DCT
2:23-cv-00067
Dynapass IP Holdings LLC v. First Citizens Bancshares Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Dynapass IP Holdings LLC (Delaware)
- Defendant: First Citizens Bancshares, Inc. (Delaware) and First-Citizens Bank & Trust Company (North Carolina)
- Plaintiff’s Counsel: Williams Simons & Landis PLLC
- Case Identification: 2:23-cv-00067, E.D. Tex., 02/20/2023
- Venue Allegations: Venue is alleged to be proper based on Defendants conducting substantial business in the district, offering services to customers in Texas, and maintaining a regular and established place of business in Frisco, Texas.
- Core Dispute: Plaintiff alleges that Defendants' online banking systems, which utilize two-factor authentication, infringe a patent related to methods for authenticating users via personal communication devices.
- Technical Context: The technology concerns two-factor authentication, which enhances security by requiring a user to provide both something they know (like a password) and something they have (like a temporary code on a mobile phone).
- Key Procedural History: The patent-in-suit was subject to two Inter Partes Review (IPR) proceedings initiated at the U.S. Patent and Trademark Office after the patent issued. The first IPR was filed shortly before this complaint. On September 25, 2024, the USPTO issued an Inter Partes Review Certificate cancelling Claim 5 of the patent. This is significant as Claim 5 is the only claim specifically identified in the complaint's infringement count. Claims 1, 3, 4, and 6 were found patentable and remain in force.
Case Timeline
| Date | Event |
|---|---|
| 2000-03-06 | '658 Patent Priority Date |
| 2006-01-31 | '658 Patent Issue Date |
| 2023-01-06 | IPR2023-00425 Filed |
| 2023-02-20 | Complaint Filing Date |
| 2023-08-16 | IPR2023-01331 Filed |
| 2024-09-25 | IPR Certificate Issued (Cancelling Claim 5) |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 6,993,658 - "Use of Personal Communication Devices for User Authentication"
The Invention Explained
- Problem Addressed: The patent describes the security risks of traditional password-based authentication, noting that user-created passwords are often easy to guess and that complex, system-generated passwords are often written down, compromising security. (’658 Patent, col. 1:25-41).
- The Patented Solution: The invention proposes a two-factor authentication system that leverages a user's personal communication device, such as a mobile phone. A server generates a temporary, single-use "token" and sends it to the user's device. The user combines this token with a secret, memorized "passcode" to form a new, temporary password for logging into a secure system. (’658 Patent, Abstract; col. 4:52-57; FIG. 1). The system architecture specifies that the token is delivered over a different network (e.g., a cellular network) than the one used to access the secure system (e.g., a computer network), adding a layer of security. (’658 Patent, col. 11:45-50).
- Technical Importance: The described method aimed to provide the security benefits of two-factor authentication without requiring the user to carry a dedicated hardware token, instead utilizing the already-carried mobile phone. (’658 Patent, col. 1:55-59).
Key Claims at a Glance
- The complaint explicitly asserts independent Claim 5. (Compl. ¶26).
- The essential elements of Claim 5 are:
- A computer processor;
- A user database that associates a user with their personal communication device, which communicates over a cell phone network;
- A control module that creates a new password from a passcode (known to the user) and a token (not known to the user);
- A communication module to transmit the token to the device over the cell phone network; and
- An authentication module that receives the password via a secure computer network (different from the cell phone network), activates access, and deactivates access after a predetermined time. (’658 Patent, col. 12:5-48).
- The prayer for relief broadly requests judgment on "one or more claims," which may suggest an intent to assert claims beyond Claim 5. (Compl. p. 10, ¶a).
III. The Accused Instrumentality
Product Identification
- The "Accused Instrumentalities" are identified as the "systems and applications Defendants use for access and authorization to their online banking system," specifically those providing two-factor authentication. (Compl. ¶¶ 20-21).
Functionality and Market Context
- The complaint alleges the accused systems utilize "two-factor authentication" for "Commercial Advantage Transaction Authentication." (Compl. p. 7). This process is described as requiring "1. Something you know (your Commercial Advantage login credentials and password)" and "2. Something you have (the soft token or code generated by the MFA option of your choice)." (Compl. p. 7). The complaint provides a screenshot from Defendants' materials identifying available MFA options, including "Okta Verify®," "Google Authenticator," "Text message," and "Voice call." (Compl. p. 7). The complaint alleges these systems perform the functions of the claimed system, including using a computer processor, a user database, and modules for creating and transmitting tokens. (Compl. ¶¶ 22-24).
IV. Analysis of Infringement Allegations
Claim Chart Summary
- The complaint's infringement allegations for Claim 5 are summarized below. Note: As detailed in Section I, Claim 5 was cancelled by the USPTO in an Inter Partes Review proceeding subsequent to the filing of this complaint.
