DCT
2:23-cv-00065
Dynapass IP Holdings LLC v. East West Bancorp Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: East West Bancorp, Inc. (Delaware) and East West Bank (California)
- Plaintiff’s Counsel: WILLIAMS SIMONS & LANDIS PLLC
- Case Identification: 2:23-cv-00065, E.D. Tex., 02/20/2023
- Venue Allegations: Plaintiff alleges venue is proper based on Defendants conducting business in the district and maintaining a "regular and established place of business" at a physical address in Plano, Texas.
- Core Dispute: Plaintiff alleges that Defendants' two-factor authentication system for online banking infringes a patent related to user authentication using personal communication devices.
- Technical Context: The technology at issue is two-factor authentication (2FA), a security process where users provide two different authentication factors to verify themselves, commonly used to secure access to sensitive systems like online banking.
- Key Procedural History: Post-filing, the asserted patent was the subject of an Inter Partes Review (IPR) proceeding at the U.S. Patent and Trademark Office. The IPR certificate, issued September 25, 2024, indicates that Claim 5—the only claim specifically identified in the complaint's infringement allegations—has been cancelled. Claims 1, 3, 4, and 6 were found patentable. This development raises a fundamental question regarding the viability of the complaint as currently pleaded.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | U.S. Patent No. 6,993,658 Priority Date (Filing Date) |
| 2006-01-31 | U.S. Patent No. 6,993,658 Issue Date |
| 2023-01-06 | Inter Partes Review (IPR2023-00425) Filed against '658 Patent |
| 2023-02-20 | Complaint Filing Date |
| 2024-09-25 | IPR Certificate Issued, Cancelling Claim 5 of '658 Patent |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
- Patent Identification: U.S. Patent No. 6,993,658, "Use of Personal Communication Devices for User Authentication," issued January 31, 2006.
The Invention Explained
- Problem Addressed: The patent describes the security risks and user inconvenience associated with traditional password-only authentication systems, such as users choosing easily guessed passwords or writing down complex ones, thereby compromising security. (’658 Patent, col. 1:26-41).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a device most users already carry: a personal communication device like a mobile phone or pager. (’658 Patent, col. 1:55-59). The system generates a temporary, one-time "token" and transmits it to the user's device. The user then combines this token with a pre-memorized, secret "passcode" to form a valid password for accessing a secure system, as illustrated in the system overview. (’658 Patent, Fig. 1; col. 2:2-10). This method aims to provide the security of two-factor authentication without requiring the user to carry a separate, dedicated hardware token generator.
- Technical Importance: The invention's approach of using a general-purpose communication device for the second factor represented a move toward more convenient and integrated security solutions compared to specialized hardware tokens prevalent at the time. (’658 Patent, col. 1:55-59).
Key Claims at a Glance
- The complaint exclusively identifies independent claim 5 in its infringement analysis. (Compl. ¶¶15, 26).
- The essential elements of Claim 5 are:
- A computer processor;
- A user database to associate a user with their personal communication device, which communicates over a cell phone network;
- A control module that creates a new password based on both a "token" (unknown to the user) and a "passcode" (known to the user) and sets this new password for the user's account;
- A communication module to transmit the "token" to the user's device via the cell phone network; and
- An authentication module that receives the password over a secure computer network (different from the cell phone network), activates account access, and then deactivates access after a predetermined time.
III. The Accused Instrumentality
Product Identification
- The "Accused Instrumentalities" are the systems and applications that provide two-factor authentication for Defendants' online banking customers. (Compl. ¶¶20-21).
Functionality and Market Context
- The complaint describes Defendants' "SureKey" enrollment process, where a user can opt to receive a temporary authentication code. (Compl. ¶21). The complaint provides a series of annotated screenshots from the accused online banking system, illustrating a user selecting "Text Message" as the delivery method for a code. (Compl. p. 6, visual step 5). The system then sends a six-digit code via SMS to the user's registered mobile phone. (Compl. ¶22). The user enters this code into the online banking portal to complete authentication. (Compl. p. 6, visual step 9). The complaint does not provide specific details on the market positioning of this feature beyond its function as a security measure for online banking access.
IV. Analysis of Infringement Allegations
Claim Chart Summary
- The complaint alleges that the Accused Instrumentalities infringe at least Claim 5 of the ’658 Patent.
