DCT
2:22-cv-00212
Dynapass IP Holdings LLC v. JPMorgan Chase & Co
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: JPMorgan Chase & Co. (Delaware), JPMorgan Chase Bank, National Association (National Association), and Chase Bank USA National Association (National Association)
- Plaintiff’s Counsel: WILLIAMS SIMONS & LANDIS PLLC
- Case Identification: 2:22-cv-00212, E.D. Tex., 06/17/2022
- Venue Allegations: Plaintiff alleges venue is proper because Defendants maintain a regular and established place of business in the district and conduct substantial and persistent business in Texas.
- Core Dispute: Plaintiff alleges that Defendants' online and mobile banking two-factor authentication systems infringe a patent related to using personal communication devices for user authentication.
- Technical Context: The technology at issue is two-factor authentication (2FA), a security process where users provide two different authentication factors to verify themselves, commonly used to secure online financial transactions.
- Key Procedural History: The complaint asserts infringement of U.S. Patent No. 6,993,658. Subsequent to the filing of the complaint, this patent was the subject of Inter Partes Review (IPR) proceedings (IPR2023-00425, IPR2023-01331). According to the IPR Certificate issued September 25, 2024, Claim 5—the sole claim asserted in the complaint—was cancelled. Claims 1, 3, 4, and 6 were found patentable.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | ’658 Patent Priority Date |
| 2006-01-31 | ’658 Patent Issue Date |
| 2022-06-17 | Complaint Filing Date |
| 2023-01-06 | IPR proceeding (IPR2023-00425) filed against ’658 Patent |
| 2023-08-16 | IPR proceeding (IPR2023-01331) filed against ’658 Patent |
| 2024-09-25 | IPR Certificate issues, cancelling Claim 5 of the ’658 Patent |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - Use of Personal Communication Devices for User Authentication, issued January 31, 2006
The Invention Explained
- Problem Addressed: The patent describes the security deficiencies of traditional username and password systems, such as users choosing easily guessed passwords or writing down complex ones, thereby compromising security. It also notes that existing two-factor authentication systems required users to carry a dedicated, single-purpose hardware token, which was inconvenient. (Compl. ¶14; ’658 Patent, col. 1:13-59).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a device most users already possess: a personal communication device like a mobile phone. A central server generates a temporary, one-time "token" and transmits it (e.g., via SMS text message) to the user's phone. The user then combines this received token with a pre-memorized "passcode" to form a complete, valid password to access a secure system. ('658 Patent, Abstract; col. 2:1-16, Fig. 1). This method aims to provide the security of two-factor authentication without the need for a separate hardware device.
- Technical Importance: This approach sought to make two-factor authentication more convenient and accessible by integrating it with ubiquitous personal devices rather than requiring specialized hardware. ('658 Patent, col. 1:55-59).
Key Claims at a Glance
- The complaint asserts direct infringement of independent Claim 5. (Compl. ¶27). The prayer for relief seeks judgment on "one or more claims." (Compl. p. 8, ¶a).
- The essential elements of asserted independent Claim 5 include:
- A user authentication system comprising a computer processor.
- A user database to associate a user with a personal communication device (e.g., a mobile phone) that communicates over a cell phone network.
- A control module that creates a new password based on a token (not known to the user) and a passcode (known to the user), and sets this new password for the user's account.
- A communication module to transmit the token to the user's personal communication device via the cell phone network.
- An authentication module that receives the password from the user over a secure computer network (different from the cell phone network), activates account access upon receipt, and deactivates access after a predetermined time.
III. The Accused Instrumentality
Product Identification
The complaint identifies the "Accused Instrumentalities" as the systems and applications Defendants use for access and authorization to their online banking system, including the sign-on procedure for chase.com and the Chase Mobile® app. (Compl. ¶21-22).
Functionality and Market Context
- The accused functionality is a two-factor authentication system used to protect customer accounts. (Compl. ¶22).
- When a user signs in from an unrecognized device, the system requires the user's standard username and password, as well as a "temporary identification code." (Compl. ¶22).
