DCT
2:24-cv-00401
Factor2 Multimedia Systems LLC v. Comerica Bank
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Factor 2 Multimedia Systems, LLC (Virginia)
- Defendant: Comerica Bank (Delaware)
- Plaintiff’s Counsel: DNL Zito
- Case Identification: 2:24-cv-00401, E.D. Tex., 06/01/2024
- Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established place of business in the district and has committed acts of infringement there.
- Core Dispute: Plaintiff alleges that Defendant’s online banking authentication systems infringe six patents related to methods for generating and verifying dynamic, single-use security codes.
- Technical Context: The technology at issue is multi-factor authentication, specifically the use of time-sensitive, one-time passwords to secure access to online systems, a common security feature in the financial services industry.
- Key Procedural History: The complaint notes that all six Patents-in-Suit are members of the same patent family. No other procedural events, such as prior litigation or administrative challenges, are mentioned in the complaint.
Case Timeline
| Date | Event |
|---|---|
| 2004-10-05 | Earliest Priority Date for Patents-in-Suit |
| 2012-10-02 | U.S. Patent No. 8,281,129 Issues |
| 2017-07-11 | U.S. Patent No. 9,703,938 Issues |
| 2017-07-19 | U.S. Patent No. 9,727,864 Issues |
| 2017-12-27 | U.S. Patent No. 9,870,453 Issues |
| 2018-09-05 | U.S. Patent No. 10,083,285 Issues |
| 2020-08-19 | U.S. Patent No. 10,769,297 Issues |
| 2024-06-01 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 10,769,297 - Centralized Identification and Authentication System and Method
The Invention Explained
- Problem Addressed: The patent's background describes the increasing risk of fraud in e-commerce due to customers releasing confidential information (e.g., social security and credit card numbers) to multiple businesses. It notes that this type of identification is unsafe and not "fool proof" in verifying a user's true identity (U.S. Patent No. 10,769,297, col. 1:40-52).
- The Patented Solution: The invention proposes a centralized authentication model where a trusted "Central-Entity" (e.g., a bank) issues a dynamic, non-predictable, and time-dependent "SecureCode" to a user. The user then provides this SecureCode, along with a username, to an "External-Entity" (e.g., a merchant) to prove their identity. The External-Entity verifies the code with the Central-Entity, which confirms the user’s identity without the External-Entity ever handling the user's underlying personal or financial information (’297 Patent, Abstract; col. 3:1-11; Fig. 2).
- Technical Importance: This architecture centralizes user data with a single trusted entity, aiming to reduce the attack surface for fraud by preventing the distribution of sensitive personal information across numerous online merchants and service providers ('297 Patent, col. 3:56-62).
Key Claims at a Glance
- The complaint asserts independent Claim 1 and notes infringement of claims 1-29 (Compl. ¶¶ 20, 122).
- Claim 1 recites an authentication system comprising computing devices configured to perform operations including:
- Electronically receiving a request for a "SecureCode".
- Generating the "SecureCode".
- Electronically providing the "SecureCode" to the user, where the code is invalid after a predetermined time, invalid after one use, and valid only for authenticating that user.
- Electronically receiving a "digital authentication request" that comprises a "digital identity" of the user, which includes the "SecureCode".
- Authenticating the user by evaluating the validity of the "SecureCode" in the request.
U.S. Patent No. 8,281,129 - Direct Authentication System And Method Via Trusted Authenticators
The Invention Explained
- Problem Addressed: The patent addresses the fundamental flaws in knowledge-based authentication, where secrets like SSNs are easily compromised. It also critiques prior art two-factor authentication solutions, such as hardware tokens or smart cards, as being too costly, inconvenient, or difficult for widespread consumer adoption (’285 Patent, col. 5:61-64, col. 6:1-30).
- The Patented Solution: The invention describes a "two-factor" authentication method leveraging an existing "trusted authenticator," such as a bank. An individual requests a "dynamic code" from their trusted authenticator and provides it, along with their "user information" (a static factor), to an "entity" (e.g., a business). The entity sends an authentication request with both factors to the trusted authenticator, which verifies the individual's identity and reports the result back to the entity (’129 Patent, Abstract; col. 4:41-54).
- Technical Importance: The method aims to provide strong, real-time, two-factor authentication for transactions with third parties by utilizing existing, trusted financial relationships, thereby avoiding the need for dedicated hardware tokens or new government-run identity systems ('129 Patent, col. 4:26-40).
Key Claims at a Glance
- The complaint asserts independent Claim 1 and notes infringement of claims 1-52 (Compl. ¶¶ 21, 47).
- Claim 1 recites a computer-implemented method to authenticate an individual, comprising:
- Receiving electronically a request for a "dynamic code" for the individual from the individual by a "trusted-authenticator's computer".
- Calculating by the "trusted-authenticator's computer" the "dynamic code", which is valid for a predefined time and invalid after use.
- Sending the "dynamic code" to the individual.
- Receiving by the "trusted-authenticator's computer" an "authentication request from the entity" based on "user information" and the "dynamic code".