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user authentication system comprising: a computer processor; | The Accused Instrumentalities include a computer processor. | ¶22 | col. 3:26-31 |
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system; | The system includes a user database associating banking customers with their mobile phones, which communicate with the system via a cell network. | ¶22 | col. 2:32-42 |
| a control module executed on the computer processor configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The system is alleged to have a control module that creates new passwords based on a token (the access code sent to the user) and a passcode known to the user. | ¶23 | col. 2:2-5 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network; and | The system includes a communication module for transmitting the token (access code) to the user's mobile phone via SMS text messaging. | ¶24 | col. 9:14-20 |
| an authentication module configured to receive the password from the user through a secure computer network...wherein the authentication module activates access to the account...and deactivates the account within a predetermined amount of time after activating... | The system's authentication module receives the password through the online banking system (a secure computer network), activates access, and deactivates access after a set time. A screenshot shows a countdown timer for code expiration. (Compl. p. 6, visual). | ¶25 | col. 9:57-60 |
Identified Points of Contention
- Scope Questions: A central question may arise from the patent's distinction between a "passcode" (a secret known by the user) and a "token" (a temporary code sent to the user). The complaint alleges the accused system uses both to create a new password (Compl. ¶23), but the provided screenshots only depict the entry of a single, temporary code sent via SMS. The infringement analysis may turn on whether Defendants' system requires a separate, static "passcode" in the manner claimed by the patent, or if the complaint conflates the patent's terminology with the accused system's functionality.
- Technical Questions: Claim 5 requires the control module to "create a new password" and "set a password associated with the user to be the new password." A technical question is whether the accused system performs this specific server-side function. The complaint does not provide direct evidence of this internal mechanism, raising the possibility that the accused system may operate differently, for instance by validating two separate authentication factors (a static password and a one-time code) without ever combining them to "create" and "set" a new password entry in a database.
V. Key Claim Terms for Construction
The Term: "passcode"
- Context and Importance: The definition of "passcode" is critical because Claim 5 requires the creation of a new password from a combination of both a "token" and a "passcode." If the accused system does not use a "passcode" as defined by the patent, the infringement argument may fail. Practitioners may focus on this term because the complaint's factual allegations appear to use terminology inconsistently with the patent's specific descriptions.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent does not contain an explicit definition of "passcode" in a lexicographical sense, which a party might argue leaves the term open to its plain and ordinary meaning.
- Evidence for a Narrower Interpretation: The specification consistently describes the passcode as a secret, memorized value distinct from the transmitted token. It states, "The passcode 154 is preferably secret and only known to the user 108" and is something the user "commits to memory." (’658 Patent, col. 3:38-41). This supports an interpretation that "passcode" refers to a static, memorized secret, not the temporary code sent to the user's phone.
The Term: "create a new password based at least upon the token and a passcode"
- Context and Importance: This term defines the core inventive process. The infringement analysis depends on whether the accused server-side system actually generates a single, new password credential from the two claimed inputs.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: A party could argue that any server-side validation logic that requires both factors to grant access effectively "creates" a valid password for that session, even if not stored long-term.
- Evidence for a Narrower Interpretation: The patent specification describes a specific sequence where the server "generates a new password by concatenating a secret passcode that is known to the user with the token" (’658 Patent, col. 2:3-5) and then "updates the user database 114 with the new password 158" (’658 Patent, col. 6:63-65). This language suggests a literal creation and storage of a new data string, rather than a more abstract, temporary validation process.
VI. Other Allegations
The complaint does not allege indirect or willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
Viability of the Asserted Claim: The primary question facing this litigation is procedural and existential: given that the sole asserted claim (Claim 5) was cancelled in a subsequent IPR proceeding, on what basis can the lawsuit proceed? The case appears to be untenable without an amendment to the complaint to assert one of the surviving, patentable claims.
Definitional and Factual Congruence: Should the case proceed on other claims, a core issue will be one of definitional scope: does the term "passcode," as described in the patent as a static, memorized secret, read on the functionality of the accused system? The plaintiff will need to provide evidence that the accused system utilizes both a memorized secret and a transmitted one-time code in the manner claimed.
Evidentiary Proof of Mechanism: A key evidentiary question will be one of technical operation: what proof can be shown that the Defendants' server-side architecture actually "creates" and "sets" a new password by combining two factors, as opposed to a system that separately validates a user's primary password and a second-factor one-time code? The resolution will depend on evidence of the internal workings of the Accused Instrumentalities, which is not detailed in the complaint.