DCT

2:23-cv-00063

Dynapass IP Holdings LLC v. Amazon.com Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:23-cv-00063, E.D. Tex., 02/20/2023
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant maintains regular and established places of business within the district, including facilities in Fort Worth and Carrollton, Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s multi-factor authentication systems, used to secure customer accounts, infringe a patent related to user authentication via personal communication devices.
  • Technical Context: The technology at issue is two-factor or multi-factor authentication (MFA), a widely used security method that requires users to provide two or more verification factors to gain access to a resource, such as an online account.
  • Key Procedural History: While not mentioned in the complaint, public records indicate that the patent-in-suit, U.S. Patent No. 6,993,658, was the subject of inter partes review (IPR) proceedings filed at the U.S. Patent and Trademark Office (IPR2023-00425, IPR2023-01331). A certificate issued on September 25, 2024, confirmed that Claim 5—the only claim specifically asserted in this complaint—was cancelled. The cancellation of the sole asserted claim raises a potentially dispositive issue for the litigation.

Case Timeline

| Date | Event |
|---|---|
| 2000-03-06 | ’658 Patent Priority Date |
| 2006-01-31 | ’658 Patent Issue Date |
| 2023-01-06 | IPR proceeding (IPR2023-00425) filed against ’658 Patent |
| 2023-02-20 | Complaint Filing Date |
| 2023-08-16 | IPR proceeding (IPR2023-01331) filed against ’658 Patent |
| 2024-09-25 | IPR Certificate issued, cancelling Claim 5 |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,993,658: "Use of Personal Communication Devices for User Authentication" (Issued Jan. 31, 2006)

  • The Invention Explained:

    • Problem Addressed: The patent identifies deficiencies in then-current user authentication methods. Simple password systems were vulnerable because users chose memorable (and thus guessable) passwords or wrote down complex ones, compromising security. Meanwhile, existing two-factor systems, such as RSA's SecurID, required users to carry a dedicated, single-purpose hardware token, which was inconvenient. (Compl. ¶12; ’658 Patent, col. 1:15-59).
    • The Patented Solution: The invention proposes using a device that users already possess—a personal communication device like a mobile phone or pager—as the second authentication factor. In this system, a server generates a temporary, one-time "token" and transmits it (e.g., via SMS) to the user's device. The user then combines this received token with a pre-memorized, secret "passcode" to form a new, temporary password, which is used to log in to a secure system. The architecture explicitly separates the login network from the token delivery network (e.g., a computer network vs. a cell phone network). (Compl. ¶13-16; ’658 Patent, col. 2:1-16, Fig. 1).
    • Technical Importance: The described method aimed to provide the security benefits of two-factor authentication without the cost and inconvenience of a separate hardware token by leveraging the widespread availability of mobile phones. (’658 Patent, col. 1:56-59).
  • Key Claims at a Glance:

    • The complaint explicitly asserts infringement of independent Claim 5. (Compl. ¶25).
    • The essential elements of Claim 5 are:
      • A user authentication system comprising a computer processor, a user database, a control module, a communication module, and an authentication module.
      • The user database associates a user with their personal communication device, which communicates over a cell phone network.
      • The control module creates a "new password" based on a "token" (unknown to the user) and a "passcode" (known to the user).
      • The communication module transmits the "token" to the user's device via the cell phone network.
      • The authentication module receives the "password" from the user via a secure computer network (different from the cell phone network), activates account access, and then "deactivates the account within a predetermined amount of time."
    • The complaint makes a general prayer for relief regarding "one or more claims" but only identifies Claim 5 in its substantive allegations. (Compl. ¶25, 10a).

III. The Accused Instrumentality

  • Product Identification: The accused instrumentalities are the "systems and applications Defendant uses to provide two-factor authentication services to its customers," specifically identified as Amazon's "Multi-Factor Authentication" and "Two-Step Verification" features. (Compl. ¶19-20).
  • Functionality and Market Context: The complaint alleges that when a user attempts to sign in from a new device or location, Amazon's system requires an extra verification step. (Compl. ¶20, p. 6). This involves sending a "six-digit verification passcode" to the user's pre-registered email or mobile phone. The user must then enter this code on the website or mobile app to complete the sign-in process. (Compl. ¶20, p. 6). An included screenshot from an Amazon help page describes this as a feature that "adds an extra layer of security to your account log-in." (Compl. ¶21, p. 7).

IV. Analysis of Infringement Allegations

’658 Patent Infringement Allegations

| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network... | Amazon's system includes a user database that associates customers with their personal mobile phone, which is configured to communicate via a cell phone network. (Compl. p. 6). | ¶21 | col. 12:7-13 |
| a control module...configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The complaint alleges Amazon's system includes a control module that creates new passwords based on a token (the access code) and a passcode. | ¶22 | col. 12:22-30 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network... | Amazon's system sends a "six-digit verification passcode" (the alleged token) to the user's mobile phone via SMS. The screenshot on page 8 acknowledges sending a passcode to a mobile phone number. | ¶23 | col. 12:31-34 |
| an authentication module configured to receive the password from the user through a secure computer network...said secure computer network being different from the cell phone network... | Amazon's authentication module receives the user's password through its secure two-step verification services, which is a computer network different from the cell phone network. | ¶24 | col. 12:35-42 |
| ...wherein the authentication module...deactivates the account within a predetermined amount of time after activating the account, such that said account is not accessible through any password via the secure computer network. | The complaint alleges the authentication module deactivates the user's account after a predetermined time. | ¶24 | col. 12:46-52 |
  • Identified Points of Contention:
    • Scope Questions: A central question is whether Amazon’s system, which appears to require a user’s static password plus a separate one-time code, meets the claim limitation of creating and receiving a single "new password based at least upon a token and a passcode." The patent specification heavily favors an interpretation where the token and passcode are concatenated to form a single password string prior to submission. (’658 Patent, col. 4:52-58).
    • Technical Questions: The complaint alleges the accused system "creates new passwords" and "deactivates the account." (Compl. ¶22, 24). A key technical question is whether Amazon's system actually generates and sets a new, temporary password in its database for each login, or if it simply validates two separate credentials (the static password and the one-time code) independently. Further, it raises the question of whether the system "deactivates the account" itself, or merely causes the one-time code to expire, which appears to be a functionally distinct operation.
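The two architectures contrasted in these points of contention can be modeled side by side. The sketch below is an added illustration, not code from the patent, the complaint, or any Amazon system; the class names, the 300-second window, and the 4-digit token are assumptions chosen to match the specification's 'abcd' + '1234' example.

```python
import hmac
import secrets

TTL = 300  # assumed "predetermined amount of time", in seconds

def new_token():  # hypothetical helper: random 4-digit one-time value
    return f"{secrets.randbelow(10_000):04d}"

class CombinedPasswordModel:
    """Specification reading: one password string = passcode + token, and
    the account itself is deactivated when the window closes."""
    def __init__(self, passcode):
        self.passcode, self.password, self.expires = passcode, None, 0.0

    def issue_token(self, now, token=None):
        token = token or new_token()
        self.password = self.passcode + token  # e.g. 'abcd' + '1234'
        self.expires = now + TTL
        return token

    def account_active(self, now):
        return self.password is not None and now < self.expires

    def login(self, password, now):
        if not self.account_active(now):
            self.password = None  # deactivated: no password is accepted
            return False
        return hmac.compare_digest(password, self.password)

class SeparateFactorModel:
    """Alternative reading: static password and one-time code are checked
    independently; only the code expires and the account stays active."""
    def __init__(self, static_password):
        self.static_password = static_password
        self.code, self.expires, self.active = None, 0.0, True

    def issue_code(self, now, code=None):
        self.code, self.expires = code or new_token(), now + TTL
        return self.code

    def login(self, password, code, now):
        pw_ok = hmac.compare_digest(password, self.static_password)
        code_ok = (self.code is not None and now < self.expires
                   and hmac.compare_digest(code, self.code))
        if pw_ok and code_ok:
            self.code = None  # one-time: consume the code on success
        return pw_ok and code_ok
```

In the first model the expiry removes every valid password for the account; in the second, expiry only invalidates the code, and issuing a fresh code restores access without touching account state.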

V. Key Claim Terms for Construction

  • The Term: "a new password based at least upon a token and a passcode"

    • Context and Importance: The construction of this term is critical to determining infringement. The dispute may turn on whether this language requires the creation of a single, combined password string, or if it can read on a system where a static password and a separate one-time code are entered and validated as distinct factors.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: Plaintiff may argue that "based upon" is a broad term that does not strictly mandate concatenation and can cover any logical combination of the two elements for authentication.
      • Evidence for a Narrower Interpretation: The specification provides a specific example: "the user 108 can combine a valid, memorized passcode of 'abcd' with a valid token of '1234' to form a valid password of 'abcd1234'." (’658 Patent, col. 4:52-58). The abstract also describes creating a new password by "concatenating a secret passcode that is known to the user with the token." This provides strong support for a narrower construction requiring a single, concatenated password.
  • The Term: "deactivates the account... such that said user account is not accessible through any password"

    • Context and Importance: This limitation appears to describe a system where, after a set time, the entire user account becomes inaccessible until a new token/password is generated. Practitioners may focus on this term because modern MFA systems typically cause the one-time code to expire, not the user's account itself.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: Plaintiff might argue this language refers to the deactivation of the specific authenticated session, rendering that session's access invalid.
      • Evidence for a Narrower Interpretation: The claim language is explicit: "deactivates the account... such that said user account is not accessible." The specification reinforces this, stating that upon token expiration, "the control module 402 deactivates the user account in the user database 114." (’658 Patent, col. 9:62-65). This suggests a complete deactivation of the account's entry in the database, not merely the invalidation of a temporary code.

VI. Other Allegations

  • Indirect Infringement: The complaint does not contain allegations of indirect or induced infringement.
  • Willful Infringement: The complaint does not allege willful infringement or provide facts to support a claim for enhanced damages under 35 U.S.C. § 284. It does request that the case be declared "exceptional" for the purpose of recovering attorneys' fees under § 285. (Compl. ¶d, p. 11).

VII. Analyst’s Conclusion: Key Questions for the Case

  1. Procedural Viability: The foremost question is whether this case can proceed, given that the sole claim asserted in the complaint, Claim 5, has been cancelled in a post-filing IPR proceeding. The cancellation of the only asserted claim presents a potentially insurmountable, case-dispositive barrier for the plaintiff.
  2. Definitional Scope: Should the case proceed on other, un-asserted claims, a core issue will be one of claim scope: can the term "new password based at least upon a token and a passcode" be construed to cover an authentication system that validates a static password and a separate one-time code, rather than a single, concatenated password as described in the patent's preferred embodiment?
  3. Functional Mismatch: A key evidentiary question will be one of technical operation: does the accused Amazon system perform the specific function of "deactivat[ing] the account," as required by Claim 5, or does it merely invalidate the temporary code while the underlying account remains active? The claim language appears to require a function that may be fundamentally different from how modern MFA systems operate.