify their identity. Only after successful out-of-band verification is access granted on the original access channel. This architecture isolates the authentication protocol from the access channel. (’698 Patent, Abstract; col. 4:13-19; Fig. 1A).
  • Technical Importance: This approach enhances security by verifying not just something the user knows (a password), but also something the user has (a separate device), thereby adding a layer of location and possession-based authentication that is difficult for a remote attacker to compromise. (’698 Patent, col. 4:30-45).

Key Claims at a Glance

  • The complaint asserts independent claim 1. (Compl. ¶26).
  • The essential elements of claim 1 include:
    • Receiving a login identification demand at an interception device in a first channel to access a host computer.
    • Verifying the login identification.
    • Receiving the demand and login identification at a security computer in a second channel.
    • Outputting a prompt from the security computer requesting the transmission of data.
    • Receiving the transmitted data at the security computer.
    • Comparing the transmitted data to predetermined data.
    • Outputting an instruction to the host computer to grant or deny access based on the comparison.
  • The complaint does not explicitly reserve the right to assert dependent claims.

U.S. Patent No. 8,713,701

  • Patent Identification: U.S. Patent No. 8,713,701, titled "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System (COBAS)," issued on April 29, 2014. (Compl. ¶14).

The Invention Explained

  • Problem Addressed: The patent addresses the same problem as the ’698 Patent: the inherent security risks of in-band authentication systems where all information is exchanged on the same network. (’701 Patent, col. 2:23-38).
  • The Patented Solution: The invention claims a system architecture for implementing out-of-band authentication. It is composed of an "access channel" and a distinct "authentication channel." The system comprises specific components: an "interception device" in the access channel, and a "security computer," a "database" with peripheral device addresses, a "prompt mechanism," and a "comparator" in the authentication channel. This structure formalizes the separation of components to achieve out-of-band security. (’701 Patent, Abstract; col. 6:28-48).
  • Technical Importance: By defining a specific system architecture with functionally distinct channels and components, the invention provides a structured framework for building secure authentication systems that are not reliant on the security of the primary access network. (’701 Patent, col. 4:51-58).

Key Claims at a Glance

  • The complaint asserts independent claim 1. (Compl. ¶40).
  • The essential elements of claim 1 include:
    • A security system comprising an access channel and an authentication channel.
    • The access channel includes an interception device for receiving a login identification.
    • The authentication channel includes a security computer for receiving the login ID and communicating with a peripheral device.
    • The authentication channel includes a database with at least one peripheral address record.
    • The authentication channel includes a prompt mechanism for instructing the user to enter and transmit data.
    • The authentication channel includes a comparator for verifying a match between the transmitted data and predetermined data.
    • The security computer outputs an instruction to grant or deny access.
  • The complaint does not explicitly reserve the right to assert dependent claims.
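The two-channel architecture that the claim elements of both patents describe (an interception device in the access channel; a security computer, peripheral-address database, prompt mechanism and comparator in the authentication channel), as an added simulation that is not code from the complaint, the patents or either party. The user records, the PIN as "predetermined data", and the in-band-verification-first sequencing are constructed assumptions; the simulation shows why a password captured in-band alone does not yield a grant instruction.

```python
import hmac
from typing import Callable, Optional

# Constructed records for the simulation (not taken from the page).
CREDENTIALS = {"alice": "s3cret"}                 # login identification -> password
PERIPHERAL_ADDRESS_DB = {"alice": "+1-555-0100"}  # peripheral address records
PREDETERMINED_DATA = {"alice": "4711"}            # data the accessor must enter at the device

# A peripheral device: receives (address, prompt) and returns transmitted data, or None.
Device = Callable[[str, str], Optional[str]]


class SecurityComputer:
    """Authentication channel: database lookup, prompt mechanism and comparator."""

    def __init__(self, deliver_to_peripheral: Device):
        self.deliver = deliver_to_peripheral
        self.prompts_sent = 0

    def authenticate(self, login_id: str) -> str:
        address = PERIPHERAL_ADDRESS_DB.get(login_id)
        if address is None:
            return "deny"                         # no peripheral address record on file
        self.prompts_sent += 1                    # prompt mechanism: out-of-band request
        transmitted = self.deliver(address, "Enter your PIN to approve this login")
        return self.comparator(login_id, transmitted)

    def comparator(self, login_id: str, transmitted: Optional[str]) -> str:
        # Constant-time match between predetermined data and the transmitted data.
        expected = PREDETERMINED_DATA[login_id]
        if transmitted is not None and hmac.compare_digest(expected, transmitted):
            return "grant"
        return "deny"


class InterceptionDevice:
    """Access channel: intercepts the login demand before it reaches the host."""

    def __init__(self, security_computer: SecurityComputer):
        self.security_computer = security_computer

    def login(self, login_id: str, password: str) -> str:
        # Assumed sequence: verify the login identification in-band first; the
        # out-of-band prompt is issued only after that verification succeeds.
        if not hmac.compare_digest(CREDENTIALS.get(login_id, ""), password):
            return "deny"
        return self.security_computer.authenticate(login_id)


def run_login(login_id: str, password: str, device: Device):
    """Returns (instruction sent to the host computer, number of out-of-band prompts)."""
    sc = SecurityComputer(device)
    return InterceptionDevice(sc).login(login_id, password), sc.prompts_sent
```

Passing a device callback that returns None models a user declining the prompt; a wrong password never triggers a prompt at all, which is the sequencing question raised for claim 1 of the '698 Patent.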

III. The Accused Instrumentality

Product Identification

The complaint names Gemalto's SafeNet Authentication Service ("SAS"), Ezio Suite, and MobileID as the "Infringing Products," with a focus on SAS when used with the MobilePASS+ application. (Compl. ¶¶ 18, 25).

Functionality and Market Context

  • The accused products provide two-factor authentication for users accessing protected resources like web applications or corporate networks. (Compl. ¶19). The complaint alleges a process where a user's login request is redirected to the SAS server, which then sends an out-of-band push notification to the user's registered mobile device. The user approves the request on the mobile device (e.g., by tapping the notification or using a fingerprint), which triggers the delivery of a one-time password (OTP) back to the SAS server. Upon validation, SAS grants access to the protected resource. (Compl. ¶19). The complaint provides a diagram illustrating this three-step process of a user initiating a request, receiving and approving a push notification, and being logged into the protected resource. (Compl. ¶19, p. 6).
  • The Ezio Suite is described as including an out-of-band messaging server and mobile SDK to establish a secure channel for authentication. (Compl. ¶21). A diagram in the complaint illustrates this flow involving a bank's server, the Ezio Secure Messenger Server, and a mobile application. (Compl. ¶21, p. 7).
  • The MobileID service is alleged to enable authentication via a "click-OK on a mobile phone" after entering a mobile phone number as a username. (Compl. ¶23). A screenshot from a promotional video shows a user prompted to tap an "OK" button on a handset to access a website. (Compl. ¶23, p. 8).

IV. Analysis of Infringement Allegations

'698 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
receiving at an interception device in a first channel a login identification demand to access a host computer also in the first channel; | An element of the system intercepts the user's login request before granting access to the protected computer or application. | ¶27 | col. 9:24-34
verifying the login identification; | The system verifies the login information of the user. | ¶27 | col. 9:46-54
receiving at a security computer in a second channel the demand for access and the login identification; | The SAS or Ezio server receives the demand for access and login identification. | ¶27 | col. 6:28-48
outputting from the security computer a prompt requesting transmission of data; | The system sends a push notification to the user's mobile device requesting confirmation or denial of the authorization request. | ¶27 | col. 9:35-45
receiving the transmitted data at the security computer; | The SAS or Ezio server receives the user's response to the push notification. | ¶27 | col. 9:55-61
comparing the transmitted data to predetermined data; | The complaint alleges this comparison occurs when the server receives the user's response, though specific details of the comparison are not provided. | ¶27 | col. 14:1-12
depending on the comparison... outputting an instruction from the security computer to the host computer to grant access... or deny access thereto. | Based on the user's response, the SAS or Ezio server outputs an instruction to the protected computer to grant or deny access. | ¶27 | col. 10:2-10

'701 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
an access channel comprising: an interception device for receiving a login identification originating from an accessor for access to said host computer | An element of the system intercepts the user's login request prior to granting access to the protected application. | ¶41 | col. 13:8-12
an authentication channel, a security computer... for receiving... said login identification and for communicating... with a peripheral device of said accessor | The SAS or Ezio server receives the login identification and communicates with the user's mobile device via a push notification. | ¶41 | col. 13:13-21
a database having at least one peripheral address record corresponding to said login identification | The system uses a database, accessed by SAS or Ezio, for communicating with the user's mobile device. | ¶41 | col. 7:38-44
a prompt mechanism for instructing said accessor to enter predetermined data at and transmit said predetermined data from said peripheral device | An element of the system issues a push notification on the user's mobile device prompting the user to confirm or deny authorization. | ¶41 | col. 12:13-24
a comparator for authenticating access demands... by verifying a match between said predetermined data and said entered and transmitted data... | The SAS or Ezio server receives the user's response and, based on that response, authenticates the access demand. | ¶41 | col. 5:48-59

Identified Points of Contention

  • Scope Questions: A central issue may be whether the internet can serve as both the "first channel" (for the login attempt) and the "second channel" (for the push notification), or if the patent requires physically distinct networks (e.g., data network vs. telephone network), as heavily featured in the specification. The defense may argue that the accused products do not use a true "out-of-band" channel as contemplated by the patent.
  • Technical Questions: The patent specification describes an "interception device" as a router internal to a corporate network that diverts traffic (’698 Patent, Fig. 1A). The complaint describes the accused SAS product as receiving a redirected request. A question for the court will be whether this redirection architecture is equivalent to the "interception" claimed in the patents.
  • Technical Questions: It is unclear from the complaint whether the accused products perform the "verifying the login identification" step before initiating the out-of-band communication, as sequenced in claim 1 of the ’698 Patent. The sequence of operations will likely be a point of dispute.

V. Key Claim Terms for Construction

The Term: "interception device" ('698 Patent, cl. 1; '701 Patent, cl. 1)

  • Context and Importance: This term is foundational to how the patented system initiates the security process. Its construction will determine whether the accused products, which allegedly redirect login requests to a separate authentication server, perform the claimed "interception." Practitioners may focus on this term because its scope could either be limited to network-level hardware like a router or be broad enough to cover software-based redirection.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The term itself is not explicitly defined or limited in the claims. Plaintiff may argue that any component, hardware or software, that intercepts, receives, or diverts a login request for security processing meets the plain and ordinary meaning of the term.
    • Evidence for a Narrower Interpretation: The specification's primary embodiment shows the "request-for-access is diverted by a router 36 internal to the corporate network 38" (’698 Patent, col. 6:40-42; Fig. 1A). A defendant could argue this embodiment limits the term to a network hardware device that diverts traffic, rather than an application-level server that receives a configured redirection.

The Term: "second channel" ('698 Patent, cl. 1) / "authentication channel" ('701 Patent, cl. 1)

  • Context and Importance: This term is the crux of the "out-of-band" invention. Its definition will be critical to determining if the accused products, which use internet-based push notifications, infringe. The dispute will likely center on whether a "channel" must be a physically separate network or can be a logically separate path over the same physical infrastructure.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification defines "out-of-band" as being "carried over separate facilities, frequency channels, or time slots" (’698 Patent, col. 4:16-19). Plaintiff may argue that a push notification pathway is a logically separate "facility" from an HTTP web session, even if both traverse the internet.
    • Evidence for a Narrower Interpretation: The preferred embodiments consistently depict the "authentication channel" as a "voice network" or "telephone network," physically distinct from the "access network" (the internet). (’698 Patent, Fig. 1A; col. 6:33-35). Defendant may argue this context limits the scope of "channel" to physically separate communication networks.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges both induced and contributory infringement. The inducement allegation is based on Gemalto's alleged marketing, instructions, and directions that encourage its customers to use the products in an infringing manner. (Compl. ¶¶ 28, 34, 42, 48). The contributory infringement allegation claims Gemalto provides material components of an out-of-band system that are not staple articles of commerce and have no substantial non-infringing use. (Compl. ¶¶ 29, 43).
  • Willful Infringement: The complaint alleges that Gemalto's infringement is willful, knowing, and deliberate. (Compl. ¶¶ 37, 51). It pleads that Gemalto had knowledge of the asserted patents "at least as early as, and no later than, the filing of this Complaint." (Compl. ¶¶ 17, 31, 45). The complaint also notes Plaintiff's public patent marking on its website, which could be used to argue for pre-suit knowledge. (Compl. ¶16).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "second channel" (or "authentication channel"), which is rooted in the patent's examples of physically separate telephone and data networks, be construed to cover a logically distinct push notification pathway that travels over the same physical network (the internet) as the initial access request? The outcome of this claim construction dispute will be pivotal.
  • A key evidentiary question will be one of architectural equivalence: does the accused products' architecture, which relies on application-level redirection to a separate authentication service, meet the claim limitation of an "interception device", which the patent specification depicts as a network router that diverts traffic? The analysis will require a detailed comparison of the technical operation of the accused systems against the language of the claims and specification.