DCT
2:22-cv-00216
Dynapass IP Holdings LLC v. Truist Bank
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: Truist Financial Corporation and Truist Bank (North Carolina)
- Plaintiff’s Counsel: Williams Simons & Landis PLLC
- Case Identification: 2:22-cv-00216, E.D. Tex., 06/17/2022
- Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendants maintain a regular and established place of business in the district and conduct substantial business with customers in Texas.
- Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication system for its online banking services infringes a patent related to using personal communication devices for user authentication.
- Technical Context: The technology at issue is two-factor authentication (2FA), which adds a second layer of security to online accounts by requiring a user to provide a time-sensitive code, typically sent to their mobile device, in addition to a password.
- Key Procedural History: The complaint, filed in June 2022, asserts a single patent and infringement of its Claim 5. However, a subsequent Inter Partes Review (IPR) proceeding, concluded in September 2024, resulted in the cancellation of Claim 5. While other claims of the patent survived the IPR, the cancellation of the sole asserted claim fundamentally affects the viability of the complaint as filed.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | U.S. Patent No. 6,993,658 Priority Date |
| 2006-01-31 | U.S. Patent No. 6,993,658 Issue Date |
| 2022-06-17 | Complaint Filing Date |
| 2024-09-25 | IPR Certificate Issued Cancelling Claim 5 |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
- Patent Identification: U.S. Patent No. 6,993,658, issued January 31, 2006.
The Invention Explained
- Problem Addressed: The patent identifies the security risks of traditional password systems, where users either choose easily guessed passwords or write down complex ones, compromising security (Compl. ¶13; ’658 Patent, col. 1:31-41). It also notes the inconvenience of prior two-factor authentication systems that required users to carry a separate, dedicated hardware token (Compl. ¶18; ’658 Patent, col. 1:42-59).
- The Patented Solution: The invention proposes using a device that users already carry, such as a mobile phone or pager, as the second authentication factor (’658 Patent, col. 1:56-59). An authentication server generates a temporary "token" and sends it to the user's personal device. The user then combines this token with a secret, memorized "passcode" to form a valid, one-time-use password to access a secure system, as depicted in the patent's Figure 1 (Compl. ¶14; ’658 Patent, col. 4:52-57).
- Technical Importance: The described method sought to improve both the security and convenience of user authentication by leveraging ubiquitous personal devices instead of requiring specialized hardware (’658 Patent, col. 1:56-59).
Key Claims at a Glance
- The complaint asserts independent claim 5 (’658 Patent, col. 12:20-53).
- The essential elements of Claim 5 include:
- A user authentication system with a computer processor and a user database that associates a user with their personal communication device (e.g., mobile phone).
- A "control module" that creates a "new password" based on a "token" (unknown to the user) and a "passcode" (known to the user).
- A "communication module" that transmits the token to the user's personal device over a cell phone network.
- An "authentication module" that receives the password from the user over a separate, secure computer network.
- The authentication module activates access to the user's account and then deactivates access after a predetermined time, such that the account is "not accessible through any password via the secure computer network."
III. The Accused Instrumentality
Product Identification
- The "Accused Instrumentalities" are the systems and applications that provide two-factor authentication for Truist's online banking system (Compl. ¶20-21).
Functionality and Market Context
- The complaint alleges that when a Truist customer signs on, the accused system employs a "two-step sign-in process" (Compl. ¶21). This process involves asking the user to verify their identity by "entering a one-time code you receive through text or email" (Compl. ¶21, p. 6). The complaint includes a screenshot from the Defendant's website describing its "multi-factor authentication" service (Compl. ¶21, p. 6). The complaint does not provide further detail on the product's market positioning.
