DCT
2:22-cv-00214
Dynapass IP Holdings LLC v. Bbva
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Dynapass IP Holdings LLC (Delaware)
  - Defendants: PNC Financial Services Group, Inc. (Pennsylvania), PNC Bank, N.A. (Pennsylvania), BBVA USA Bancshares, Inc. (Texas), and BBVA Inc (Alabama)
  - Plaintiff’s Counsel: Williams Simons & Landis PLLC
- Case Identification: 2:22-cv-00214, E.D. Tex., 06/17/2022
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendants conduct business in the district, offer services to customers there, and maintain a regular and established place of business within the district.
- Core Dispute: Plaintiff alleges that Defendants’ online banking systems, which use two-factor authentication, infringe a patent related to user authentication via personal communication devices.
- Technical Context: The technology at issue is two-factor authentication (2FA), a security process where users provide two different authentication factors, commonly a password ("something you know") and a code sent to a mobile device ("something you have").
- Key Procedural History: The complaint was filed on June 17, 2022. Subsequently, U.S. Patent No. 6,993,658 was the subject of Inter Partes Review (IPR) proceedings IPR2023-00425 and IPR2023-01331. An IPR Certificate issued on September 25, 2024, confirmed that Claim 5—the sole claim specifically identified in the complaint’s infringement count—has been cancelled. Claims 1, 3, 4, and 6 were found patentable.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | ’658 Patent Priority Date (Filing Date) |
| 2006-01-31 | ’658 Patent Issue Date |
| 2021-06-01 | PNC Financial Services Group acquires BBVA Inc Bancshares |
| 2021-10-08 | BBVA Inc merges into PNC Financial Services Group |
| 2022-06-17 | Complaint Filing Date |
| 2023-01-06 | IPR proceeding (IPR2023-00425) filed against the ’658 Patent |
| 2023-08-16 | IPR proceeding (IPR2023-01331) filed against the ’658 Patent |
| 2024-09-25 | IPR Certificate issues, cancelling Claim 5 of the ’658 Patent |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - “Use of Personal Communication Devices for User Authentication,” issued January 31, 2006
The Invention Explained
- Problem Addressed: The patent identifies weaknesses in traditional authentication methods. User-created passwords are often simple and easily guessed, while complex, system-enforced passwords are forgotten and written down, compromising security. Existing two-factor solutions, like the SecurID hardware token, require users to carry a dedicated, single-purpose device. (’658 Patent, col. 1:12-42, 1:53-56).
- The Patented Solution: The invention proposes leveraging a device that users already possess, such as a mobile phone or pager, as the second authentication factor. An authentication server generates a temporary "token" and sends it to the user's personal device. The user then combines this token with a secret, memorized "passcode" to form a one-time password, which is used to access a secure system. (’658 Patent, Abstract; col. 4:52-58). This system architecture, depicted in Figure 1, centralizes token generation and delivery while using the existing cellular network as the transport medium. (’658 Patent, Fig. 1).
- Technical Importance: The described method sought to improve security by implementing two-factor authentication without imposing the cost and inconvenience of a separate hardware token, capitalizing on the increasing prevalence of personal mobile devices. (’658 Patent, col. 1:56-60).
Key Claims at a Glance
- The complaint asserts direct infringement of at least independent Claim 5. (Compl. ¶28).
- The essential elements of independent Claim 5 are:
  - A user authentication system comprising a computer processor, a user database, a control module, a communication module, and an authentication module.
  - The user database associates a user with a personal communication device that communicates over a cell phone network.
  - The control module creates a "new password" based on a token (not known to the user) and a passcode (known to the user).
  - The communication module transmits the token to the user's device via the cell phone network.
  - The authentication module receives "the password" from the user over a secure computer network (different from the cell phone network), activates account access, and then "deactivates the account within a predetermined amount of time."
III. The Accused Instrumentality
Product Identification
- The "systems and applications Defendants use for access and authorization to their online banking system," specifically the two-factor authentication functionality referred to as "Additional Sign On Security (part of Two-Step Verification)." (Compl. ¶¶ 22-23).
Functionality and Market Context
- The complaint alleges that Defendants’ online banking system provides an optional security feature for account access. (Compl. ¶23). A visual in the complaint describes this feature as "Additional Sign On Security (part of Two-Step Verification)," which "adds a layer of security using your enrolled mobile device every time you sign-on." (Compl. ¶23). According to a diagram provided in the complaint, the process involves the user first entering their standard User ID and password, after which the system generates and sends a "one-time passcode" via text message to the user's phone; the user then enters this code on the computer to complete the sign-on. (Compl. ¶26). This infographic illustrates the accused multi-step login process. (Compl. ¶26, Figure).
IV. Analysis of Infringement Allegations
As noted in Section I, Claim 5 has been cancelled in an Inter Partes Review proceeding that concluded after the complaint was filed. The following analysis reflects the allegations as pleaded.
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system | The accused system includes a user database that associates banking customers with their mobile phones, which communicate with the system via a cell phone network. | ¶24 | col. 12:26-31 |
| a control module executed on the computer processor configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The accused system includes a control module that creates new passwords based on a token (the access code) and a passcode known to the user. | ¶25 | col. 12:32-39 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network | The accused system includes a module to transmit the token (one-time passcode) to the user’s device via SMS/text message. A provided diagram depicts this transmission. (Compl. ¶26). | ¶26 | col. 12:40-42 |
| an authentication module configured to receive the password from the user through a secure computer network...wherein the authentication module activates access to the account...and deactivates the account within a predetermined amount of time after activating the account | The accused system includes an authentication module that receives the password, activates account access, and deactivates it after a predetermined time. | ¶27 | col. 12:43-53 |
- Identified Points of Contention:
  - Claim Validity: The primary and likely dispositive issue is the post-filing cancellation of Claim 5 by the U.S. Patent and Trademark Office, which renders the infringement allegation moot.
  - Scope Questions: Had the claim remained valid, a question would arise regarding the term "password." The claim requires the control module to "create a new password" and the authentication module to "receive the password." The complaint alleges the accused system does this (Compl. ¶¶ 25, 27), but the provided diagram shows a two-step process: (1) enter User ID and password, then (2) enter the received code. (Compl. ¶26, Figure). This raises the question of whether receiving two separate inputs (the user's static password and a one-time code) meets the limitation of receiving a single, combined "password" as described in the patent's preferred embodiment.
  - Technical Questions: The complaint alleges the system "deactivates the account within a predetermined amount of time" (Compl. ¶27), but provides no technical evidence for how this specific function is performed beyond a standard session timeout. The case may turn on whether a session expiration is technically equivalent to the "deactivation" contemplated by the patent, which the specification suggests prevents access "through any password" until a new token is requested. (’658 Patent, col. 12:12-14).
V. Key Claim Terms for Construction
The Term: "password"
- Context and Importance: The definition of "password" is critical. If construed narrowly to mean a single, concatenated string of the user's passcode and the system-generated token, the accused system's two-step entry process may not infringe. If construed more broadly to mean the complete set of authentication credentials, infringement may be easier to argue. Practitioners may focus on this term because the accused functionality appears to separate the static credential from the dynamic token.
- Intrinsic Evidence for a Broader Interpretation: The term itself is not explicitly defined, which could support an argument for applying its plain and ordinary meaning, potentially encompassing a multi-step authentication sequence.
- Intrinsic Evidence for a Narrower Interpretation: The specification repeatedly describes a process where the user or system actively forms a password by combining or concatenating the passcode and token into a single entity before submission. For example, it states "the user 108 combines the token 156 with the passcode 154 to form a password 158." (’658 Patent, col. 4:52-54).
The Term: "deactivates the account"
- Context and Importance: The meaning of this term is central to the final limitation of Claim 5. Whether a standard session timeout, common in all secure online systems, meets this limitation is a key question.
- Intrinsic Evidence for a Broader Interpretation: A party could argue that any mechanism that terminates access after a period of time, such as a session timeout, constitutes "deactivating the account" in a general sense.
- Intrinsic Evidence for a Narrower Interpretation: The claim specifies deactivation "such that said user account is not accessible through any password via the secure computer network." (’658 Patent, col. 12:12-14). This language may support a narrower construction requiring a more fundamental account state change that prevents any new login, rather than just ending an active session.
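Added illustration (not taken from the patent, the complaint, or any party's system): a minimal Python model of the narrower readings of both terms discussed above, in which the passcode and token are concatenated into a single password and deactivation leaves the account unreachable through any password until a new token is requested. The class and method names, six-digit token, concatenation order, 60-second window, plaintext passcode storage, and in-memory outbox standing in for the cell phone network are all assumptions made for the sketch.

```python
import hmac
import secrets
import time

ACTIVE_WINDOW = 60.0  # assumed "predetermined amount of time", in seconds


class AuthServer:
    """Toy model: user database, control, communication and authentication roles."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}   # user database: user -> record (plaintext passcode for brevity only)
        self.outbox = []  # (device, token) pairs; stands in for delivery over the cell network

    def enroll(self, user, passcode, device):
        self.users[user] = {"passcode": passcode, "device": device,
                            "password": None, "active_until": 0.0}

    def request_token(self, user):
        rec = self.users[user]
        token = f"{secrets.randbelow(10**6):06d}"   # unknown to the user until delivered
        rec["password"] = rec["passcode"] + token   # control role: one combined password
        rec["active_until"] = 0.0
        self.outbox.append((rec["device"], token))  # communication role

    def login(self, user, submitted):
        rec = self.users.get(user)
        if rec is None or rec["password"] is None:
            return False  # deactivated state: no password of any kind is accepted
        ok = hmac.compare_digest(rec["password"].encode(), submitted.encode())
        if ok:
            rec["active_until"] = self.clock() + ACTIVE_WINDOW  # activate access
            rec["password"] = None  # consumed; only a fresh token creates a new password
        return ok

    def has_access(self, user):
        # Access lapses on its own once the window has passed.
        return self.clock() < self.users[user]["active_until"]
```

In this model the memorized passcode alone never authenticates, and after the window closes even the previously valid password is refused, which is the behaviour that separates the narrower "deactivation" reading from a session timeout after which the same static credential would start a new session.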
VI. Other Allegations
- Indirect Infringement: The complaint does not include counts for indirect infringement, nor does it plead specific facts to support the knowledge and intent elements required for induced or contributory infringement.
- Willful Infringement: The complaint does not allege pre- or post-suit knowledge of the patent or other facts to support a claim for willful infringement. The prayer for relief includes a request for attorneys' fees under 35 U.S.C. § 285 but does not provide a factual basis for why the case should be deemed "exceptional." (Compl. ¶d, p. 8).
VII. Analyst’s Conclusion: Key Questions for the Case
Given the procedural history, the litigation as pleaded faces a significant, likely insurmountable, challenge. The key questions are:
- Viability of the Infringement Claim: The central and dispositive issue is the effect of the IPR Certificate that cancelled Claim 5 of U.S. Patent No. 6,993,658. With the sole claim specifically asserted in the complaint now invalid, can the lawsuit proceed as currently pleaded?
- Definitional Scope: Assuming the case were to proceed on other, un-pleaded claims, a core issue would be one of definitional scope: can the term "password", described in the patent as a single string formed by concatenating a passcode and token, be construed to cover the accused system’s two-step process of entering a static password and then a separate one-time code?
- Functional Equivalence: A key evidentiary question would be one of functional equivalence: does the accused system's session-timeout mechanism perform the specific function of "deactivating the account" as required by the claim, or is there a fundamental mismatch between a temporary session expiration and the more permanent account inactivation described in the patent?