DCT
2:24-cv-00838
Biogy Inc v. Albertsons Companies Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Biogy, Inc. (Delaware)
- Defendant: Albertsons Companies, Inc. and Albertson's LLC (Delaware)
- Plaintiff’s Counsel: Global IP Law Group, LLC
- Case Identification: 2:24-cv-00838, E.D. Tex., 10/17/2024
- Venue Allegations: Venue is alleged to be proper because Defendant conducts business, commits acts of patent infringement, and has regular and established places of business within the Eastern District of Texas.
- Core Dispute: Plaintiff alleges that Defendant’s customer account services, specifically its system for providing temporary one-time passcodes for password resets, infringes a patent related to secure authentication methods.
- Technical Context: The technology concerns cybersecurity methods for authenticating users, specifically using dynamically generated, temporary passcodes to prevent unauthorized access to accounts and systems.
- Key Procedural History: The complaint states that Plaintiff sent Defendant a notice of infringement letter and a claim chart on April 24, 2024, and followed up in August 2024, but alleges it received no substantive response.
Case Timeline
| Date | Event |
|---|---|
| 2004-12-20 | ’236 Patent Priority Date |
| 2005-04-06 | ’236 Patent Application Filing Date |
| 2010-02-23 | ’236 Patent Issue Date |
| 2024-04-24 | Plaintiff sends pre-suit notice letter to Defendant |
| 2024-04-26 | Defendant receives pre-suit notice letter |
| 2024-08-27 | Defendant requests another copy of the letter and claim chart |
| 2024-10-17 | Complaint Filing Date |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,669,236 - “Determining Whether to Grant Access to a Passcode Protected System,” issued February 23, 2010
The Invention Explained
- Problem Addressed: The patent background describes the difficulty users have in remembering numerous passwords and the susceptibility of static passwords to theft and fraud, which compromises system security (’236 Patent, col. 1:40-44).
- The Patented Solution: The invention describes a system to overcome these problems by generating temporary, single-use passcodes. A user provides identifying information (e.g., a fingerprint) to a device, which generates a passcode from a "passcode generator." A separate administrator system validates the attempt by independently generating a passcode from its own copy of the generator. Crucially, after a successful authentication, the passcode generator itself is changed or "perturbed" (e.g., via function
f(Gi)=Gi+1), so the next access attempt will require a different passcode derived from a new generator state (’236 Patent, Abstract; col. 13:58-67; FIG. 8). - Technical Importance: This method enhances security by ensuring passcodes are not static or stored long-term, mitigating risks from interception or theft, a significant problem for internet-based systems (’236 Patent, col. 4:5-18).
Key Claims at a Glance
- The complaint asserts at least independent claims 5, 12, and 24, and dependent claim 14 (Compl. ¶22).
- Independent Claim 5 (Method):
- Generating a temporary passcode via a machine, based on user-associated information.
- Determining if the generated passcode matches a received passcode to permit access.
- Wherein the generation step includes generating a "current passcode generator" and then generating the passcode from that generator.
- Upon a match, granting access, applying a function to create a "new passcode generator," and storing the new generator.
- Independent Claim 12 (Method):
- Receiving a passcode from a user at a machine.
- Retrieving a passcode generator.
- Generating a passcode from that generator.
- Determining if the generated passcode matches the received passcode.
- Upon a match, granting access, "perturbing" the generator to create a new one, and storing the new generator.
- Independent Claim 24 (Method):
- After registration, receiving a request for access that includes a "first user-generated passcode."
- Generating an "administrator-generated passcode" from a current passcode generator.
- Determining if the user-generated and administrator-generated passcodes match.
- Upon a match, generating a "new passcode generator" from the current one and storing it.
III. The Accused Instrumentality
Product Identification
The Albertsons website (Albertsons.com) and associated account management systems, specifically the functionality for resetting a forgotten password (Compl. ¶¶ 24, 25).
Functionality and Market Context
The accused functionality allows a customer who has forgotten their password to verify their identity by receiving a temporary, one-time passcode. The system sends a numerical code to the user's registered phone number or email, which the user must then enter on the website to proceed with the password reset (Compl. ¶24). The complaint includes a screenshot from the Albertsons website indicating that the provided "Code expires in 5 minutes," which supports the allegation that the passcode is temporary (Compl. p.9). The complaint alleges, on information and belief, that this system implements the Time-based One-Time Password (TOTP) algorithm (Compl. ¶¶ 24, 26).