- This code is sent to the user via phone, email, or text message. The user must then enter this code to complete the sign-in process. (Compl. ¶22, ¶25).
- A screenshot from the Chase website, titled "How we protect you," describes this multi-step authentication process for unrecognized devices. (Compl. ¶22).
- The system serves as a critical security feature for the online and mobile banking platforms of a major U.S. financial institution.
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network... | The accused system includes a user database associating banking customers with their personal communication devices (e.g., mobile phones) which communicate via a cell phone network. | ¶23 | col. 2:32-36 |
| a control module...configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The accused system includes a control module that allegedly "creates new passwords based at least upon a token and a passcode." The complaint equates the "access code" with the claimed "token." | ¶24 | col. 2:3-5 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network; | The accused system includes a communication module that transmits the temporary identification code (the alleged "token") to the user's device via SMS over a cell phone network. | ¶25 | col. 4:15-18 |
| an authentication module configured to receive the password from the user through a secure computer network, said secure computer network being different from the cell phone network... | The accused system includes an authentication module that receives the user's password through a secure computer network (the online banking system), which is distinct from the cell phone network used to transmit the code. | ¶26 | col. 3:23-26 |
| ...wherein the authentication module...deactivates the account within a predetermined amount of time after activating the account... | The complaint alleges the authentication module deactivates the user's account after a predetermined time, rendering it inaccessible. | ¶26 | col. 12:12-18 |
Identified Points of Contention
- Scope Questions: The complaint alleges the accused system "creates new passwords based at least upon a token and a passcode." (Compl. ¶24). A central question may be whether the accused system's handling of a static password and a separate one-time code meets the claim limitation of "creat[ing] a new password." The patent specification describes a specific process of concatenating the passcode and token to form a single new password string ('658 Patent, col. 4:52-57), which may or may not reflect the actual operation of the accused system.
- Technical Questions: It is a question of fact whether the accused Chase system performs the specific function of generating a new password by combining a "passcode" and a "token" on its server, as claimed. The complaint's allegation is conclusory. (Compl. ¶24). An alternative and common implementation in the industry is for a server to verify the static password and the one-time code as two separate, independent factors, which may raise a question of non-infringement.
V. Key Claim Terms for Construction
- The Term: "create a new password based at least upon a token and a passcode"
- Context and Importance: This term is critical to the infringement analysis. The theory of infringement hinges on whether the accused system's server-side operations can be characterized as "creating a new password" from the two components. Practitioners may focus on this term because the specific method of combining authentication factors is a key technical detail distinguishing different 2FA architectures.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The parties could argue that "create a new password based upon" should be interpreted functionally to mean the logical combination of the two factors to grant access for a single session, without being limited to a specific data-handling method like concatenation.
- Evidence for a Narrower Interpretation: The specification provides a specific, narrow example: "the user 108 combines the token 156 with the passcode 154 to form a password 158. For example, the user...can combine a valid, memorized passcode of 'abcd' with a valid token of '1234' to form a valid password of 'abcd1234'." ('658 Patent, col. 4:52-57). This explicit teaching of concatenation could be used to argue for a narrower construction of the term.
VI. Other Allegations
The complaint does not provide sufficient detail for analysis of indirect or willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- Case Viability: The most significant issue is procedural: given that the sole asserted claim (Claim 5) was cancelled in an Inter Partes Review after the complaint was filed, a primary question is whether the lawsuit can proceed. The plaintiff would likely be required to seek leave to amend its complaint to assert one of the surviving patentable claims, which would effectively restart the infringement analysis.
- Technical Equivalence: Should the case proceed on a surviving claim with similar language, a central evidentiary question will be one of operational mechanics: does the accused Chase authentication system perform the specific step of "creat[ing] a new password" by concatenating a passcode and a token, as detailed in the patent? Or does it verify the static password and the temporary code as separate factors, suggesting a fundamental mismatch in the accused technical operation versus the claimed invention?
- Definitional Scope: A core legal issue will be the construction of "password": can the term be defined broadly as the collection of credentials required for an authentication event, or is its meaning constrained by the patent's explicit description to a single data string formed by concatenating the passcode and token?