DCT
2:22-cv-00217
Dynapass IP Holdings LLC v. Wells Fargo
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: Wells Fargo & Company and Wells Fargo Bank, N.A. (Delaware)
- Plaintiff’s Counsel: Williams Simons & Landis PLLC
- Case Identification: 2:22-cv-00217, E.D. Tex., 06/17/2022
- Venue Allegations: Venue is based on allegations that Defendants conduct substantial business in the district and maintain a regular and established place of business in Plano, Texas.
- Core Dispute: Plaintiff alleges that Defendant’s two-factor authentication system for online banking infringes a patent related to using personal communication devices for user authentication.
- Technical Context: The technology concerns two-factor authentication (2FA), which adds a second layer of security for accessing digital accounts and is a widely adopted practice in the financial services industry and beyond.
- Key Procedural History: The complaint was filed in June 2022 asserting a single patent. Subsequently, inter partes review (IPR) proceedings were initiated against the patent-in-suit. An IPR certificate issued in September 2024 indicates that the sole claim asserted in this complaint, Claim 5, was cancelled. This post-filing development fundamentally affects the viability of the complaint as pled.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | '658 Patent Priority Date |
| 2006-01-31 | '658 Patent Issue Date |
| 2022-06-17 | Complaint Filing Date |
| 2023-01-06 | IPR Proceeding (IPR2023-00425) Filed Against '658 Patent |
| 2023-08-16 | IPR Proceeding (IPR2023-01331) Filed Against '658 Patent |
| 2024-09-25 | IPR Certificate Issued Cancelling Claim 5 of '658 Patent |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
- Issued: January 31, 2006
The Invention Explained
- Problem Addressed: The patent identifies the insecurity of traditional user-created passwords and the inconvenience of then-existing two-factor authentication methods, which required users to carry a separate, dedicated hardware token to generate access codes (’658 Patent, col. 1:36-52).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a device most users already carry: a personal communication device like a mobile phone or pager. The system generates a temporary, one-time "token" and transmits it to the user's device over a cellular network. To log in, the user combines this received token with a memorized "passcode" to form a new, valid password, which is then submitted to the secure system over a separate computer network (e.g., the internet) (’658 Patent, Abstract; Fig. 1; col. 4:52-58).
- Technical Importance: This approach sought to provide the enhanced security of two-factor authentication without the cost and user burden associated with single-purpose hardware tokens by utilizing the existing infrastructure of cellular networks and the increasing prevalence of mobile devices (’658 Patent, col. 1:53-59).
Key Claims at a Glance
- The complaint asserts independent claim 5 of the ’658 Patent (’658 Patent, Compl. ¶26).
- Essential elements of independent claim 5 include:
- A computer processor and a user database that associates a user with their personal communication device (e.g., mobile phone).
- A control module that creates a "new password" based on a token (not known to the user) and a passcode (known to the user).
- A communication module that transmits the token to the user's device over a cell phone network.
- An authentication module that receives the password over a secure computer network (different from the cell phone network) to grant access.
- The authentication module "deactivates the account within a predetermined amount of time after said activating."
- The complaint’s prayer for relief references "one or more claims" but the infringement count is specific to Claim 5 (Compl. ¶26, ¶a p. 8).
III. The Accused Instrumentality
Product Identification
- The Accused Instrumentalities are the systems and applications that provide two-factor authentication for Defendants' online banking system, specifically the feature identified as "2-Step Verification at Sign-On" (Compl. ¶¶ 20-21).
Functionality and Market Context
- The accused feature is an optional security layer for customer accounts. When activated, the system requires a user to enter an "access code" in addition to their standard password to sign on to mobile or online banking (Compl. ¶21). A screenshot from Defendant's website describes its "2-Step Verification at Sign-On" feature, explaining that it uses an access code sent to a mobile device to enhance security (Compl. p. 6). The system can deliver this access code via text (SMS), email, phone call, or push notification (Compl. p. 7).