- Authenticating by the "trusted-authenticator's computer" the individual's identity based on the user information and dynamic code, and providing the result to the entity.
U.S. Patent No. 9,703,938 - Direct Authentication System and Method Via Trusted Authenticators
- Patent Identification: U.S. Patent No. 9,703,938, "Direct Authentication System and Method Via Trusted Authenticators," issued July 11, 2017 (Compl. ¶14).
- Technology Synopsis: As a continuation of the '129 patent family, this patent refines the method for authenticating a user via an electronic transaction by having a trusted authentication system generate and validate a time-sensitive dynamic code requested by the user.
- Asserted Claims: Claims 1-26 (Compl. ¶62).
- Accused Features: The complaint accuses the "Comerica Bank Apparatus" generally of infringement (Compl. ¶¶ 3, 22).
U.S. Patent No. 9,727,864 - Centralized Identification and Authentication System and Method
- Patent Identification: U.S. Patent No. 9,727,864, "Centralized Identification and Authentication System and Method," issued July 19, 2017 (Compl. ¶15).
- Technology Synopsis: As a continuation of the '297 patent family, this patent further describes a centralized system where a central entity provides a secure, dynamic code to a user, which the user provides to an external entity for authentication, centralizing the verification process.
- Asserted Claims: Claims 1-15 (Compl. ¶77).
- Accused Features: The complaint accuses the "Comerica Bank Apparatus" generally of infringement (Compl. ¶¶ 3, 22).
U.S. Patent No. 9,870,453 - Direct Authentication System and Method Via Trusted Authenticators
- Patent Identification: U.S. Patent No. 9,870,453, "Direct Authentication System and Method Via Trusted Authenticators," issued December 27, 2017 (Compl. ¶16).
- Technology Synopsis: This patent is another continuation in the '129 patent family, further detailing the two-factor authentication method that uses a trusted authenticator to issue and verify a single-use dynamic code for a user's transaction with another entity.
- Asserted Claims: Claims 1-26 (Compl. ¶92).
- Accused Features: The complaint accuses the "Comerica Bank Apparatus" generally of infringement (Compl. ¶¶ 3, 22).
U.S. Patent No. 10,083,285 - Direct Authentication System and Method Via Trusted Authenticators
- Patent Identification: U.S. Patent No. 10,083,285, "Direct Authentication System and Method Via Trusted Authenticators," issued September 5, 2018 (Compl. ¶17).
- Technology Synopsis: This patent continues the family of the '129 patent, describing a two-factor authentication system where user-authentication information, including a time-limited and single-use code, is provided to an online system and verified by a separate authentication system.
- Asserted Claims: Claims 1-30 (Compl. ¶107).
- Accused Features: The complaint accuses the "Comerica Bank Apparatus" generally of infringement (Compl. ¶¶ 3, 22).
III. The Accused Instrumentality
Product Identification
The "Comerica Bank System and Apparatus" (the "Accused Product"), which includes the internet website www.comerica.com as well as the associated "back end systems and backbone" (Compl. ¶22).
Functionality and Market Context
The Accused Product provides online banking services to customers of Comerica Bank, a financial institution (Compl. ¶29). The complaint alleges that the product's authentication functionality uses multi-factor authentication, where a user attempting to log in is given the option to receive a "SecureCode," referred to as a "code from a text" or a "one-time password," via SMS or email (Compl. ¶30). The user is then prompted to enter this code on the Comerica Bank website to authenticate and gain access to their account. A screenshot in the complaint illustrates a step in the enrollment process: "Step 4 Enter the one-time password that was sent to your email" (Compl. p. 9). The complaint alleges this functionality is part of Comerica's stated investment in "advanced encryption methods, multi-factor authentication, and secure online banking systems" (Compl. ¶30).
