DCT

1:25-cv-01393

Factor2 Multimedia Systems LLC v. State Employees Credit Union Of Maryland Inc

Log In
Key Events
Complaint
complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 1:25-cv-01393, D. Md., 05/01/2025
  • Venue Allegations: Plaintiff alleges venue is proper in the District of Maryland because the Defendant maintains a regular and established place of business in the district and has committed the alleged acts of infringement there.
  • Core Dispute: Plaintiff alleges that Defendant’s online banking authentication systems infringe six patents related to secure, multi-factor user authentication methods.
  • Technical Context: The technology concerns methods for verifying a user's identity in online transactions by using temporary, single-use codes in addition to static credentials, a foundational technique in modern digital security.
  • Key Procedural History: The patents-in-suit belong to a large, interrelated family of applications. The front pages of the asserted patents indicate that they are subject to terminal disclaimers, which may affect the patents' enforceable terms and can be relevant to potential double patenting issues.

Case Timeline

Date Event
2001-08-29 Earliest Priority Date (’129, ’938, ’864, ’453, ’285, ’297 Patents)
2012-10-02 U.S. Patent No. 8,281,129 Issued
2017-07-11 U.S. Patent No. 9,703,938 Issued
2017-07-19 U.S. Patent No. 9,727,864 Issued
2017-12-27 U.S. Patent No. 9,870,453 Issued
2018-09-25 U.S. Patent No. 10,083,285 Issued
2020-08-19 U.S. Patent No. 10,769,297 Issued
2025-05-01 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,769,297 - "Centralized Identification and Authentication System and Method"

  • Patent Identification: U.S. Patent No. 10,769,297, "Centralized Identification and Authentication System and Method," issued August 19, 2020 (Compl. ¶17).

The Invention Explained

  • Problem Addressed: The patent’s background section describes the growing risk of exposing confidential personal and financial information to conduct online commerce, noting that conventional identification methods are "not only unsafe but also it is not fool proof that the user is really the person he says he is" (’297 Patent, col. 1:47-51).
  • The Patented Solution: The invention proposes a system architecture involving a "Central-Entity" that manages user identity verification for one or more "External-Entities" (e.g., merchant websites) (’297 Patent, Fig. 2). Instead of providing sensitive data directly to a merchant, a user requests a temporary, dynamic "SecureCode" from the Central-Entity and provides this code as part of a "digital identity" to the merchant, which then verifies it with the Central-Entity to authenticate the transaction (’297 Patent, Abstract; col. 2:53-61).
  • Technical Importance: This centralized, dynamic-code approach was designed to mitigate the risks of static credential theft (e.g., stolen passwords), a significant vulnerability in e-commerce systems. (’297 Patent, col. 1:40-51).

Key Claims at a Glance

  • The complaint asserts independent Claim 1 (Compl. ¶19).
  • The essential elements of independent Claim 1 include:
    • An authentication system configured to perform operations comprising:
    • Electronically receiving a request for a SecureCode;
    • Generating the SecureCode;
    • Electronically providing the SecureCode to the user, wherein the SecureCode is invalid after a predetermined time, invalid after one use, and only valid for authenticating the user;
    • Electronically receiving a digital authentication request that comprises a digital identity including the SecureCode; and
    • Authenticating the user by evaluating the validity of the SecureCode.
  • The complaint asserts claims 1-29 of the ’297 Patent, thereby reserving the right to assert dependent claims (Compl. ¶61).

U.S. Patent No. 8,281,129 - "Direct Authentication System And Method Via Trusted Authenticators"

  • Patent Identification: U.S. Patent No. 8,281,129, "Direct Authentication System And Method Via Trusted Authenticators," issued October 2, 2012 (Compl. ¶12).

The Invention Explained

  • Problem Addressed: The patent family addresses the problem of identity theft where criminals use stolen personal information to impersonate victims, noting that authentication based on knowledge of supposedly confidential data is a flawed premise (’285 Patent, col. 1:52-2:6).
  • The Patented Solution: The invention describes a two-factor authentication method that leverages an existing trusted relationship between a user and a "trusted-authenticator" (e.g., a bank) to verify the user's identity to another entity (a "business") (’129 Patent, Abstract). The method combines "Something the individual knows" (a static key) with "Something the individual receives" (a dynamic code generated by the trusted-authenticator), both of which are provided to the business for verification by the trusted-authenticator (’285 Patent, col. 7:25-41).
  • Technical Importance: This approach creates a federated identity framework using existing financial institutions as trust anchors, which avoids the need to build a new, universal identity system from scratch while improving upon static, knowledge-based authentication methods (’285 Patent, col. 4:50-60).

Key Claims at a Glance

  • The complaint asserts independent Claim 1 (Compl. ¶20).
  • The essential elements of independent Claim 1 include:
    • A computer implemented method comprising:
    • Receiving, by a trusted-authenticator's computer, a request for a dynamic code;
    • Calculating the dynamic code, which is valid for a predefined time and becomes invalid after being used;
    • Sending the dynamic code to the individual;
    • Receiving, by the trusted-authenticator's computer, an authentication request from an entity, the request based on user information and the dynamic code; and
    • Authenticating the individual's identity based on the user information and the dynamic code, with the result provided to the entity.
  • The complaint asserts claims 1-52 of the ’129 Patent, thereby reserving the right to assert dependent claims (Compl. ¶41).

