DCT
2:23-cv-00066
Dynapass IP Holdings LLC v. Experian Information Services Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: Experian Information Services, Inc. (Ohio)
- Plaintiff’s Counsel: WILLIAMS SIMONS & LANDIS PLLC
- Case Identification: 2:23-cv-00066, E.D. Tex., 02/20/2023
- Venue Allegations: Venue is based on Defendant allegedly maintaining a regular and established place of business in Allen, Texas, within the Eastern District of Texas.
- Core Dispute: Plaintiff alleges that Defendant’s multifactor authentication services infringe a patent related to user authentication systems that use personal communication devices.
- Technical Context: The technology concerns two-factor authentication, a security process where users provide two different authentication factors to verify themselves, commonly used to secure online accounts and transactions.
- Key Procedural History: Subsequent to the filing of this complaint, two petitions for Inter Partes Review (IPR) were filed against the ’658 Patent. These proceedings were joined and resulted in a certificate issued by the U.S. Patent and Trademark Office confirming the cancellation of Claim 5, the sole claim asserted in this litigation.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | ’658 Patent Priority Date (Filing Date) |
| 2006-01-31 | ’658 Patent Issue Date |
| 2023-01-06 | IPR2023-00425 filed against ’658 Patent |
| 2023-02-20 | Complaint Filing Date |
| 2023-08-16 | IPR2023-01331 filed against ’658 Patent |
| 2024-09-25 | IPR Certificate Issued, Cancelling Claim 5 |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
- Patent Identification: U.S. Patent No. 6,993,658, "Use of Personal Communication Devices for User Authentication," issued January 31, 2006.
The Invention Explained
- Problem Addressed: The patent identifies the security risks of traditional password systems, such as users choosing easy-to-guess passwords or writing down complex ones, and notes the inconvenience of prior two-factor authentication systems that required users to carry a dedicated, single-purpose hardware token (’658 Patent, col. 1:16-59).
- The Patented Solution: The invention proposes using a device that a person already carries, such as a mobile phone or pager, as the second authentication factor. The system generates a temporary, single-use "token" and transmits it to the user's personal device. The user then combines this received token with a separate, memorized "passcode" to form a complete one-time password to gain access to a secure system (’658 Patent, col. 2:1-16; Fig. 1).
- Technical Importance: This approach aimed to improve the convenience and reduce the cost of implementing two-factor authentication by leveraging the ubiquity of personal mobile devices, thereby removing the need for users to carry an additional dedicated token device (’658 Patent, col. 1:53-59).
Key Claims at a Glance
- The complaint asserts infringement of at least independent Claim 5 (’658 Patent, col. 12:21-50; Compl. ¶25).
- The essential elements of Claim 5, a system claim, include:
- A computer processor.
- A user database associating a user with their personal communication device, which communicates over a cell phone network.
- A control module that creates a new password based on both a "token" (not known to the user) and a "passcode" (known to the user).
- A communication module that transmits the "token" to the user's device via the cell phone network.
- An authentication module that receives the complete password through a separate secure computer network, activates access, and deactivates access after a predetermined time.
III. The Accused Instrumentality
Product Identification
- The "Accused Instrumentalities" are identified as the systems and applications Experian uses to provide "multifactor authentication services to its one-time password ('OTP') customers" (Compl. ¶19).
Functionality and Market Context
- The complaint alleges that Experian's services verify a consumer's identity for remote transactions by combining authentication factors, including something the user knows (e.g., a password) and something the user has (e.g., a mobile phone) (Compl. p. 7). The accused service is alleged to deliver a "unique alphanumeric code," referred to as a one-time password, to a consumer's verified phone via text or voicemail (Compl. p. 7). The complaint includes a screenshot from Defendant's website describing its "Multifactor authentication services" that deliver a "one-time password" to a consumer's mobile phone (Compl. p. 7).