IV. Analysis of Infringement Allegations
'297 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| An authentication system for enhancing computer network security by authenticating a user... comprising one or more computing devices configured to perform operations comprising: | Comerica Bank provides financial services through a website that allows users to log into accounts (Compl. ¶29). | ¶29 | col. 5:1-11 |
| while the online computer system is connected to the computing device of the user via a communication network, electronically receiving a request for a SecureCode; | After a user clicks the "Login" button, the Comerica system allegedly receives a request for a SecureCode (Compl. ¶30). | ¶30 | col. 5:12-21 |
| generating the SecureCode; | The Comerica system generates a "SecureCode," which it refers to as a "one-time password" (Compl. ¶31). | ¶31 | col. 5:31-34 |
| electronically providing to the user the SecureCode... wherein: the SecureCode is invalid after a predetermined time passes, the SecureCode is invalid after one use... and the SecureCode is only valid for authenticating the user; | The system sends the code to the user, and the complaint alleges it is rejected if not used in time, is valid for only one use, and is generated for the particular user attempting to log in (Compl. ¶¶ 32-35). | ¶¶32-35 | col. 5:35-42 |
| electronically receiving from the online computer system a digital authentication request for authenticating the user, wherein: the digital authentication request comprises a digital identity of the user, and the digital identity includes the SecureCode; | The authentication system receives a request that includes the user's username and the SecureCode, which together allegedly form the user's digital identity (Compl. ¶¶ 36-38). | ¶¶36-38 | col. 5:43-50 |
| authenticating the user by evaluating a validity of the SecureCode included in the digital authentication request. | The system validates the login if the SecureCode is valid for that particular username, allowing the user to access the application (Compl. ¶39). | ¶39 | col. 5:51-55 |
'129 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving electronically a request for a dynamic code for the individual, which request is received from the individual by a trusted-authenticators computer... | The user initiates the login process, which the complaint alleges constitutes a request for a dynamic code received by Comerica's system (Compl. ¶30). | ¶30 | col. 8:15-20 |
| calculating by the trusted-authenticators computer the dynamic code... wherein the dynamic code is valid for a predefined time and becomes invalid after being used; | Comerica's system generates a one-time password that allegedly expires after a set time and is invalid after one use (Compl. ¶¶ 31, 33, 34). | ¶¶31, 33, 34 | col. 8:21-27 |
| sending by the trusted-authenticator's computer electronically the dynamic code to the individual... | The system sends the generated code to the user via text or email (Compl. ¶30). | ¶30 | col. 8:28-31 |
| receiving by the trusted-authenticator's computer electronically an authentication request from the entity to authenticate the individual based on a user information and the dynamic code... | Comerica's system receives the user's credentials (e.g., username) and the entered one-time code for validation (Compl. ¶¶ 37, 38). | ¶¶37, 38 | col. 8:32-38 |
| authenticating by the trusted-authenticator's computer an identity of the individual based on the user information and the dynamic code... wherein the result of the authentication is provided to the entity. | The system validates the login if the username and code match, which authenticates the user and grants access (provides the result) (Compl. ¶39). | ¶39 | col. 8:39-45 |
Identified Points of Contention
- Scope Questions: Both the '297 and '129 Patents describe architectures that can be interpreted as involving three parties: a user, an entity/online system (like a merchant), and a trusted authenticator (like a bank). The accused Comerica system appears to be a two-party system where Comerica Bank acts as both the "online computer system" (the entity being accessed) and the "Central-Entity" or "trusted-authenticator" (the one issuing and checking the code). This raises the question of whether the claims, which recite receiving requests "from the entity" or "from the online computer system," can read on an architecture where these functions are performed by the same organization.
- Technical Questions: What evidence does the complaint provide that the accused product's one-time password system satisfies all claimed properties, such as being strictly "invalid after one use" and "invalid after a predetermined time passes" as required by both asserted independent claims? The complaint makes these allegations on "information and belief" without providing technical evidence beyond the product's marketing name ("one-time password").
V. Key Claim Terms for Construction
Key Terms: "online computer system" ('297 Patent) / "entity" ('129 Patent)
Context and Importance
The definition of these terms is critical because in the accused system, the party being accessed (Comerica's online banking) and the party authenticating the user (Comerica's backend) are the same. Practitioners may focus on whether these terms require a party that is separate and distinct from the "authentication system" or "trusted-authenticator". The claim language "receiving from the online computer system a digital authentication request" ('297 Patent, Claim 1) and "receiving... an authentication request from the entity" ('129 Patent, Claim 1) may suggest that the sender and receiver are different systems or legal entities.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The claims themselves do not explicitly state that the "online computer system" and the "authentication system" must be operated by different legal entities. They could be read to cover different computer modules or servers within a single organization's infrastructure.
- Evidence for a Narrower Interpretation: The specifications of both patent families frequently use examples involving a user, a third-party merchant ("External-Entity" or "business"), and a trusted financial institution ("Central-Entity" or "trusted-authenticator"), suggesting a three-party model was contemplated ('297 Patent, Fig. 2; '285 Patent, Fig. 1b). This context may support a narrower construction where the "entity" is external to the "authenticator."
VI. Other Allegations
Indirect Infringement
The complaint alleges inducement by providing software and instructions for its customers to use the infringing authentication methods (Compl. ¶24). It also alleges contributory infringement, asserting that with knowledge of the patents, Defendant supplies a material, non-staple part of the infringing system (Compl. ¶25).
Willful Infringement
The complaint alleges that Defendant's infringement "has been willful since at least as early as they became aware of the Patents-in-Suit" (Compl. ¶43). This allegation appears to be based on post-suit knowledge, as no facts supporting pre-suit knowledge are pleaded.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of architectural scope: Can the claims of the Patents-in-Suit, which often describe a three-party authentication framework (user, merchant, authenticator), be construed to cover the two-party architecture of the accused online banking system, where Comerica Bank serves as both the entity being accessed and the trusted authenticator?
- A key question of claim construction will be whether internal software communications within Comerica Bank’s integrated system can satisfy claim limitations such as receiving a request "from the entity" ('129 Patent) or "from the online computer system" ('297 Patent), language which may imply communication between distinct systems or entities.