Multi-Patent Capsules

  • U.S. Patent No. 9,703,938 - "Direct Authentication System and Method Via Trusted Authenticators"

    • Patent Identification: U.S. Patent No. 9,703,938, "Direct Authentication System and Method Via Trusted Authenticators," issued July 11, 2017 (Compl. ¶13).
    • Technology Synopsis: This patent, related to the ’129 Patent, describes a method for a user to authenticate with a business by leveraging a trusted third-party authenticator. The user obtains a temporary "dynamic code" from the trusted entity and provides it along with static credentials to the business, which in turn relies on the trusted entity to verify the information (’938 Patent, Abstract).
    • Asserted Claims: Claims 1-26 (Compl. ¶45).
    • Accused Features: The accused instrumentality is the SECU online banking authentication system that provides and validates temporary codes for user login (Compl. ¶3, 11).

  • U.S. Patent No. 9,727,864 - "Centralized Identification and Authentication System and Method"

    • Patent Identification: U.S. Patent No. 9,727,864, "Centralized Identification and Authentication System and Method," issued July 19, 2017 (Compl. ¶14).
    • Technology Synopsis: This patent, related to the ’297 Patent, describes a centralized authentication system where a central entity issues a temporary "SecureCode" to a user upon request. The user presents this code as part of a "digital identity" to a third-party entity, which then confirms the user's identity by validating the code with the central entity (’864 Patent, Abstract).
    • Asserted Claims: Claims 1-15 (Compl. ¶49).
    • Accused Features: The accused instrumentality is the SECU online banking authentication system that provides and validates temporary codes for user login (Compl. ¶3, 11).

  • U.S. Patent No. 9,870,453 - "Direct Authentication System and Method Via Trusted Authenticators"

    • Patent Identification: U.S. Patent No. 9,870,453, "Direct Authentication System and Method Via Trusted Authenticators," issued December 27, 2017 (Compl. ¶15).
    • Technology Synopsis: This patent, related to the ’129 Patent, describes a method for a user to authenticate with a business by leveraging a trusted third-party authenticator. The user obtains a temporary "dynamic code" from the trusted entity and provides it along with static credentials to the business, which in turn relies on the trusted entity to verify the information (’453 Patent, Abstract).
    • Asserted Claims: Claims 1-26 (Compl. ¶53).
    • Accused Features: The accused instrumentality is the SECU online banking authentication system that provides and validates temporary codes for user login (Compl. ¶3, 11).

  • U.S. Patent No. 10,083,285 - "Direct Authentication System and Method Via Trusted Authenticators"

    • Patent Identification: U.S. Patent No. 10,083,285, "Direct Authentication System and Method Via Trusted Authenticators," issued September 25, 2018 (Compl. ¶16).
    • Technology Synopsis: This patent, related to the ’129 Patent, describes a system for a user to authenticate with a business by leveraging a trusted third-party authenticator. The user obtains a temporary "dynamic code" from the trusted entity and provides it along with static credentials to the business, which in turn relies on the trusted entity to verify the information (’285 Patent, Abstract).
    • Asserted Claims: Claims 1-30 (Compl. ¶57).
    • Accused Features: The accused instrumentality is the SECU online banking authentication system that provides and validates temporary codes for user login (Compl. ¶3, 11).

III. The Accused Instrumentality

  • Product Identification: The "SECU System and Apparatus," which includes the internet website and associated back-end systems used by State Employees Credit Union of Maryland, Inc. for user authentication (Compl. ¶21).
  • Functionality and Market Context: The accused instrumentality is an online banking platform. The complaint alleges that its two-factor (or multi-factor) authentication functionality infringes the patents-in-suit. Specifically, when a user attempts to log in, the SECU system can be configured to require a "SecureCode," which SECU refers to as a "one-time code" (Compl. ¶27). This code is generated by SECU's system and sent to the user via SMS text or another electronic method. The user must then enter this code to successfully authenticate and access their account (Compl. ¶27). The complaint includes a screenshot of the SECU online banking login interface where users enter their username and password (Compl. p. 8). Another screenshot shows the user interface for enabling two-factor authentication via "CODE VIA SMS" (Compl. p. 9).

