DCT

2:25-cv-00445

BrowserKey LLC v. JPMorgan Chase & Co


I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:25-cv-00445, E.D. Tex., 04/28/2025
  • Venue Allegations: Venue is alleged to be proper based on Defendant maintaining regular and established places of business within the Eastern District of Texas.
  • Core Dispute: Plaintiff alleges that Defendant’s mobile banking applications, which use biometric and other modern authentication methods, infringe a patent related to methods for restricting access to a web site by tying authentication to a specific client machine.
  • Technical Context: The lawsuit concerns client-server authentication technology, a foundational component for securing access to sensitive data, particularly in the financial services industry where robust security for mobile applications is critical.
  • Key Procedural History: The complaint does not reference any prior litigation involving the patent-in-suit, any post-grant proceedings before the USPTO, or any prior licensing activities.

Case Timeline

| Date | Event |
|---|---|
| 2002-05-06 | ’262 Patent Priority Date |
| 2007-07-24 | ’262 Patent Issue Date |
| 2019-01-01 | Accused JPMorgan Mobile Applications available (earliest date alleged) |
| 2025-04-28 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,249,262 - “Method For Restricting Access To A Web Site By Remote Users” (issued July 24, 2007)

The Invention Explained

  • Problem Addressed: The patent addresses the security vulnerabilities of then-common authentication methods. It notes that username/password systems are easily defeated if the credentials are stolen, and hardware-based tokens ("dongles") can be lost, stolen, or shared, allowing unauthorized access from any computer (’262 Patent, col. 1:29-58).
  • The Patented Solution: The invention proposes a software-based method to tie access rights to a specific, pre-authorized client machine. It describes installing a client-side program that generates a "machine-specific identifier" based on the unique hardware characteristics of that machine. A password, derived from this identifier, is provided to the user. To gain access, the client machine must re-generate the identifier and verify that it corresponds to the password, a check that can only succeed on the original, authorized machine (’262 Patent, Abstract; col. 2:25-45). This creates a security layer that depends not just on what the user knows (password) but on the specific device they are using.
  • Technical Importance: This approach represented an effort to move beyond simple knowledge-based authentication toward a system that incorporates a factor tied to the physical device itself, thereby increasing security by preventing valid credentials from being used on an unauthorized machine (’262 Patent, col. 1:59-67).

Key Claims at a Glance

  • The complaint asserts independent claims 1, 11, and 14.
  • Independent Claim 1 (Method): Essential elements include (a) installing client-side software to generate a unique machine-specific identifier; (b) operating it to generate the identifier; (c) generating a password remote from the client that is derived from the identifier; (d) requesting access; (e) responding by having the client re-generate the identifier; (f) verifying on the client machine that the re-generated identifier corresponds to the password; and (g) granting or denying access based on the verification.
  • Independent Claim 11 (Method): Essential elements describe a session-based authentication method, including (a) creating a session identifier on a remote computer; (b, c) transmitting it to and storing it on the client machine; (d) verifying authorization on the client; (e) storing the session ID in a remote table if the client is verified; (f) including the session ID in subsequent requests; (g) comparing the transmitted ID with the stored ID; and (h) permitting or denying access based on the comparison.
  • Independent Claim 14 (Computer Program Product): A claim for a computer program product with instructions to perform a method comprising (a) receiving an access request; (b) generating and providing a password derived from a client machine-specific identifier; (c) transmitting instructions to the client to re-generate the password and verify correspondence; and (d) allowing or denying access based on the verification.
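
The Claim 1 flow summarized above (identifier generation, remote password derivation, client-side re-generation and verification), as an added Python sketch that is not code from the patent, the complaint, or any accused product. The hardware attribute names, the SHA-256 derivation, and all function names are assumptions made for illustration; the page does not say how the patent derives the password.

```python
import hashlib
import hmac

# Constructed sample hardware profiles (not real devices).
AUTHORIZED = {"cpu_serial": "CPU-0001", "disk_serial": "DSK-42A7", "mac": "02:00:00:aa:bb:cc"}
OTHER = {"cpu_serial": "CPU-0001", "disk_serial": "DSK-9F10", "mac": "02:00:00:aa:bb:cc"}


def machine_identifier(hw: dict) -> str:
    """Steps (a), (b), (e): client derives an identifier from hardware traits."""
    # Sort keys so the same machine always yields the same identifier.
    canonical = "|".join(f"{key}={hw[key]}" for key in sorted(hw))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_password(identifier: str) -> str:
    """Step (c): run remote from the client; password is derived from the identifier.

    Assumption: an unkeyed, domain-separated hash, so the client can recompute it.
    """
    digest = hashlib.sha256(b"pw-v1:" + identifier.encode()).hexdigest()
    return "-".join(digest[i:i + 4] for i in range(0, 16, 4))


def client_verify(hw: dict, password: str) -> bool:
    """Steps (e), (f): re-generate the identifier locally and check correspondence."""
    expected = issue_password(machine_identifier(hw))
    return hmac.compare_digest(expected, password)


def request_access(hw: dict, password: str) -> str:
    """Step (g): access decision follows the client-side verification result."""
    return "granted" if client_verify(hw, password) else "denied"


if __name__ == "__main__":
    password = issue_password(machine_identifier(AUTHORIZED))  # enrollment
    print(request_access(AUTHORIZED, password))  # original machine
    print(request_access(OTHER, password))       # same password, different disk
```

In this sketch the binding is only as strong as the difficulty of reproducing the hardware attributes elsewhere, because the derivation is unkeyed and the verification result is computed by the client itself.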

III. The Accused Instrumentality

Product Identification

  • The accused products are the "JPMorgan Mobile Applications," which include the Chase Mobile, Chase Pay, JPMorgan Mobile, and Nutmeg applications for iOS, iPadOS, and Android, along with all supporting servers and infrastructure (Compl. ¶9).

Functionality and Market Context

  • The complaint alleges that these applications implement biometric (e.g., Apple's Face ID/Touch ID), token-based, and/or passwordless authentication systems (Compl. ¶9). The core accused functionality is the method by which a user's mobile device (the client machine) authenticates itself with JPMorgan's servers to gain access to sensitive financial data (Compl. ¶16). This authentication process allegedly involves generating and verifying device-specific cryptographic material to ensure that access is granted only from an authorized and recognized device (Compl. ¶17, ¶19). A screenshot provided in the complaint shows a marketing message for the Chase Mobile app, stating it "supports Apple's Face ID and Touch ID and Google's Fingerprint Login for quick and secure account access," thereby highlighting the biometric feature (Compl. p. 6).

IV. Analysis of Infringement Allegations

’262 Patent Infringement Allegations (Claim 1)

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a. installing a client-side software program on the client machine for generating a client machine-specific identifier, the client machine-specific identifier being substantially unique... | The Chase Mobile app is installed on a client device (e.g., a smartphone) and generates a unique identifier such as a device key, certificate, or key pair. | ¶17 | col. 7:25-31 |
| c. generating a password remote from the client machine... the password being derived from the client machine-specific identifier... | JPMorgan's servers allegedly generate a password (e.g., a token, nonce, or cryptogram) that is derived from the identifier generated on the client device. | ¶19 | col. 8:20-33 |
| e. responding to the request for access... by having the client machine re-generate its machine-specific identifier; | JPMorgan's servers allegedly transmit instructions to the client app to re-generate the password or identifier. | ¶21 | col. 2:60-63 |
| f. verifying on the client machine whether the client machine-specific identifier re-generated in step e. uniquely corresponds with the password generated in step c.; | The complaint alleges verification occurs on the client device, for example, when a user's biometric data (fingerprint, face) unlocks a secure element-protected password/key for comparison. | ¶21 | col. 3:6-9 |
| g. recognizing the client machine as being authorized... if the verification performed by step f. is true... | If the sign-in on the client machine is successful, JPMorgan's servers authorize access to the user's account data. | ¶22 | col. 3:1-4 |

’262 Patent Infringement Allegations (Claim 11)

| Claim Element (from Independent Claim 11) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a. creating a session identifier in a computer remote from the client machine... | JPMorgan server computers are alleged to create one or more session identifiers (e.g., a session ID, token) when a user initiates a session. | ¶25 | col. 3:13-20 |
| d. verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer; | The Chase Mobile App allegedly verifies that a user is authorized by using local biometric authentication (e.g., Face ID) to validate that the session ID shows a logged-in user. The complaint includes a screenshot of a prompt asking the user to enable Face ID for faster sign-in (Compl. p. 12). | ¶28 | col. 9:8-15 |
| e. obtaining the session identifier stored in step c., and storing such session identifier within a storage table remote from the client machine if such client machine was verified... | Once the user logs in via biometric authentication, the JPMorgan server system obtains the session identifier from the client and stores it in a remote table. A screenshot shows a "My devices" page that tracks active devices that have accessed the user's account (Compl. p. 14). | ¶29 | col. 3:45-54 |
| g. comparing the session identifier transmitted in step f. with the session identifier stored in the storage table... to determine whether the request for access... is authorized; | JPMorgan's servers are alleged to remotely compare the session identifier transmitted from the client app with the corresponding identifier stored in its server-side table. | ¶31 | col. 4:45-54 |

Identified Points of Contention

  • Scope Questions: A central dispute may arise over whether the term "password," as used in the patent, can be construed to encompass the modern cryptographic constructs (e.g., tokens, nonces, signed keys) that the complaint alleges are used by the Accused Products (Compl. ¶19). The patent specification describes a user entering a password, which may suggest a narrower scope than what Plaintiff alleges (’262 Patent, col. 8:62-65).
  • Technical Questions: Claim 1 requires "verifying on the client machine." The complaint maps this to the use of biometrics to unlock a secure key on the device (Compl. ¶21). A key technical question will be what evidence supports that this local action constitutes the claimed "verification," as opposed to a server-side comparison of cryptographic material being the dispositive verification step. Similarly, for Claim 11, the complaint alleges "verifying, on the client machine" (step d) and later "comparing" on the server (step g), raising the question of whether these are distinct actions and whether the local verification meets the specific requirements of the claim.

V. Key Claim Terms for Construction

The Term: "password" (Claim 1)

  • Context and Importance: This term's construction is critical because the infringement theory depends on it covering modern authentication data like cryptographic tokens, nonces, and keys, not just a traditional, human-memorable string (Compl. ¶19). Practitioners may focus on this term because its scope will determine whether the patent, filed in 2002, can read on the accused 2019-era technology.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent's objective is to provide secure access tied to a machine. The claims use the general term "password" without further qualification, which could be argued to cover any secret data derived from the machine identifier and used for authentication.
    • Evidence for a Narrower Interpretation: The specification repeatedly refers to a user entering a password, and the figures depict a step where a user would "Enter password into DLL" (’262 Patent, col. 8:62-65; Fig. 2B, block 50). This may support an interpretation limited to a user-entered value.

The Term: "verifying on the client machine" (Claim 1)

  • Context and Importance: The location of the verification step is a specific limitation. The complaint alleges this is met by the local biometric authentication process that grants the app access to a secure key (Compl. ¶21). The defense may argue the final, determinative verification occurs on the server.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent states that the comparison of the re-generated identifier to the password is "preferably by the client-side software itself" (’262 Patent, col. 2:61-63). This suggests the patent contemplates the verification logic residing on the client.
    • Evidence for a Narrower Interpretation: The claim requires verifying that the re-generated identifier "uniquely corresponds" with the password. An argument could be made that a biometric scan merely unlocks a stored credential, and that the actual cryptographic comparison of correspondence happens elsewhere, potentially on the server, after the unlocked credential is used.

VI. Other Allegations

  • Indirect Infringement: The complaint alleges induced infringement, stating that JPMorgan provides instructions, documentation, and marketing materials that encourage customers to use the accused mobile applications in an infringing manner (Compl. ¶40). It also pleads contributory infringement, alleging the accused components are material, not staple articles of commerce, and are known by JPMorgan to be specially adapted for infringing use (Compl. ¶41).
  • Willful Infringement: Willfulness is alleged based on JPMorgan's purported knowledge of the patent since its issuance, or alternatively, on willful blindness (Compl. ¶11). The complaint asserts that JPMorgan has a policy of not reviewing patents of others and lacks internal mechanisms for employees to report potential infringement, thereby deliberately avoiding knowledge (Compl. ¶11, ¶42).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "password", originating in a 2002 patent application that describes user-entered data, be construed to cover the machine-to-machine exchange of cryptographic tokens, nonces, and keys used in modern mobile banking authentication?
  • A key evidentiary question will be one of functional locus: does the local biometric process on the accused mobile apps—which unlocks a secure credential—constitute "verifying on the client machine" as required by the claims, or is the dispositive authentication check a "comparison" that occurs on JPMorgan's servers, potentially creating a mismatch with the patent's claimed method?
  • A third question concerns the interplay between different claim limitations and the accused system's workflow: how does the "verifying on the client machine" required by Claim 11, step (d) relate to the remote "comparing" in step (g), and what evidence will show that both distinct steps are performed as claimed?