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user... | The accused system includes a user database associating banking customers with their mobile phones, which communicate via a cell phone network. | ¶22 | col. 5:15-21 |
| a control module... configured to create a new password based at least upon a token and a passcode... | The accused system has a control module that creates a new password based on a token (the "access code" sent to the user) and a passcode. | ¶23 | col. 6:59-63 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network... | The system includes a communication module that transmits the token to the user's device via SMS/text message. The complaint provides a screenshot describing receipt of a "one-time code you receive through text or email" (p. 7). | ¶24 | col. 5:32-40 |
| an authentication module configured to receive the password from the user through a secure computer network... | The system has an authentication module (the online banking system) that receives the user's password through a secure network different from the cell phone network. | ¶25 | col. 5:1-15 |
| wherein the authentication module activates access to the account... and deactivates the account within a predetermined amount of time... such that said account is not accessible through any password... | The authentication module allegedly activates access and then deactivates the account after a set time, rendering it inaccessible. | ¶25 | col. 7:51-53 |
- Identified Points of Contention:
- Scope Questions: The complaint alleges the accused system creates a "new password based at least upon a token and a passcode" (Compl. ¶23). A central question is whether the accused system's process—where a user typically enters a standing password and a separate one-time code—meets this limitation, which the patent specification exemplifies as a single, concatenated string (e.g., "abcd1234") (’658 Patent, col. 4:52-57).
- Technical Questions: Claim 5 requires that the system "deactivates the account... such that said user account is not accessible through any password" (Compl. ¶25). This raises the evidentiary question of whether the accused system performs this specific function. It is unclear if the system merely invalidates the one-time code for that session or renders the entire user account inaccessible for a period, as the claim language may require.
V. Key Claim Terms for Construction
The Term: "a new password based at least upon a token and a passcode"
Context and Importance: The construction of this term is fundamental to the infringement analysis. Practitioners may focus on this term because the accused instrumentality appears to use a one-time code as a second, separate factor, whereas the patent's primary embodiment describes combining the passcode and token into a single password string for submission.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The phrase "based at least upon" could be argued to encompass more than simple concatenation, potentially covering any authentication scheme that logically depends on both a passcode and a token for a successful login.
- Evidence for a Narrower Interpretation: The specification's most detailed example describes forming the password "abcd1234" by combining a passcode "abcd" and a token "1234" (’658 Patent, col. 4:52-57). The abstract also describes creating a password by "concatenating a secret passcode... with the token." This may support a narrower construction limited to creating a single, combined data string.
The Term: "deactivates the account... such that said user account is not accessible through any password"
Context and Importance: This limitation describes a specific functional outcome that may not be present in all 2FA systems. The infringement determination will depend on whether the accused system performs this precise deactivation function.
Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: A party could argue this refers to the deactivation of the specific login credential (the combined password) after its one-time use, effectively making the account inaccessible via that specific password, without requiring a total account lockout.
- Evidence for a Narrower Interpretation: The plain language suggests a more stringent condition: the entire account becomes inaccessible for a period. The patent links this deactivation to the expiration of the token, stating that upon expiration, the control module "deactivates the user account in the user database" (’658 Patent, col. 7:51-53), which could imply a temporary lock on the account itself.
VI. Other Allegations
- Indirect Infringement: The complaint alleges only "Direct Infringement" and does not plead facts to support claims for induced or contributory infringement (Compl. ¶9).
- Willful Infringement: The complaint does not contain a specific count for willful infringement or allege facts regarding pre- or post-suit knowledge of the patent by the Defendants. The prayer for relief includes a request for a declaration of an exceptional case under 35 U.S.C. § 285, but does not explicitly request enhanced damages for willfulness under § 284 (Compl. p. 9).
VII. Analyst’s Conclusion: Key Questions for the Case
- A threshold issue is the viability of the litigation itself. The complaint’s sole asserted claim, Claim 5, was cancelled in an Inter Partes Review after the case was filed. The primary question is whether Plaintiff will be permitted to amend its complaint to assert one of the surviving patent claims and, if so, whether its infringement theory remains viable under the language of those different claims.
- Assuming the case proceeds, a central question will be one of definitional scope: can the claim term "new password based at least upon a token and a passcode," which the patent describes as a concatenated string, be construed to read on the accused system where a user enters a permanent password and a separate one-time code?
- Finally, if a surviving claim with similar language is asserted, a key evidentiary question will be one of functional operation: does the accused system's deactivation of a one-time code meet the potentially stringent requirement that the system "deactivates the account... such that said user account is not accessible through any password," or is there a mismatch in the technical function performed?