DCT

1:17-cv-10423

StrikeForce Tech Inc v. Vasco Data Security Intl Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel: Plaintiff StrikeForce Technologies, Inc.; Defendant VASCO Data Security International, Inc. (counsel of record not listed in this summary).
  • Case Identification: 1:17-cv-10423, D. Mass., 03/14/2017
  • Venue Allegations: Venue is alleged to be proper in the District of Massachusetts based on Defendant VASCO Data Security, Inc. operating a regular and established business location within the district.
  • Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication products, which utilize push notifications to mobile devices, infringe patents related to multichannel, out-of-band authentication systems.
  • Technical Context: The technology concerns out-of-band authentication, a security method that uses a secondary communication channel to verify a user's identity, which is critical for securing access to sensitive systems like corporate networks and online banking.
  • Key Procedural History: The complaint alleges that Defendant had pre-suit knowledge of the patented technology and at least one patent in the family. Allegations include a 2010 meeting where Plaintiff demonstrated its commercial product to Defendant's representatives and subsequent partnership discussions in 2011, during which Plaintiff allegedly provided materials identifying its intellectual property.

Case Timeline

Date Event
2000-09-05 Earliest Priority Date for '698 and '701 Patents
2003-08-01 Plaintiff StrikeForce begins offering its ProtectID® product
2010-03-08 Plaintiff alleges Defendant became aware of its ProtectID® product at the RSA Conference
2011-01-11 U.S. Patent No. 7,870,599 (parent to asserted patents) issues
2011-11-10 Plaintiff alleges Defendant became aware of the '599 patent through materials provided during partnership discussions
2013-07-09 U.S. Patent No. 8,484,698 ('698 Patent) issues
2014-04-29 U.S. Patent No. 8,713,701 ('701 Patent) issues
2017-03-14 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,484,698 - "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System (COBAS)," issued July 9, 2013

The Invention Explained

  • Problem Addressed: The patent describes the security risk of "in-band" authentication, where a user's credentials (e.g., password) are transmitted over the same network channel as the data they are trying to access, creating an environment where a hacker can intercept both the request and the credentials ('698 Patent, col. 2:31-41). Traditional "callback" systems are noted as being ineffective against attacks originating from the internet ('698 Patent, col. 2:42-53).
  • The Patented Solution: The invention proposes a security system that separates the authentication process from the access process. When a user attempts to log in via a primary "access channel" (e.g., the internet), the request is intercepted and routed to a security system ('698 Patent, col. 6:30-42). This system then initiates contact with the user over a separate, "out-of-band" authentication channel (e.g., a telephone call or wireless network) to verify their identity. Only after successful out-of-band verification does the system instruct the host to grant access on the original access channel ('698 Patent, Abstract; Fig. 1A).
  • Technical Importance: This out-of-band architecture prevents an attacker who has compromised the primary access network from also intercepting the authentication credentials, thereby isolating the authentication protocol from the system being accessed ('698 Patent, col. 4:56-59).

Key Claims at a Glance

  • The complaint asserts independent claim 1 ('698 Patent, Compl. ¶25).
  • Claim 1 of the '698 patent is a method claim with the following essential elements:
    • Receiving at an interception device in a first channel a login identification demand to access a host computer.
    • Verifying the login identification.
    • Receiving at a security computer in a second, different channel the demand for access and the login identification.
    • Outputting from the security computer a prompt requesting transmission of data.
    • Receiving the transmitted data at the security computer.
    • Comparing the transmitted data to predetermined data.
    • Based on the comparison, outputting an instruction from the security computer to the host computer to grant or deny access.
  • The complaint does not explicitly reserve the right to assert dependent claims.

U.S. Patent No. 8,713,701 - "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System (COBAS)," issued April 29, 2014

The Invention Explained

  • Problem Addressed: As a continuation of the '698 patent family, the '701 patent addresses the same fundamental problem of insecure in-band authentication systems vulnerable to interception by hackers ('701 Patent, col. 2:27-41).
  • The Patented Solution: The solution is architecturally identical to that described in the '698 patent, involving the use of separate access and authentication channels to confirm a user's identity before granting access to a host computer ('701 Patent, Abstract; col. 6:8-23). The primary distinction lies in the claims, which are directed to a security system rather than a method of use.
  • Technical Importance: The invention provides a system architecture for implementing the high-security, out-of-band authentication method, separating the means of access from the means of verification ('701 Patent, col. 4:32-37).

Key Claims at a Glance

  • The complaint asserts independent claim 1 ('701 Patent, Compl. ¶39).
  • Claim 1 of the '701 patent is a system claim comprising the following key components:
    • An access channel with an interception device for receiving a login identification.
    • An authentication channel with:
      • A security computer for receiving the login ID and communicating with a peripheral device.
      • A database with a peripheral address record corresponding to the login ID.
      • A prompt mechanism for instructing the user to enter and transmit predetermined data from the peripheral device.
      • A comparator for verifying a match between the transmitted data and stored data.
    • The security computer outputs an instruction to the host computer to grant or deny access based on the comparator's verification.
  • The complaint does not explicitly reserve the right to assert dependent claims.
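To make the claimed architecture concrete, the following Python model walks the steps of '698 claim 1 (interception in a first channel, verification of the login ID, prompt and comparison at a security computer in a second channel, grant/deny instruction to the host) and the components of '701 claim 1 (interception device, security computer, peripheral address database, prompt mechanism, comparator). It is an added example written for this summary, not code from the patents, the complaint or the accused products; the class and function names, the one-time code used as the "predetermined data", and the sample login IDs and peripheral addresses are assumptions. The one design point it adds beyond the claim language is the check a practitioner would insist on: the comparator binds each response to a specific pending demand and consumes that record, so a replayed or mis-attributed approval is denied.

```python
"""Toy model of a two-channel (out-of-band) authentication system.

Added illustration only: names, data structures and sample values are
constructed for this example and are not drawn from the patents or products.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Host:
    """Host computer on the access channel. It verifies that the login ID is
    known and then acts only on the security computer's instruction; it never
    sees the data exchanged on the authentication channel."""
    valid_logins: set
    sessions: set = field(default_factory=set)

    def verify_login_id(self, login_id: str) -> bool:
        return login_id in self.valid_logins

    def apply_instruction(self, login_id: str, instruction: str) -> None:
        if instruction == "grant":
            self.sessions.add(login_id)


@dataclass
class SecurityComputer:
    """Security computer on the authentication channel: holds the peripheral
    address database, the prompt mechanism and the comparator."""
    peripheral_db: dict                              # login ID -> peripheral address record
    pending: dict = field(default_factory=dict)      # request ID -> (login ID, expected data)

    def receive_demand(self, login_id: str) -> Optional[dict]:
        """Prompt mechanism: look up the accessor's peripheral and emit a
        one-time prompt bound to this particular access demand."""
        address = self.peripheral_db.get(login_id)
        if address is None:
            return None                              # no peripheral on record: cannot authenticate
        request_id = secrets.token_hex(8)
        expected = secrets.token_hex(4)              # the "predetermined data" the user must send back
        self.pending[request_id] = (login_id, expected)
        return {"request_id": request_id, "to": address, "code": expected}

    def receive_transmitted(self, request_id: str, transmitted: str) -> Tuple[str, Optional[str]]:
        """Comparator: match the transmitted data against the pending record for
        this request, consume the record so it cannot be replayed, and output a
        grant/deny instruction together with the login ID it applies to."""
        record = self.pending.pop(request_id, None)
        if record is None:
            return "deny", None                      # unknown, expired or already-used request
        login_id, expected = record
        ok = hmac.compare_digest(expected, transmitted)
        return ("grant" if ok else "deny"), login_id


def peripheral_device(prompt: dict, approve: bool = True) -> str:
    """The accessor's peripheral device on the second channel. The user either
    enters the prompted data or sends something that will not match."""
    return prompt["code"] if approve else "0000"


def login(host: Host, sc: SecurityComputer, login_id: str, approve: bool = True) -> str:
    """Interception device in the first channel: receive the access demand,
    verify the login ID, hand the demand to the security computer, and relay
    its instruction to the host. Returns the instruction ("grant" or "deny")."""
    if not host.verify_login_id(login_id):
        return "deny"
    prompt = sc.receive_demand(login_id)
    if prompt is None:
        return "deny"
    transmitted = peripheral_device(prompt, approve)
    instruction, who = sc.receive_transmitted(prompt["request_id"], transmitted)
    if instruction == "grant" and who == login_id:   # instruction must belong to this demand
        host.apply_instruction(login_id, "grant")
        return "grant"
    return "deny"


def run_scenarios() -> dict:
    """Exercise the normal path and the failure modes the comparator must handle."""
    host = Host(valid_logins={"alice", "bob", "carol"})
    sc = SecurityComputer(peripheral_db={"alice": "push:alice-phone", "bob": "sms:+15550100"})
    results = {}
    results["correct_code"] = login(host, sc, "alice")                 # grant
    results["wrong_code"] = login(host, sc, "alice", approve=False)     # deny: comparator mismatch
    results["unknown_login"] = login(host, sc, "mallory")               # deny: fails at interception device
    results["no_peripheral"] = login(host, sc, "carol")                 # deny: no address record
    prompt = sc.receive_demand("bob")                                   # capture a prompt, use it once...
    sc.receive_transmitted(prompt["request_id"], prompt["code"])
    results["replay"] = sc.receive_transmitted(prompt["request_id"], prompt["code"])[0]  # ...replay is denied
    results["sessions"] = sorted(host.sessions)                         # only alice was granted
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The `login` function stands in for the "interception device" as a piece of software sitting in the access path rather than a network router; whether such a software redirection satisfies the claim term is exactly the construction question discussed in Sections IV and V, and this model takes no position on it.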

III. The Accused Instrumentality

Product Identification

The accused instrumentalities are Defendant’s "IDENTIKEY product family and DIGIPASS software" ("Infringing Products") (Compl. ¶19).

Functionality and Market Context

  • The complaint alleges the accused products provide two-factor authentication using out-of-band technology (Compl. ¶20). The described process involves a user attempting to log into a protected application on a computer, which constitutes a first channel. The request is redirected to the IDENTIKEY authentication server, which sends an out-of-band push notification to the user's mobile device (e.g., via the DIGIPASS App) (Compl. ¶¶20-21). A screenshot in the complaint depicts a laptop screen stating "An authentication has been sent to your device" while a user holds a smartphone displaying the login approval request (Compl. p. 7). After the user approves the request on the mobile device (a second channel), the server grants access to the application on the computer (Compl. ¶21). A high-level diagram shows how the IDENTIKEY server sits between remote/local users and the corporate network's application servers, managing authentication (Compl. p. 8).
  • The complaint asserts that IDENTIKEY is marketed as a server authentication tool for "secure and seamless access to corporate resources and applications of all kinds" (Compl. ¶20).

IV. Analysis of Infringement Allegations

'698 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
A software method for employing a multichannel security system to control access to a computer... | The accused products comprise a software-based authentication platform (IDENTIKEY server and DIGIPASS software) for controlling access. | ¶26 | col. 13:28-31
receiving at an interception device in a first channel a login identification demand to access a host computer also in the first channel | An element of the system intercepts the user's login request on their computer (e.g., laptop) before granting access to the protected application. | ¶26 | col. 6:37-42
receiving at a security computer in a second channel the demand for access and the login identification and outputs a prompt requesting transmission of data | The IDENTIKEY authentication server receives the login demand and sends a push notification to the user's mobile device, which prompts the user to confirm or deny authorization. This communication occurs via a separate, out-of-band channel. | ¶26 | col. 9:20-36
receiving the transmitted data at the security computer, compares the transmitted data to predetermined data... | The user's response from the mobile device is received by the IDENTIKEY authentication server or DIGIPASS software, which compares the response to determine if access should be granted. | ¶26 | col. 10:55-63
...outputting an instruction from the security computer to the host computer to grant access to the host computer or deny access thereto | Based on the user's response, the IDENTIKEY server or DIGIPASS software outputs an instruction to the protected computer or application to grant or deny access. | ¶26 | col. 12:1-25

'701 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
an access channel comprising: an interception device for receiving a login identification originating from an accessor for access to said host computer | The system includes an element that intercepts the user's login request made from their computer. | ¶40 | col. 6:37-42
an authentication channel, a security computer... for receiving from said interception device said login identification... and for communicating with a peripheral device of said accessor | The IDENTIKEY authentication server receives the login ID and communicates with the user's mobile device (the peripheral device) via a push notification. | ¶40 | col. 13:42-53
a database having at least one peripheral address record corresponding to said login identification | A database accessed by the IDENTIKEY server or DIGIPASS software contains information for communicating with the user's mobile device. | ¶40 | col. 7:37-41
a prompt mechanism for instructing said accessor to enter predetermined data at and transmit said predetermined data from said peripheral device | An element of the system issues a push notification to the user's mobile device, prompting the user to confirm or deny the login attempt. | ¶40 | col. 10:35-46
a comparator for authenticating access demands... by verifying a match between said predetermined data and said entered and transmitted data, wherein said security computer outputs an instruction to the host computer to either grant access | The IDENTIKEY server and/or DIGIPASS software receives the user's response and, based on that response, outputs an instruction to the protected computer or application to grant or deny access. | ¶40 | col. 13:21-25

Identified Points of Contention

  • Scope Questions: A central issue may be whether the term "telephone," used frequently in the patent's detailed description (e.g., '698 Patent, col. 6:26), can be construed to encompass a modern smartphone running an application over a mobile data network. Plaintiff may point to broader language and figures referencing "wireless network[s]" and "PDA[s]" ('698 Patent, Fig. 13) to argue the claims cover such modern implementations.
  • Technical Questions: The infringement theory hinges on the accused system having an "interception device." The parties may dispute whether the accused software architecture, which likely uses API calls and server-side redirection, performs the function of the "interception device" (e.g., router 36 in '698 Patent, Fig. 1A) as contemplated by the patent. The question is whether a software-based redirection constitutes "interception" in the claimed sense.

V. Key Claim Terms for Construction

The Term: "interception device" ('698 Patent, cl. 1; '701 Patent, cl. 1)

  • Context and Importance: This term is critical as it defines the mechanism that initiates the out-of-band process. The construction will determine whether the accused products, which are primarily software-based, meet this limitation. Practitioners may focus on this term because its interpretation could decide whether a software redirection plug-in is equivalent to the hardware router shown in the patent's primary embodiment.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claims do not limit the "interception device" to a specific type of hardware. The specification states that the "request-for-access is diverted by a router 36 internal to the corporate network" ('698 Patent, col. 6:40-42), but this is one example embodiment. Plaintiff may argue that any component, software or hardware, that diverts the login flow for authentication meets the plain meaning of the term.
    • Evidence for a Narrower Interpretation: The primary figure illustrating the invention (Fig. 1A) depicts the interception device as a hardware "internal router" (36). Defendant may argue that this embodiment limits the scope of the term to a piece of networking hardware that physically intercepts traffic, rather than a software module that redirects an application-level request.

The Term: "second channel" ('698 Patent, cl. 1) / "authentication channel" ('701 Patent, cl. 1)

  • Context and Importance: This term defines the "out-of-band" nature of the invention. Infringement requires the accused push notification system to be a separate "channel." The dispute will likely focus on the required degree of separation between the access and authentication pathways.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent defines an "out-of-band" operation as using an authentication channel "separated from the channel carrying the information" ('698 Patent, col. 4:14-17). It gives a "voice network" (Fig. 1A) and a "wireless network" (Fig. 13) as examples, which suggests the concept turns on logically separate communication paths rather than on physically distinct media such as the PSTN versus the internet. That reading would support treating a mobile data network carrying push notifications as a separate channel.
    • Evidence for a Narrower Interpretation: Defendant may argue that since both the initial login attempt from a laptop and the subsequent push notification to a smartphone can travel over the public internet, they are not meaningfully separate "channels." The argument would be that for channels to be separate, they must use fundamentally different network infrastructure, as with the patent's telephone network example.

VI. Other Allegations

Indirect Infringement

The complaint alleges inducement by claiming Defendant distributes, markets, and provides instructions that encourage customers to use the accused products in an infringing manner (Compl. ¶¶33, 47). It also alleges contributory infringement, asserting that the accused products are material components of an infringing system, are not staple articles of commerce, and have no substantial non-infringing use (Compl. ¶¶28, 42).

Willful Infringement

The complaint alleges willful infringement based on both pre-suit and post-suit knowledge (Compl. ¶¶36, 50). The pre-suit knowledge allegations are based on Plaintiff's claims that it met with Defendant's representatives at a 2010 conference and later provided materials in 2011 describing its technology and identifying the '599 patent, a parent to the patents-in-suit (Compl. ¶¶16-17). The complaint alleges that Defendant only began offering its own out-of-band products after these interactions (Compl. ¶17).

VII. Analyst’s Conclusion: Key Questions for the Case

The resolution of this case may turn on the court’s answers to several central questions:

  • A core issue will be one of definitional scope: Can the claim terms of patents with a 2000 priority date, drafted with reference to technologies like "telephone dialup" and "PDAs," be construed to cover modern security implementations using smartphone applications and push notifications over mobile data networks?
  • A key evidentiary question will be one of technical structure: Does the accused software-based architecture, which uses application-level redirection and server logic, meet the structural requirements of the claims, particularly the "interception device" limitation, or is there a fundamental mismatch with the hardware-centric embodiments described in the patents?
  • A third major question will concern willfulness: What evidence will discovery reveal regarding the alleged 2010-2011 interactions between the parties, and can Plaintiff prove that Defendant had knowledge of the patented technology, and either the asserted patents or their direct parent, prior to the infringing activity?