2:22-cv-00212
Dynapass IP Holdings LLC v. JPMorgan Chase & Co
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Dynapass IP Holdings LLC (Delaware)
  - Defendant: PNC Financial Services Group, Inc. (Pennsylvania), PNC Bank, N.A. (Pennsylvania), BBVA USA Bancshares, Inc. (Texas), and BBVA Inc (Alabama)
  - Plaintiff’s Counsel: WILLIAMS SIMONS & LANDIS PLLC
 
- Case Identification: 2:22-cv-00212, E.D. Tex., 03/20/2023
- Venue Allegations: Plaintiff alleges venue is proper because Defendants conduct substantial business in the district, maintain a regular and established place of business in Plano, Texas, and at least a portion of the alleged infringements occurred in the district.
- Core Dispute: Plaintiff alleges that Defendants’ online banking systems, which use two-factor authentication, infringe a patent related to user authentication via personal communication devices.
- Technical Context: The technology at issue is two-factor authentication (2FA), a security process where users provide two different authentication factors to verify themselves, commonly used to secure online accounts.
- Key Procedural History: The complaint is a First Amended Complaint. Plaintiff notes that Defendant PNC Financial Services Group, Inc. acquired Defendant BBVA USA Bancshares, Inc. on June 1, 2021. An Inter Partes Review (IPR) certificate, issued after the complaint was filed, indicates that Claim 5 of the asserted patent—the only claim for which specific infringement allegations are made—has been cancelled.
Case Timeline
| Date | Event | 
|---|---|
| 2000-03-06 | ’658 Patent Priority Date | 
| 2006-01-31 | ’658 Patent Issue Date | 
| 2021-06-01 | PNC acquires BBVA USA Bancshares, Inc. | 
| 2021-10-08 | BBVA Inc merges into PNC Bank, N.A. | 
| 2023-03-20 | Complaint Filing Date | 
| 2024-09-25 | IPR Certificate issues cancelling Claim 5 of the ’658 Patent | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - Use of Personal Communication Devices for User Authentication, issued January 31, 2006
The Invention Explained
- Problem Addressed: The patent describes the security weaknesses of traditional authentication systems that rely solely on a user ID and password. Such systems are vulnerable because users often choose easily guessed passwords or write down complex ones, compromising security (’658 Patent, col. 1:29-42).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a device most users already carry, such as a mobile phone or pager. A server generates a temporary, one-time "token" and sends it to the user's personal device. The user then combines this token with a secret, memorized "passcode" to form a valid password for accessing a secure system (’658 Patent, Abstract; col. 3:52-62). This method aims to enhance security by requiring both something the user knows (the passcode) and something the user possesses (the personal device receiving the token).
- Technical Importance: The approach sought to improve user convenience and adoption of two-factor authentication by eliminating the need for a dedicated, single-purpose hardware token, such as the RSA SecurID card, which was a common solution at the time (’658 Patent, col. 1:43-59).
- Analogy: The system functions like a two-key safe deposit box at a bank. The user holds one key (the secret passcode), and the bank provides the second key (the temporary token) only when the user properly identifies themselves. Both keys are required to open the box (access the secure system).
Key Claims at a Glance
- The complaint asserts independent claim 5 of the ’658 Patent (Compl. ¶¶28, 35).
- The essential elements of independent claim 5 are:
  - A user authentication system comprising a computer processor.
  - A user database that associates a user with their personal communication device, which communicates with the system over a cell phone network.
  - A control module that creates a new password based on a token (unknown to the user) and a passcode (known to the user) and sets this new password for the user.
  - A communication module that transmits the token to the user's device via the cell phone network.
  - An authentication module that receives the password from the user over a secure computer network (different from the cell phone network), activates account access in response to the password, and deactivates the account after a predetermined time.
 
III. The Accused Instrumentality
Product Identification
The systems and applications used by PNC and the formerly separate BBVA for customer access and authorization to their online banking platforms (the "PNC Accused Instrumentalities" and "BBVA Accused Instrumentalities") (Compl. ¶¶22, 29).
Functionality and Market Context
The complaint alleges that Defendants' online banking platforms offer an optional "Additional Sign On Security" feature, described as a form of "Two-Step Verification" (Compl. ¶23). This feature is presented as an "Added Layer of Security" for customer accounts (Compl. ¶23). A visual in the complaint depicts this as a three-step process: (1) the user enters their standard online banking credentials, (2) the system generates and sends a one-time passcode to the user's phone via text, and (3) the user enters that code to complete the sign-on (Compl. ¶26).
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a user authentication system comprising: a computer processor; a user database configured to associate a user with a personal communication device... said personal communication device configured to communicate over a cell phone network... | The accused systems include a computer processor and a user database associating banking customers with their mobile phones, which communicate via a cell phone network. | ¶24 | col. 11:5-24 | 
| a control module... configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The accused systems allegedly include a control module that creates new passwords based on a token (the one-time access code sent to the user) and a passcode (the user's standard password). | ¶25 | col. 12:25-36 | 
| a communication module configured to transmit the token to the personal communication device through the cell phone network; | The accused systems include a communication module that transmits the token (access code) to the user's mobile phone via SMS text message. A visual in the complaint shows a phone receiving a one-time passcode via text. | ¶26 | col. 12:37-40 | 
| an authentication module configured to receive the password from the user through a secure computer network, said secure computer network being different from the cell phone network... | The accused systems allegedly include an authentication module that receives the user's password through the secure online banking system, which is distinct from the cell phone network used for token delivery. | ¶27 | col. 12:41-48 | 
| ...wherein the authentication module activates access to the account in response to the password and deactivates the account within a predetermined amount of time after activating the account... | The authentication module allegedly activates account access upon receipt of the password and deactivates the account after a predetermined time, rendering it inaccessible. | ¶27 | col. 12:48-55 | 
Identified Points of Contention
- Technical Questions: A primary question is whether the accused system creates a "new password" by combining a passcode and token, as recited in the claim. The complaint alleges this occurs (Compl. ¶25), but the provided visual evidence suggests a sequential, two-step verification process: authenticating a static password first, then authenticating a separately entered one-time code (Compl. ¶26). This raises the question of whether there is a technical mismatch between the claimed creation of a single, new, combined password and the accused system's apparent operation.
- Scope Questions: The complaint alleges that the system "deactivates the account within a predetermined amount of time" (Compl. ¶27). A point of contention may be whether a standard session timeout, common in online banking, meets this limitation, or if the claim requires a more formal deactivation of the user's credentials in the system database, as described in the patent's specification (’658 Patent, col. 9:59-62). The complaint does not provide specific factual support for the latter interpretation.
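The two flows contrasted above, as an added sketch that is not taken from the patent, the complaint or any bank's system: one password built from passcode plus token with a database-level deactivation, beside a sequential check of a static password and then a one-time code. All class, function and constant names, the concatenation order, the 300-second window and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, secrets
WINDOW = 300  # constructed stand-in for the "predetermined amount of time" (seconds)

def digest(s):  # bare SHA-256 keeps the model short; it is not a password KDF
    return hashlib.sha256(s.encode()).digest()

def new_code():
    return f"{secrets.randbelow(10**6):06d}"

class CombinedPasswordModel:
    """Token and passcode form one new password; expiry changes the database record."""
    def __init__(self):
        self.db, self.sms = {}, []   # user database; sms stands in for the cell network
    def enroll(self, uid, passcode, phone):
        # Passcode kept in the clear only so this model can derive the new password.
        self.db[uid] = dict(passcode=passcode, phone=phone, pw=None, active=False, off_at=None)
    def request_token(self, uid):
        rec, token = self.db[uid], new_code()
        rec["pw"] = digest(rec["passcode"] + token)   # concatenation order is an assumption
        self.sms.append((rec["phone"], token))        # token leaves on the second channel
    def login(self, uid, password, now):
        self.has_access(uid, now)                     # apply any due deactivation first
        rec = self.db[uid]
        if rec["pw"] is None or not hmac.compare_digest(rec["pw"], digest(password)):
            return False
        rec["active"], rec["off_at"] = True, now + WINDOW
        return True
    def has_access(self, uid, now):
        rec = self.db[uid]
        if rec["active"] and now >= rec["off_at"]:
            rec["active"], rec["pw"] = False, None    # no password works until a new token
        return rec["active"]

class SequentialModel:
    """Static password checked first, then a separately entered one-time code."""
    def __init__(self):
        self.db, self.sms, self.pending = {}, [], {}
    def enroll(self, uid, password, phone):
        self.db[uid] = dict(pw=digest(password), phone=phone)
    def step1(self, uid, password):
        rec = self.db[uid]
        if not hmac.compare_digest(rec["pw"], digest(password)):
            return False
        self.pending[uid] = new_code()
        self.sms.append((rec["phone"], self.pending[uid]))
        return True
    def step2(self, uid, code):
        expected = self.pending.pop(uid, None)        # single use
        return expected is not None and hmac.compare_digest(expected, code)
```

In the first model the server never compares the token on its own, and after the window the stored record itself changes; in the second, two values are checked one after the other and nothing in the user record is altered when a session ends.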
V. Key Claim Terms for Construction
The Term: "password"
Context and Importance
The construction of "password" is critical. Claim 5 requires the control module to "create a new password" from the token and passcode, and the authentication module to "receive the password from the user." The infringement analysis hinges on whether "the password" must be a single, combined data string submitted by the user, or if it can be construed more broadly to cover the separate, sequential submission of the user's static password and the one-time token.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The specification discloses an alternative embodiment where "the passcode 154 and the token 156 are submitted separately" (’658 Patent, col. 3:60-62). This disclosure, illustrated in Figure 2B, may support an argument that "receiving the password" does not strictly require receiving a pre-combined string.
- Evidence for a Narrower Interpretation: The patent’s abstract and preferred embodiment describe the user combining the passcode and token to "form a valid password" (’658 Patent, Abstract; col. 3:52-57). The claim language itself, which recites creating "a new password" and then receiving "the password," suggests an antecedent relationship where the received item is the single, newly created entity.
The Term: "deactivates the account"
Context and Importance
This term's meaning will determine what level of proof is required to show infringement of the final limitation. Practitioners may focus on this term because the plaintiff must show that the accused system does more than simply end a user session.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: A party could argue the term encompasses any action that terminates access, including a standard, time-based session logout, which is a common and inherent feature of secure online systems.
- Evidence for a Narrower Interpretation: The specification describes a process where, upon token expiration, "the control module 402 deactivates the user account in the user database 114" (’658 Patent, col. 9:59-62). This implies a specific change to the account's status in a database, which must be affirmatively reactivated, rather than just a transient session termination. The complaint appears to adopt this narrower view by alleging the account becomes "not accessible through any password" (Compl. ¶27).
VI. Other Allegations
The complaint does not contain counts for indirect or willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
Key Questions for the Case
- Case Viability Post-IPR: The most significant issue is the cancellation of Claim 5, the sole claim asserted in the complaint, by the U.S. Patent and Trademark Office in an IPR proceeding. A central question is purely procedural: how, or if, the case can proceed given that its entire asserted legal basis has been invalidated after the complaint was filed.
- Claim Scope vs. Accused Functionality: Should the case proceed on other claims, a core issue will be one of infringement mismatch. Does the accused two-step verification process, which appears to validate two separate factors sequentially, meet the claim limitation of "creat[ing] a new password" from a token and passcode that is then submitted by the user?
- Evidentiary Sufficiency: A key evidentiary question will be one of functional proof. Can the plaintiff provide evidence that the accused system "deactivates the account" in the specific manner suggested by the patent specification—by altering the account status in a database—or will the court find that a standard session timeout is sufficient to meet this limitation?