DCT

2:17-cv-00277

Smart Authentication IP LLC v. Autodesk Inc

Log In
Key Events
Complaint
complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:17-cv-00277, E.D. Tex., 04/07/2017
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant conducts business in the district, has committed acts of alleged infringement in the district, and Plaintiff is located in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication system, used to secure access to its software products and services, infringes a patent related to methods for personalized, multi-factor user authentication.
  • Technical Context: The technology concerns systems for verifying a user's identity in online transactions by requiring multiple forms of proof across different communication channels, a common security measure for protecting digital accounts.
  • Key Procedural History: Post-filing, the asserted patent was the subject of an Inter Partes Review (IPR2017-02047). The proceeding resulted in the cancellation of all claims asserted in this complaint (Claims 1-10 and 12-17). This PTAB decision fundamentally affects the viability of the infringement claims as originally pleaded.

Case Timeline

Date Event
2005-06-27 ’213 Patent Priority Date
2011-12-20 ’213 Patent Issue Date
2017-04-07 Complaint Filing Date
2017-09-01 Inter Partes Review (IPR2017-02047) Filed
2020-02-27 IPR Certificate Issued Cancelling Asserted Claims

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,082,213 - "Method and System for Personalized Online Security," issued December 20, 2011

The Invention Explained

  • Problem Addressed: The patent describes a "central and continuing problem" for commercial entities and users in conducting electronic commerce: the need for reliable authentication to protect against fraud, identity theft, and other security breaches. It notes that existing password-based or even two-phase authentication schemes (like a PIN plus an ATM card) are often insufficient against determined attackers (’213 Patent, col. 1:21-54).
  • The Patented Solution: The invention proposes a centralized "Authentication Service Provider" (ASP) that acts as a trusted third party. A user can register with the ASP and create highly customized security "policies" that govern how they are authenticated for various transactions (’213 Patent, col. 2:1-10). These policies can dictate the use of "variable-factor authentication" across multiple communication channels—for instance, initiating a transaction on the internet (first medium) and receiving a one-time password via a cell phone (second medium) to complete the verification (’213 Patent, col. 3:21-25; FIG. 3). The core concept is to give users control over the complexity and context of their own authentication procedures.
  • Technical Importance: The technology represents a move toward user-configurable, dynamic, and multi-channel authentication, aiming to provide a higher level of security than static password systems by separating the authentication logic from the merchant (the "ASP client") and placing it under the user's control.

Key Claims at a Glance

  • The complaint asserts independent claims 1 and 12 (Compl. ¶19, ¶29).
  • Independent Claim 1 (System Claim): A user-authentication service comprising:
    • One or more computer systems.
    • Stored user-authentication policies specified by the user.
    • Stored user information.
    • Account interface routines allowing a user to manage policies.
    • Authentication-interface routines that, after a user initiates a transaction with an "authentication-service client," receive an authentication request from that client.
    • The routines employ "variable-factor authentication" where the user communicates with the service via a "third communications medium" different from the first or second media used for the transaction initiation.
  • Independent Claim 12 (Method Claim): A method for authenticating a user of an authentication service, comprising the steps of:
    • Receiving user-identifying information from an "authentication-service client."
    • Using that information to carry out an authentication procedure.
    • The procedure involves sending information to the user through a communications medium "different from the first communications medium" used by the client.
    • Returning an authentication result to the client.
  • The complaint also asserts dependent claims 2-5, 7-10, and 13-16 (Compl. ¶19).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Autodesk's products and services that utilize its "two-factor authentication" system, including account features accessible via its website (www.autodesk.com), mobile applications (iOS, Android), and desktop applications (Compl. ¶15-16, ¶19). Specific software products mentioned include AutoCAD, Fusion, Drive, and others (Compl. ¶19).

Functionality and Market Context

  • The complaint alleges that Autodesk’s system requires users to first enter an "Email or Username" and password via a browser or app (the first communication medium). It then requires the user to verify their identity by entering a one-time "security code" (Compl. ¶16).
  • This security code is allegedly delivered through a separate medium, such as a voice call, a text message, or an email to the user's mobile device (Compl. ¶16). The complaint describes this process as "Two Step Verification," referencing a screenshot of the setup process provided as an exhibit. The screenshot, described in the complaint, shows options for receiving a code via text message or an authenticator app (Compl. ¶29; Exs. E, F).
  • The functionality is presented as a security feature for Autodesk's commercially significant computer-aided design products and services (Compl. ¶15).

IV. Analysis of Infringement Allegations

’213 Patent Infringement Allegations (Claim 1)

Claim Element (from Independent Claim 1) Alleged Infringing Functionality Complaint Citation Patent Citation
A user-authentication service implemented as routines that execute one or more computer systems... Autodesk provides a user authentication service through its computer systems that support its products and services. ¶20 col. 8:45-49
stored user-authentication policies specified by the user; The service allows users to specify authentication policies, such as setting up methods for receiving a one-time security code. ¶17, ¶20 col. 8:51-52
authentication-interface routines that implement an authentication interface by which... the authentication-service client submits an authentication request... A user initiates a transaction with an authentication-service client, such as Autodesk's website, which then submits an authentication request to Autodesk's authentication service. The complaint describes a screenshot of the Autodesk website login page (Ex. B). ¶20 col. 8:55-62
through the first communications medium or through a second communications medium... The request is submitted over the Internet via a browser (first medium) or via a mobile or desktop application (second medium). The complaint describes screenshots of mobile and desktop applications (Exs. C, D). ¶20 col. 8:62-64
the user communicates with the user-authentication service through a third communications medium different from the first and second communications media... The user receives a security code via a separate medium, such as a phone call, SMS text message, or email. ¶20 col. 8:65-col. 9:2