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a computer processor; | The Accused Instrumentalities include a computer processor. | ¶22 | col. 3:28-31 |
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system; | The accused system includes a user database associating banking customers with their mobile phones, which communicate with the system via a cell phone network. | ¶22 | col. 2:32-35 |
| a control module executed on the computer processor configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The accused system is alleged to have a control module that creates new passwords based on a token (the "access code") and a passcode (the user's standard password). | ¶23 | col. 2:35-38 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network; | The accused system transmits the access code (token) to the user's mobile device via methods including SMS text messaging over the cell phone network. A snippet from Defendant's website lists the delivery options (Compl. p. 7). | ¶24 | col. 2:39-43 |
| an authentication module configured to receive the password from the user through a secure computer network...said secure computer network being different from the cell phone network...wherein the authentication module activates access...and deactivates the account within a predetermined amount of time after activating the account... | The accused system's authentication module receives the user's password through the online banking system (a secure computer network), which is distinct from the cell network, and allegedly activates and then deactivates access. | ¶25 | col. 9:58-62 |
- Identified Points of Contention:
- Scope Questions: The claim recites creating and receiving "a new password" that is "based at least upon the token and a passcode." The patent specification describes concatenating these two components into a single new string for submission (’658 Patent, col. 4:52-58). The complaint alleges the accused system meets this limitation, but it appears to accept a user's static password and a separate one-time "access code" as two distinct factors. This raises the question of whether receiving two separate inputs is equivalent to receiving the single, combined "password" recited in the claim.
- Technical Questions: Claim 5 requires that the authentication module "deactivates the account within a predetermined amount of time." The complaint makes a conclusory allegation that this occurs (Compl. ¶25). The patent specification links this deactivation to the expiration of the token, after which the "user account in the user database" is deactivated (’658 Patent, col. 9:58-62). A key question is what evidence exists that the accused system performs a "deactivation" of the user's account, as opposed to the temporary access code simply becoming invalid for a single login session.
V. Key Claim Terms for Construction
- The Term: "a new password based at least upon a token and a passcode"
- Context and Importance: The construction of this term is critical to determining whether the accused system's process of accepting two separate authentication factors (static password and one-time code) falls within the claim's scope. Practitioners may focus on this term because the patent's primary embodiment describes a single, concatenated password.
- Intrinsic Evidence for a Broader Interpretation: Plaintiff may argue that the phrase "based at least upon" does not strictly require concatenation, but only that the authentication logic relies on both the token and the passcode, regardless of how they are entered.
- Intrinsic Evidence for a Narrower Interpretation: Defendant may point to the specification, which explicitly describes combining a passcode and token to "form a password" (e.g., "abcd1234") and shows a login screen with a single field for this combined "password" (’658 Patent, col. 4:52-58; Fig. 2A). This suggests the "password" is a single data entity.
- The Term: "deactivates the account"
- Context and Importance: Infringement of this limitation hinges on whether the expiration of the accused one-time code constitutes "deactivating the account."
- Intrinsic Evidence for a Broader Interpretation: A party could argue that from a user's perspective, once the token expires, access is denied, which is functionally equivalent to the account being "deactivated" for that login attempt.
- Intrinsic Evidence for a Narrower Interpretation: The specification describes a specific process where, upon token expiration, the system "deactivates the user account in the user database 114" (’658 Patent, col. 9:60-62). This implies a change to the status of the account record itself, a more significant action than a temporary code merely losing its validity.
VI. Other Allegations
- Indirect Infringement: The complaint does not allege indirect infringement; it contains a single count for direct infringement (Compl. p. 2).
- Willful Infringement: The complaint does not contain a specific count for willful infringement or allege facts supporting pre-suit knowledge. The prayer for relief includes a standard request for a finding of an exceptional case under 35 U.S.C. § 285 (Compl. ¶d, p. 9).
VII. Analyst’s Conclusion: Key Questions for the Case
- A dispositive procedural question now overshadows the technical merits: what is the legal status of this complaint given that its sole asserted claim, Claim 5, was cancelled in an inter partes review proceeding that concluded after the case was filed? A case cannot be maintained on a patent claim that has been judged invalid and cancelled by the USPTO.
- Had the claim survived, a core issue would have been one of definitional scope: can the term "new password," which the patent describes as a single string formed by concatenating a passcode and a token, be construed to cover an authentication system that accepts a static password and a one-time code as two separate and distinct inputs?
- A second central question would have been one of functional equivalence: does the accused system's invalidation of a temporary access code perform the specific function of "deactivat[ing] the account" as recited in the claim, which the patent specification links to altering the status of the user account in a database?