'658 Patent Infringement Allegations
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a user database configured to associate a user with a personal communication device possessed by the user, said personal communication device configured to communicate over a cell phone network... | Defendants' systems include a database associating users with their mobile phones, which communicate via a cell phone network. | ¶22 | col. 2:32-35 |
| a control module...configured to create a new password based at least upon a token and a passcode, wherein the token is not known to the user and wherein the passcode is known to the user... | Defendants' systems include a control module that creates a new password based on a token (the "access code") and a passcode. | ¶23 | col. 9:28-32 |
| a communication module configured to transmit the token to the personal communication device through the cell phone network; | Defendants' systems use a communication module to transmit the token to the user's device via SMS (text messaging). | ¶24 | col. 5:29-31 |
| an authentication module configured to receive the password from the user through a secure computer network, said secure computer network being different from the cell phone network... | Defendants' online banking system (a secure computer network) receives the password from the user and is different from the cell phone network used for token delivery. | ¶25 | col. 5:1-11 |
| ...wherein the authentication module activates access to the account in response to the password and deactivates the account within a predetermined amount of time after activating the account... | The authentication module activates account access upon receiving the password and deactivates access after a set time. | ¶25 | col. 9:57-60 |
Identified Points of Contention
- Claim Viability: The primary issue is that the complaint's infringement theory is based exclusively on Claim 5, which is no longer a valid patent claim. The case, as pleaded, may not be viable without amendment.
- Scope Questions: Had the claim survived, a key question would be whether the accused system's use of a standard password followed by a separate one-time code constitutes the "creat[ion of] a new password based at least upon a token and a passcode" as required by the claim. The claim language may suggest the creation of a single, new password string.
- Technical Questions: The complaint alleges the system "deactivates the account" after a predetermined time. A central technical question for the court would be to determine if the accused system's functionality (e.g., a session timeout) meets this specific limitation, which the patent specification links to deactivating the user account in the user database. (Compl. ¶25; ’658 Patent, col. 9:57-60).
V. Key Claim Terms for Construction
The cancellation of Claim 5 reduces the immediate need for claim construction. However, had the claim remained, the following terms would likely be central to the dispute.
The Term: "new password"
- Context and Importance: The claim requires a control module to "create a new password" from a token and passcode. The accused system is described as requiring login credentials and then a "soft token or code." Practitioners may focus on this term because the infringement analysis depends on whether entering two separate factors sequentially is equivalent to creating and submitting a single, combined "new password."
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The patent’s general description of two-factor authentication could be argued to support a construction where any process requiring both a passcode and a token for a single login event results in a "new password," even if the components are entered separately.
- Evidence for a Narrower Interpretation: The specification provides a specific example of concatenating a passcode ("abcd") and a token ("1234") to form a "valid password of 'abcd1234.'" (’658 Patent, col. 4:52-57). This suggests the term requires a single, combined data string.
The Term: "deactivates the account"
- Context and Importance: This limitation requires a specific action by the authentication module. Its construction is critical because a standard session timeout may not meet the claimed functionality.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The term could be interpreted to encompass any mechanism that terminates the user’s authorized access after a set time, such as invalidating a session cookie.
- Evidence for a Narrower Interpretation: The patent's process flow describes this step as "DEACTIVATE USER ACCOUNT IN USER DATABASE." (’658 Patent, FIG. 5, step 520). This language supports a narrower construction requiring a modification to the user's permanent account status in the system's backend database, not just the termination of a temporary session.
VI. Other Allegations
Willful Infringement
- The complaint does not include a formal count for willful infringement. However, the prayer for relief asks the Court to "declare this an exceptional case and award Plaintiff its reasonable attorneys' fees and costs in accordance with 35 U.S.C. § 285." (Compl. p. 10, ¶d). Such a finding can be predicated on various forms of litigation misconduct or, in some cases, willful infringement, though the factual basis for willfulness (e.g., pre-suit knowledge of the patent and infringement) is not explicitly pleaded in the complaint.
VII. Analyst’s Conclusion: Key Questions for the Case
- A threshold issue is one of procedural viability: given that Claim 5—the only claim specifically asserted in the complaint—was cancelled by the USPTO, can the plaintiff amend its complaint to state a plausible infringement claim based on one of the surviving patent claims (1, 3, 4, or 6)?
- A central question of claim scope will be whether the surviving claims can be construed to cover the accused functionality. For instance, do Defendants' systems, which require a user to enter a static password and then a separate one-time code, practice the method of creating and using a single "new password" as potentially required by the patent?
- Should the case proceed, a key evidentiary question will be one of functional operation: does the accused system's session management perform the specific function of "deactivat[ing] the account within a predetermined amount of time" in the manner described and claimed in the patent, or is there a fundamental mismatch in the technical operation?