DCT

2:22-cv-00211

Dynapass IP Holdings LLC v. BOKF National Association

Log In
Key Events
Complaint

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:22-cv-00211, E.D. Tex., 06/17/2022
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant maintains a regular and established place of business in the district, conducts substantial business there, and derives revenue from services provided to individuals in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s online banking two-factor authentication system infringes a patent related to using personal communication devices for user authentication.
  • Technical Context: The technology concerns two-factor authentication, where a user’s identity is verified using a combination of something they know (a password or passcode) and something they have (a personal device, like a mobile phone, that receives a temporary code).
  • Key Procedural History: Post-filing, the asserted patent was subject to Inter Partes Review (IPR) proceedings (IPR2023-00425, IPR2023-01331). A resulting IPR Certificate, issued September 25, 2024, cancelled Claim 5, the only claim specifically identified and analyzed in the complaint. The certificate found claims 1, 3, 4, and 6 patentable. This development fundamentally impacts the viability of the complaint as currently pleaded.

Case Timeline

Date Event
2000-03-06 Priority Date for U.S. Patent No. 6,993,658
2006-01-31 U.S. Patent No. 6,993,658 Issues
2022-06-17 Complaint Filed
2024-09-25 IPR Certificate issues, cancelling Claim 5 of '658 Patent

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,993,658 - Use of Personal Communication Devices for User Authentication, issued January 31, 2006

The Invention Explained

  • Problem Addressed: The patent describes the security risks and user inconvenience associated with traditional password systems, particularly the tendency for users to write down complex, hard-to-remember passwords, which compromises security (ʼ658 Patent, col. 1:21-42).
  • The Patented Solution: The invention proposes a two-factor authentication system that leverages a device users already carry, such as a mobile phone or pager. A server generates a temporary, one-time "token" and sends it to the user's personal device. The user then combines this token with a secret, memorized "passcode" to form a valid password for accessing a secure system (ʼ658 Patent, Abstract; col. 4:52-57). This architecture, depicted in Figure 1, aims to enhance security by requiring physical possession of the communication device to complete the login process (ʼ658 Patent, Fig. 1).
  • Technical Importance: This approach sought to provide the security benefits of two-factor authentication, similar to dedicated hardware tokens like the SecurID card, without requiring users to carry an additional, single-purpose device (ʼ658 Patent, col. 1:43-59).

Key Claims at a Glance

  • The complaint specifically asserts independent system claim 5 (Compl. ¶25). As noted, Claim 5 was subsequently cancelled in an IPR proceeding.
  • The essential elements of asserted Claim 5 include:
    • a user database configured to associate a user with a personal communication device;
    • a control module to create a new password based on a token (unknown to the user) and a passcode (known to the user);
    • a communication module to transmit the token to the personal device over a cell phone network; and
    • an authentication module to receive the password from the user over a separate, secure computer network and grant/deny access.
  • The complaint asserts infringement of "at least Claim 5," potentially reserving the right to assert other claims (Compl. ¶25).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are the "systems and applications Defendant uses for access and authorization to their online banking system" (Compl. ¶19).

Functionality and Market Context

  • The complaint alleges these systems provide two-factor authentication for Defendant's online and mobile banking customers (Compl. ¶20). According to a screenshot of Defendant's "Account Security" FAQ page provided in the complaint, the system sends a "verification code via SMS text" to a user's phone on file if "unusual or abnormal patterns" are detected during login. This code, "coupled with your password," is required for account access to provide an "extra layer of protection" (Compl. p. 6). The complaint alleges this functionality is part of the sign-on procedure for Defendant's online banking system (Compl. ¶20). The complaint's reproduction of the patent's Figure 1 is used to illustrate the general process of two-factor authentication (Compl. p. 4).

