2:23-cv-00064
Dynapass IP Holdings LLC v. Charles Schwab Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Dynapass IP Holdings LLC (Delaware)
  - Defendant: The Charles Schwab Corporation (Delaware) and Charles Schwab Bank, SSB (Texas)
  - Plaintiff’s Counsel: WILLIAMS SIMONS & LANDIS PLLC
 
- Case Identification: 2:23-cv-00064, E.D. Tex., 02/20/2023
- Venue Allegations: Plaintiff alleges venue is proper because Defendants maintain a regular and established place of business in the district and conduct substantial business in Texas.
- Core Dispute: Plaintiff alleges that Defendants’ two-factor authentication system for online banking infringes a patent related to using personal communication devices for user authentication.
- Technical Context: The technology concerns two-factor authentication, a security process where users provide two different authentication factors to verify themselves, commonly used to protect access to sensitive online accounts.
- Key Procedural History: The complaint was filed on February 20, 2023. At the time of filing, the asserted patent was the subject of a pending Inter Partes Review (IPR) proceeding before the Patent Trial and Appeal Board (IPR2023-00425, filed January 6, 2023). A subsequent IPR was also filed (IPR2023-01331). A certificate issued by the USPTO on September 25, 2024, indicates that as a result of the IPR proceedings, the sole independent claim detailed in the complaint, Claim 5, has been cancelled. The continued viability of the complaint's allegations concerning Claim 5 is therefore a central issue.
Case Timeline
| Date | Event | 
|---|---|
| 2000-03-06 | ’658 Patent Priority Date | 
| 2006-01-31 | ’658 Patent Issue Date | 
| 2023-01-06 | IPR proceeding (IPR2023-00425) filed against ’658 Patent | 
| 2023-02-20 | Complaint Filing Date | 
| 2023-08-16 | IPR proceeding (IPR2023-01331) filed against ’658 Patent | 
| 2024-09-25 | IPR Certificate issued cancelling Claim 5 of ’658 Patent | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication" (issued Jan. 31, 2006)
The Invention Explained
- Problem Addressed: The patent identifies the security risks of traditional, static passwords (which are often simple or written down) and the inconvenience of then-existing two-factor authentication methods that required users to carry a separate, dedicated hardware token (e.g., an RSA SecurID fob) (’658 Patent, col. 1:21-53).
- The Patented Solution: The invention proposes using a device that people already carry, such as a mobile phone or pager, as the second authentication factor. The system generates a temporary, one-time "token" and sends it to the user's personal device. The user then combines this token with a secret, memorized "passcode" to create a new, valid password for a single login session, thereby leveraging the user's existing device for enhanced security (’658 Patent, Abstract; col. 4:52-57).
- Technical Importance: The described approach sought to improve both the security and user convenience of authentication systems by replacing a dedicated hardware object with a multi-purpose personal device that was becoming increasingly ubiquitous (’658 Patent, col. 1:56-60).
Key Claims at a Glance
- The complaint asserts direct infringement of at least independent Claim 5 (’658 Patent, col. 12:20-49; Compl. ¶26).
- The essential elements of independent Claim 5 include:
  - A user authentication system with a computer processor and a user database that associates a user with their personal communication device.
  - The personal communication device communicates with the system over a cell phone network.
  - A control module that creates a "new password" based on a "token" (not known to the user) and a "passcode" (known to the user).
  - A communication module that transmits the token to the user's device via the cell phone network.
  - An authentication module that receives the new password from the user via a "secure computer network" (which is different from the cell phone network).
  - The authentication module activates account access in response to the password and deactivates the account within a predetermined time.
 
III. The Accused Instrumentality
Product Identification
The "systems and applications Defendants use for access and authorization to their online banking system," specifically those that provide two-factor authentication to customers (Compl. ¶¶20-21).
Functionality and Market Context
The complaint describes Defendants' "Two-Step Verification" feature. This feature adds a security layer to the standard login process, which consists of a Login ID and Password as shown in a screenshot of the login page (Compl. p. 6). When a user attempts to log in, the system sends an "Access Code" to a pre-registered device, such as a mobile phone via text message (SMS) (Compl. ¶¶24, 25). The complaint includes a screenshot from an explanatory video describing this process, where a pop-up text box states, "We'll do this by sending an Access Code to one of the methods of contact you previously set up" (Compl. p. 7). The user must then enter this Access Code to complete the login and access their account.
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system; | Defendants' systems include a user database associating banking customers with their mobile phones, which communicate with the system via a cell phone network (Compl. p. 7). | ¶22 | col. 12:23-27 | 
| a control module executed on the computer processor configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user...; | Defendants' system includes a control module that allegedly creates a new password based on an "access code" (the token) and the user's password (the passcode) (Compl. p. 8). | ¶23 | col. 12:28-34 | 
| a communication module configured to transmit the token to the personal communication device through the cell phone network; and | Defendants' system includes a communication module for transmitting the "access code" (token) to the customer's mobile device via SMS over a cell phone network (Compl. p. 8). | ¶24 | col. 12:36-39 | 
| an authentication module configured to receive the password from the user through a secure computer network... wherein the authentication module activates access to the account... and deactivates the account within a predetermined amount of time after activating the account... | Defendants' system includes an authentication module (the online banking system) that receives the password, activates account access, and deactivates it after a set time (Compl. pp. 8-9). | ¶25 | col. 12:40-49 | 
Identified Points of Contention
- Scope Questions: The complaint alleges the user's pre-existing password serves as the claimed "passcode" and is combined with the SMS "access code" (the "token") to form a "new password." A central question is whether Defendants' system actually creates a single "new password" from these two components, or if it validates two separate and independent factors—the static password and the one-time access code.
- Technical Questions: Claim 5 requires the system to "deactivate the account within a predetermined amount of time... such that said user account is not accessible through any password." The infringement analysis may turn on whether a standard session timeout in the accused system meets this specific functional limitation, or if the claim requires a more specific deactivation mechanism tied to the temporary password's lifecycle.
V. Key Claim Terms for Construction
Term for Construction: "a new password based at least upon the token and a passcode"
- Context and Importance: The construction of this phrase is fundamental to the infringement theory. The case may depend on whether "based at least upon" requires a literal combination of the passcode and token into a single data string that is then validated, or if it can be interpreted more broadly to cover a system that validates the two factors in separate logical steps.
- Intrinsic Evidence for a Broader Interpretation: The phrase "based at least upon" could be argued by a plaintiff to encompass any form of logical dependency, not just concatenation.
- Intrinsic Evidence for a Narrower Interpretation: The specification provides a clear example of concatenation: "the user 108 can combine a valid, memorized passcode of 'abcd' with a valid token of '1234' to form a valid password of 'abcd1234'" (’658 Patent, col. 4:52-57). The patent abstract and figures consistently illustrate a process where the two components are merged before authentication, which may support a narrower construction.
Term for Construction: "passcode"
- Context and Importance: Practitioners may focus on this term because its definition determines what serves as the first authentication factor. The complaint equates the user's primary, static login password with the claimed "passcode" (Compl. ¶23). The defense may argue that the patent envisions the "passcode" as a component of a temporary password, not as a standalone, persistent password.
- Intrinsic Evidence for a Broader Interpretation: The patent states the "passcode" is "secret and only known to the user 108," a general description that could apply to a standard password (’658 Patent, col. 4:40-41).
- Intrinsic Evidence for a Narrower Interpretation: Figure 2A includes the note: "Your password is your passcode followed by a valid token," explicitly defining the "passcode" as a sub-part of the final password submitted for authentication, not the password itself (’658 Patent, Fig. 2A).
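The two designs that these claim terms distinguish can be set side by side in code. The sketch below is an added illustration, not code from the patent, the complaint, or either party's system: `login_combined` validates a single string formed as passcode followed by token (the 'abcd1234' example), while `login_two_step` validates a static password and a one-time code as separate inputs. The token length, lifetimes, and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_LEN = 4        # assumed length, matching the '1234' example
TOKEN_TTL = 60       # assumed token lifetime in seconds
ACCESS_WINDOW = 300  # assumed "predetermined amount of time" in seconds

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, secret: str):
        self.salt = secrets.token_bytes(16)
        self.secret_hash = kdf(secret, self.salt)  # store a hash, not the secret
        self.token, self.token_expiry = None, 0.0
        self.active_until = 0.0                    # used by the combined model

    def issue_token(self, now: float) -> str:
        # A real system sends this to the phone; returned here for the demo.
        self.token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_LEN))
        self.token_expiry = now + TOKEN_TTL
        return self.token

    def secret_ok(self, candidate: str) -> bool:
        return hmac.compare_digest(kdf(candidate, self.salt), self.secret_hash)

    def token_ok(self, candidate: str, now: float) -> bool:
        live = self.token is not None and now <= self.token_expiry
        match = live and hmac.compare_digest(candidate.encode(), self.token.encode())
        self.token = None  # single use: consumed by any attempt
        return bool(match)

def login_combined(acct: Account, password: str, now: float) -> bool:
    """One submitted string: passcode followed by token, e.g. 'abcd1234'."""
    passcode, token = password[:-TOKEN_LEN], password[-TOKEN_LEN:]
    token_good = acct.token_ok(token, now)       # evaluate both halves every time
    ok = acct.secret_ok(passcode) and token_good
    if ok:
        acct.active_until = now + ACCESS_WINDOW  # access lapses after the window
    return ok

def account_active(acct: Account, now: float) -> bool:
    return now < acct.active_until

def login_two_step(acct: Account, password: str, code: str, now: float) -> bool:
    """Two submitted values: static password, then the one-time access code."""
    password_good = acct.secret_ok(password)
    code_good = acct.token_ok(code, now)
    return password_good and code_good
```

In the combined model the memorized secret on its own is never a valid login string, which is the sense in which Figure 2A treats the passcode as a sub-part of the password; in the two-step model the static password is a complete credential checked on its own.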
VI. Other Allegations
Willful Infringement
The complaint does not contain an explicit count or allegation of willful infringement. It does, however, request that the court declare the case "exceptional" and award attorneys' fees pursuant to 35 U.S.C. § 285 (Compl. Prayer for Relief ¶d).
VII. Analyst’s Conclusion: Key Questions for the Case
- A threshold, and potentially dispositive, issue for the case is one of claim viability: given that a USPTO IPR Certificate indicates the cancellation of Claim 5—the only independent claim for which the complaint provides detailed infringement allegations—what basis, if any, remains for the lawsuit to proceed?
- A core question of operational mechanism will be central to any technical analysis: does the accused two-factor authentication system function by creating a single "new password" from the user's static password and a one-time code, as described in the patent, or does it operate by validating two separate authentication factors independently?
- The dispute may also turn on a definitional scope question: can the term "passcode", as defined and used within the patent, be construed to read on a user's persistent, primary login password in the accused system, or does the patent limit the term to a component specifically intended for combination with a token?