IV. Analysis of Infringement Allegations

U.S. Patent No. 10,769,297 Infringement Allegations

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
An authentication system for enhancing computer network security by authenticating a user... comprising one or more computing devices configured to perform operations comprising: SECU provides online banking services through a website where users log in to access their accounts. ¶26 col. 1:29-36
while the online computer system is connected to the computing device of the user via a communication network, electronically receiving a request for a SecureCode; After a user enters their primary credentials and clicks the login button, the SECU system receives a request to generate and send a one-time code for two-factor authentication. ¶27 col. 5:29-34
generating the SecureCode; The SECU online computer system generates a "one-time code" to be used for authentication. ¶28 col. 5:31-33
electronically providing to the user the SecureCode in response to the request for the SecureCode, wherein: The SECU system sends the generated one-time code to the user via SMS text or another electronic communication method. ¶29 col. 5:35-39
the SecureCode is invalid after a predetermined time passes, The complaint alleges that the SECU website will reject a SecureCode if it is not used within a predetermined period, prompting an error message. ¶30 col. 6:21-23
the SecureCode is invalid after one use of the SecureCode for authentication, and The complaint alleges that the "one-time code" is valid for only one use and that an already-used code will be rejected. ¶31 col. 6:25-30
the SecureCode is only valid for authenticating the user; and The complaint alleges the code is generated for a particular user and that a code for one user will not work for another user. ¶32 col. 2:48-52
while the online computer system is connected... electronically receiving from the online computer system a digital authentication request for authenticating the user, wherein: the digital authentication request comprises a digital identity of the user, and the digital identity includes the SecureCode; and SECU's system receives the user's digital identity, which includes the user's username and the SecureCode they were sent. ¶33, ¶34 col. 5:41-45
while the online computer system is connected... authenticating the user by evaluating a validity of the SecureCode included in the digital authentication request. The SECU system validates the login by confirming that the submitted SecureCode is valid and corresponds to the submitted username. ¶36 col. 5:45-54

Identified Points of Contention

  • Scope Questions: The '297 and '864 Patents describe a "Central-Entity" providing authentication services for one or more "External-Entities" (’297 Patent, Fig. 1). The complaint accuses SECU's system of infringement for authenticating its own users for its own services. This raises the question of whether a self-contained authentication system, where a single entity acts as both the service provider and the authenticator, falls within the scope of a claimed "centralized" system designed to operate with distinct external parties.
  • Technical Questions: The complaint alleges on "information and belief" that SECU's "one-time code" meets all three negative limitations of the claimed "SecureCode": time expiration, single use, and user-specificity (Compl. ¶30, 31, 32). What evidence the complaint provides that the accused code performs each of these distinct invalidation functions as required by the claim will likely be a point of dispute, as the included screenshots do not explicitly confirm all three behaviors.

V. Key Claim Terms for Construction

The Term: "SecureCode"

  • Context and Importance: This term is the technical core of the asserted claims. The infringement analysis hinges on whether the Defendant's "one-time code" meets the full definition of "SecureCode," including the specific characteristics recited in Claim 1 of the ’297 Patent. Practitioners may focus on this term because the claim requires the code to be invalid after a time, invalid after one use, and valid only for that user.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification provides a general definition: "any dynamic, non-predictable and time dependent alphanumeric code, secret code, PIN or other code, which may be broadcast to the user" (’297 Patent, col. 2:48-52). This language could support an argument that various forms of temporary codes are covered.
    • Evidence for a Narrower Interpretation: Claim 1 of the ’297 Patent explicitly recites that the SecureCode has three distinct properties: it "is invalid after a predetermined time passes," "is invalid after one use...for authentication," and "is only valid for authenticating the user" (’297 Patent, col. 6:58-64). A party may argue that these limitations are definitional and that any accused code must be proven to have all three characteristics.

The Term: "digital identity"

  • Context and Importance: Claim 1 of the ’297 Patent requires the system to receive a "digital authentication request" which "comprises a digital identity of the user," where that identity "includes the SecureCode." The viability of the infringement theory depends on construing the combination of data submitted by the user (e.g., username and the one-time code) as meeting this "digital identity" element.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification defines the term as "a combination of user's 'SecureCode' and user's information such as 'UserName'" (’297 Patent, col. 2:53-56). This provides direct support for the plaintiff's theory that submitting a username and the code together constitutes the claimed "digital identity."
    • Evidence for a Narrower Interpretation: A party might scrutinize the specification for any language suggesting "digital identity" requires a more formal or structured data object than simply two data fields entered into a web form, although the express definition provided in the specification appears to favor the broader construction.

VI. Other Allegations

  • Willful Infringement: The complaint does not contain specific factual allegations to support a claim for willful infringement, such as pre-suit knowledge of the patents-in-suit. The prayer for relief includes a request for enhanced damages under 35 U.S.C. § 284 and a declaration that the case is exceptional under § 285, but the basis for these requests is not detailed in the body of the complaint beyond a conclusory allegation that Defendant has "no good faith defense" (Compl. ¶38; Prayer for Relief ¶C, E).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of architectural scope: can the claims of the "centralized" authentication patents (e.g., the '297 Patent), which describe a "Central-Entity" serving third-party "External-Entities," be construed to cover a self-contained system where a single entity (SECU) authenticates its own users for its own online services?
  • A key evidentiary question will be one of functional correspondence: what discovery evidence will emerge to support the plaintiff's allegations, made on "information and belief," that the accused "one-time code" meets all the specific functional limitations of the claimed "SecureCode," particularly the requirements that it becomes invalid after both a predetermined time and a single use?