IV. Analysis of Infringement Allegations

'658 Patent Infringement Allegations

Claim Element (from Independent Claim 5) Alleged Infringing Functionality Complaint Citation Patent Citation
a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system; The Accused Instrumentalities allegedly include a computer processor and user database that associates banking customers with their mobile phones, which communicate with the system via a cell phone network. ¶21 col. 12:26-33
a control module executed on the computer processor configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user, the control module further configured to set a password associated with the user to be the new password; The Accused Instrumentalities allegedly include a control module that creates new passwords based on a "token" (the access code sent to the user) and a "passcode" (known to the user). ¶22 col. 12:34-42
a communication module configured to transmit the token to the personal communication device through the cell phone network; and The Accused Instrumentalities allegedly include a communication module for transmitting the token (the verification code) to the user's mobile device via the cell phone network, using SMS text messaging. ¶23 col. 12:43-46
an authentication module configured to receive the password from the user through a secure computer network, said secure computer network being different from the cell phone network...wherein the authentication module activates access to the account...and deactivates the account within a predetermined amount of time after activating the account... The Accused Instrumentalities allegedly include an authentication module that receives the user's password through the secure online banking system (which is different from the cell phone network) and activates access to the user's account for a limited time. ¶24 col. 12:47-60
  • Identified Points of Contention:
    • Legal Question: The primary issue is the legal status of the complaint itself. With Claim 5—the only claim specifically alleged to be infringed—having been cancelled post-filing, the complaint may no longer state a viable claim for relief without amendment.
    • Technical Question: Assuming Plaintiff amends to assert a surviving claim, a key technical question is whether the accused system "create[s] a new password based at least upon a token and a passcode." The complaint alleges the SMS verification code is the "token" and the user's normal password is the "passcode" (Compl. ¶22). The court may need to determine if verifying two separate factors (password and code) is the same as creating and receiving a single "new password" that is a combination of both, as described in the patent's preferred embodiment (ʼ658 Patent, col. 4:52-57).
    • Scope Question: Does the term "passcode" as used in the patent, which is described as a secret memorized by the user specifically for this system, read on a user's general-purpose login password for an online banking account?

V. Key Claim Terms for Construction

  • The Term: "a new password based at least upon the token and a passcode"

  • Context and Importance: This term is central to the infringement theory. Its construction will determine whether the accused system, which appears to verify a standard password and a separate SMS code, falls within the claim scope. The dispute may turn on whether "based upon" requires a specific combination (e.g., concatenation) to form a single new data string, or if it can cover a logical association where two separate inputs are required for authentication.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The claim language "based at least upon" does not explicitly require concatenation or any other specific method of combination, which could support an argument that any system where the token and passcode are both necessary for authentication meets the limitation.
    • Evidence for a Narrower Interpretation: The specification's preferred embodiment describes combining the token and passcode "to form a password," for example, by concatenating "a valid, memorized passcode of 'abcd' with a valid token of '1234' to form a valid password of 'abcd1234'" (ʼ658 Patent, col. 4:52-57). This specific example may be used to argue for a narrower construction requiring the creation of a single, new password string.

  • The Term: "passcode"

  • Context and Importance: Practitioners may focus on this term because the complaint equates it with the user's existing banking password. The distinction between a general-purpose password and a dedicated "passcode" for the authentication system could be a key non-infringement argument.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The patent states the passcode is "preferably secret and only known to the user" and that the user "preferably commits to memory the user ID 152 and passcode 154" (ʼ658 Patent, col. 4:38-41). This functional description could be argued to encompass any secret password known to the user.
    • Evidence for a Narrower Interpretation: The patent consistently distinguishes between "password" (the final combined credential) and "passcode" (one of the two components, along with the token). An embodiment describes the user combining the "token 156 with the passcode 154 to form a password 158" (ʼ658 Patent, col. 4:52-54). This suggests "passcode" is a component part of the final "password," not the password itself.

VI. Other Allegations

  • Indirect Infringement: The complaint does not contain specific allegations of indirect infringement (e.g., inducement or contributory infringement).
  • Willful Infringement: The complaint does not plead facts sufficient to support a claim for willful infringement.

VII. Analyst’s Conclusion: Key Questions for the Case

  1. A dispositive procedural question is one of case viability: given the post-filing IPR cancellation of Claim 5, the sole claim identified in the complaint, can Plaintiff's action proceed without an amendment to substitute a surviving, patentable claim?
  2. A core issue will be one of functional operation: does Defendant's two-factor authentication system, which verifies a user's password and a separately-delivered SMS code, perform the claimed function of "creat[ing] a new password based at least upon the token and a passcode," or does this represent a fundamentally different technical approach to authentication?
  3. A central claim construction question will be one of definitional scope: can the term "passcode," which the patent describes as a secret component combined with a token, be construed to read on a pre-existing, general-purpose account password that is submitted alongside a verification code?