IV. Analysis of Infringement Allegations
’658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a computer processor; | The accused systems include a computer processor. | ¶21 | col. 4:28-31 |
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network with the user authentication system; | The accused systems include a user database that associates users with their personal communication device (e.g., mobile phone), which communicates via a cell phone network. | ¶21 | col. 2:32-35 |
| a control module ... configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | The accused systems include a control module that creates new passwords based upon a token (the access code provided by the system) and a passcode (known to the user). | ¶22 | col. 2:35-38 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network; | The accused systems include a communication module that transmits the token to the user's personal device via SMS ("text") messaging over a cell phone network. The complaint reproduces a patent figure showing this architecture (Compl. p. 4). | ¶23 | col. 2:39-43 |
| an authentication module configured to receive the password from the user through a secure computer network, said secure computer network being different from the cell phone network... wherein the authentication module activates access ... and deactivates the account within a predetermined amount of time... | The accused systems include an authentication module that receives the password through a secure computer network different from the cell phone network, activates the user's account, and deactivates it after a predetermined time. | ¶24 | col. 7:59-62 |
- Identified Points of Contention:
- Scope Questions: A central question for infringement is whether the accused system's "one-time password" or "access code" functions as the claimed "token", which the patent describes as a component used to create a final password. The patent's embodiment describes concatenating a "token" and a "passcode" ('658 Patent, col. 4:52-56), whereas the accused functionality appears to send a complete, ready-to-use password to the user. This raises the question of whether the accused system actually performs the claimed step of "creat[ing] a new password based at least upon a token and a passcode."
- Technical Questions: The complaint alleges the accused system "deactivates the account within a predetermined amount of time" (Compl. ¶24). The case would require evidence demonstrating that the accused system performs this specific deactivation function as required by the claim, rather than simply having the one-time password itself expire.
V. Key Claim Terms for Construction
The Term: "passcode"
- Context and Importance: The claim requires the password to be based on both a "token" and a "passcode". The definition of "passcode" is critical because if the accused system only uses a single factor sent to the user's phone (the OTP), it may not meet this limitation. Practitioners may focus on this term to determine if a separate, user-memorized secret is a required element.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent states the "passcode" is "secret and only known to the user" (’658 Patent, col. 4:40-41), which could be argued to encompass any form of pre-existing secret user knowledge.
- Evidence for a Narrower Interpretation: The specification's primary embodiment explicitly describes the passcode as a distinct piece of information that the user combines with the token, stating "the user 108 can combine a valid, memorized passcode of 'abcd' with a valid token of '1234' to form a valid password of 'abcd1234'" (’658 Patent, col. 4:52-56).
The Term: "create a new password based at least upon a token and a passcode"
- Context and Importance: This phrase defines the core inventive act. The infringement analysis depends on whether the accused system's act of generating an OTP and sending it to a user can be characterized as "creating" a password from two separate components as claimed.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The phrase "based at least upon" could be argued to allow for logical combinations other than simple concatenation, potentially giving the plaintiff more latitude in its infringement theory.
- Evidence for a Narrower Interpretation: The patent’s abstract and detailed description consistently frame the creation process as an explicit combination of the two elements. The abstract states the server "creates a new password by concatenating a secret passcode that is known to the user with the token" (’658 Patent, Abstract).
VI. Other Allegations
The complaint contains a single count for direct infringement and does not include specific factual allegations to support claims of indirect or willful infringement.
VII. Analyst’s Conclusion: Key Questions for the Case
- A dispositive threshold issue is one of mootness: given that the sole asserted claim, Claim 5, was cancelled in an Inter Partes Review proceeding subsequent to the filing of the complaint, the central question for the court is whether Plaintiff’s claim for infringement can survive.
- The key technical question at the time of filing was one of mechanistic correspondence: does the accused service, which appears to generate and deliver a complete one-time password to a user, practice the claimed system of "creating" a password by combining a separate, user-memorized "passcode" with a system-generated "token", or is there a fundamental difference in the operational mechanism?