’213 Patent Infringement Allegations (Claim 12)

Claim Element (from Independent Claim 12) Alleged Infringing Functionality Complaint Citation Patent Citation
A method for authenticating... a user of the authentication service to an authentication-service client that communicates with the user... through a first communications medium... Autodesk's "Two Step Verification" authenticates a user to its client (e.g., autodesk.com website), which communicates with the user via the Internet. The complaint describes screenshots of the verification process (Exs. E, F). ¶29 col. 10:15-19
receiving user-identifying information from the authentication-service client; The authentication service receives the user's Autodesk "Email or Username" from the client. ¶29 col. 10:20-21
using the user-identifying information received... to carry out an authentication procedure... by sending information to the user... through a communications medium different from the first communications medium; The service uses the username to send a security code to the user via a text message, which is a different medium from the Internet browser used initially. ¶29 col. 10:22-29
and returning a authentication result to the authentication-service client. After the procedure, the service returns an authentication result to the client (the website or application). ¶29 col. 10:30-31

Identified Points of Contention

  • Scope Questions: A central question may be whether Autodesk’s integrated account security feature constitutes the distinct "authentication-service" and "authentication-service client" architecture described in the patent. The patent's specification consistently describes an ASP as a third-party entity providing services to separate commercial clients (’213 Patent, FIG. 3; col. 2:45-51). The court may need to decide if the claims read on a vertically integrated system where the "service" and "client" are both operated by the same entity (Autodesk).
  • Technical Questions: The complaint alleges the use of first, second, and third communication media. A factual question will be whether a desktop application and a web browser accessing the same backend service over the same network (the Internet) constitute distinct "communications media" as required by claim 1, or if they are merely different user interfaces using a single medium.

V. Key Claim Terms for Construction

The Term: "variable-factor authentication"

  • Context and Importance: This term, appearing in the abstract and independent claim 1, is presented as a key feature of the invention. Its construction is critical to determining if Autodesk's standard two-factor authentication (2FA) process meets the claim requirements.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent does not provide an explicit definition in the specification. The term could be argued to broadly cover any authentication method that varies its factors, such as using a password and a one-time code. Claim 1 itself simply requires communication on a third medium as the implementation of this factor.
    • Evidence for a Narrower Interpretation: The abstract defines it as a process where "the user... provides both secret information as well as evidence of control of a tangible object" (’213 Patent, Abstract). An embodiment describes sending a password to a user's cell phone (’213 Patent, col. 3:35-40). A party could argue that merely receiving a code on a phone that could be spoofed or forwarded does not constitute "evidence of control of a tangible object," suggesting a narrower meaning that Autodesk's system may not meet.

The Term: "authentication-service client"

  • Context and Importance: This term is fundamental to the claimed architecture. Whether Autodesk's own website and applications qualify as "clients" of its own "authentication service" will be a key point of the infringement analysis. Practitioners may focus on this term because the patent's narrative appears to frame the "client" as a separate commercial entity from the "ASP" (Authentication Service Provider).
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The claims do not explicitly state that the "client" and the "service" must be operated by different commercial entities. The complaint alleges that Autodesk's website is the client and its backend system is the service (Compl. ¶20).
    • Evidence for a Narrower Interpretation: The patent's background and detailed description repeatedly distinguish between "users," "commercial entities" (as clients), and the "authentication service provider" (’213 Patent, col. 1:24-29; FIG. 3). Figure 3, for instance, depicts the ASP-client 306 and the ASP 310 as separate interacting components, which may suggest they are intended to be distinct entities.

VI. Other Allegations

  • Indirect Infringement: The complaint does not plead a separate count for indirect infringement (inducement or contributory). The sole count is for direct infringement under 35 U.S.C. § 271(a) (Compl. ¶19).
  • Willful Infringement: The complaint does not allege facts to support a claim of willful infringement, such as pre-suit knowledge of the patent or objectively reckless conduct. The prayer for relief requests damages pursuant to 35 U.S.C. § 284 but does not explicitly request enhanced damages.

VII. Analyst’s Conclusion: Key Questions for the Case

  1. Procedural Viability: The foremost question is whether this case can proceed, given that an Inter Partes Review concluded after the complaint was filed and resulted in the cancellation of every claim asserted by the Plaintiff. This post-filing development presents a dispositive challenge to the entire action.

  2. Architectural Scope: Should the case proceed, a core issue will be one of architectural interpretation: can the claims, which describe a seemingly modular architecture of an "authentication-service client" interacting with a separate "user-authentication service", be construed to read on Autodesk's vertically integrated system where both functions are part of the same entity's product offering?

  3. Technical Equivalence: A key evidentiary question will be one of functional mapping: does Autodesk’s standard two-factor authentication system, which uses a password and a temporary code, practice the specific method of "variable-factor authentication" as contemplated by the patent, particularly in light of specification language suggesting it requires "evidence of control of a tangible object"?