IV. Analysis of Infringement Allegations
’236 Patent Infringement Allegations (Claim 5)
| Claim Element (from Independent Claim 5) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| generating, via a machine, a passcode that is valid temporarily... | Albertsons' system generates a verification code that it states "expires in 5 minutes." A screenshot from an Albertsons-brand app flow shows a prompt to send an "OTP (One time Passcode)." | ¶24, ¶25, p.8, p.9 | col. 27:14-17 |
| determining whether an attempted access is permitted... by at least determining whether the passcode generated matches a passcode received | The Albertsons website requires the user to enter the received code to verify their identity, thereby comparing it to the code the system generated. | ¶24, p.9 | col. 27:18-24 |
| generating a current passcode generator based on the information... | The complaint alleges on "information and belief" that the system uses a TOTP algorithm, which relies on a shared secret (the generator) associated with the user account. | ¶26 | col. 27:50-57 |
| generating the passcode from the current passcode generator | The TOTP algorithm, which the complaint alleges is used, generates the passcode from the shared secret generator. | ¶26 | col. 27:50-57 |
| applying a function to the current passcode generator to generate a new passcode generator; and storing the new passcode generator... | The complaint makes a general allegation that Albertsons performs all claimed limitations but does not provide specific facts regarding how the passcode generator is changed or perturbed after use. | ¶22 | col. 27:60-65 |
Identified Points of Contention
- Scope Questions: Claim 24 requires receiving a request for access that includes a "first user-generated passcode." The complaint describes a system where a user clicks a link to request a passcode, which is then sent to them. A question for the court will be whether this accused process can meet the "user-generated passcode" limitation as recited in the claim.
- Technical Questions: The asserted independent claims (5, 12, 24) all require a step of "perturbing," "changing," or "generating a new" passcode generator after an access attempt. The complaint alleges this occurs by stating that Albertsons performs every limitation and by referencing the TOTP standard on "information and belief" (Compl. ¶¶ 22, 26). A key technical question is what evidence exists that the accused system's underlying "passcode generator" (e.g., a shared secret in a TOTP system) is actually changed or updated after each use, as opposed to being a static secret used to generate time-variant codes.
V. Key Claim Terms for Construction
"passcode generator"
- Context and Importance: This term is the core of the claimed invention's stateful security model. Its definition, and particularly how it is "changed" or "perturbed," will be central to the dispute. Practitioners may focus on this term because the infringement allegation appears to depend on whether the static shared secret of a standard TOTP system qualifies as a "passcode generator" that is "perturbed" as the patent describes.
- Intrinsic Evidence for a Broader Interpretation: The patent specification refers to the generator as a "seed" or a "string of characters," which could be argued to encompass a static secret key (’236 Patent, col. 9:11-13).
- Intrinsic Evidence for a Narrower Interpretation: The specification repeatedly describes a process where the generator itself is updated to a new value after use, for example,
Gi+1=f(Gi)(’236 Patent, col. 13:58-62, FIG. 8). An embodiment is described where the generator is "discarded" after a single use, suggesting it is not a long-term static secret (’236 Patent, col. 3:25-28). This may support a narrower construction requiring a state change in the generator itself, not just a change in the output passcode.
"user-generated passcode" (in Claim 24)
- Context and Importance: The viability of the infringement theory for Claim 24 hinges on this term. The claim requires the initial access request to include a passcode generated by the user. The accused system, as described, does not appear to operate this way.
- Intrinsic Evidence for a Broader Interpretation: The complaint does not provide a basis from the patent for a broad interpretation. A plaintiff might argue it refers to any user-initiated data that triggers authentication.
- Intrinsic Evidence for a Narrower Interpretation: The patent describes a "passcode device" that "generates a passcode" which is then used to "submit a request for access" (’236 Patent, col. 3:22-35; FIG. 8, step 808). This language suggests the user actively generates and provides a passcode in the request, contrasting with the accused system where the user requests a code to be sent to them.
VI. Other Allegations
Indirect Infringement
While the complaint’s jurisdictional allegations mention inducement, the sole count for relief is for direct infringement under 35 U.S.C. § 271(a) (Compl. ¶¶ 8, 21-23). The complaint does not plead specific facts to support a claim for indirect infringement.
Willful Infringement
Willfulness is alleged based on pre-suit knowledge of the ’236 Patent. The complaint alleges that Defendant had knowledge of the patent and the infringement allegations as of April 26, 2024, the date it received a notice letter from Plaintiff, and that Defendant's continued infringement is therefore willful and deliberate (Compl. ¶¶ 17, 29).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the claim 24 limitation "receiving a request... including a first user-generated passcode" be construed to read on an accused system where a user's initial request does not contain a passcode, but rather prompts the system to send one to the user?
- A key evidentiary question will be one of functional proof: does the accused system's use of a TOTP algorithm, which typically relies on a static shared secret, meet the claims' requirement of "perturbing" or "generating a new passcode generator" after each authentication, or is there a fundamental mismatch in technical operation?