DCT
2:25-cv-00452
BrowserKey LLC v. UBS AG
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: BrowserKey, LLC (Texas)
  - Defendant: UBS AG (Switzerland) and UBS Financial Services Inc. (Delaware)
  - Plaintiff’s Counsel: Fabricant LLP
- Case Identification: 2:25-cv-00452, E.D. Tex., 04/30/2025
- Venue Allegations: Venue is alleged to be proper because Defendant UBS AG is a foreign corporation, which may be sued in any judicial district. For Defendant UBS Financial Services Inc., venue is based on its alleged regular and established places of business within the district, including an office in Plano, Texas.
- Core Dispute: Plaintiff alleges that Defendant’s mobile and web banking applications, which use biometric and token-based authentication, infringe a patent related to methods for restricting access to a website by tying authentication to a specific user device.
- Technical Context: The lawsuit concerns client-server authentication technology, specifically methods intended to enhance security beyond traditional username/password systems by generating and verifying a unique, device-specific identifier.
- Key Procedural History: The complaint does not mention any prior litigation, Inter Partes Review (IPR) proceedings, or licensing history related to the patent-in-suit.
Case Timeline
| Date | Event | 
|---|---|
| 2002-05-06 | ’262 Patent Priority Date | 
| 2007-07-24 | ’262 Patent Issued | 
| 2019-01-01 | Alleged start of infringement by Accused Products | 
| 2025-04-30 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 7,249,262 - "Method For Restricting Access To A Web Site By Remote Users," Issued July 24, 2007
The Invention Explained
- Problem Addressed: The patent addresses the security vulnerabilities of then-common authentication methods. It notes that user names and passwords can be easily shared or stolen, allowing unauthorized access from any computer, while hardware-based solutions like "dongles" are often lost, stolen, or inconvenient for genuine users (U.S. Patent No. 7,249,262, col. 1:29-56).
- The Patented Solution: The invention proposes a software-based method to tie access to a specific, authorized client machine. A client-side program generates a "machine-specific identifier" based on the unique characteristics of that machine. A server then provides a corresponding password. To gain access, the client-side software must be able to re-generate the same unique identifier and verify it corresponds to the password, effectively creating a device-specific lock and key system without requiring dedicated hardware (U.S. Patent No. 7,249,262, Abstract; col. 2:25-45).
- Technical Importance: This approach aimed to provide the security benefit of device-specific authentication without the logistical and cost burdens of distributing and managing physical hardware tokens.
Key Claims at a Glance
- The complaint asserts independent claims 1, 11, and 14.
- Independent Claim 1 (Method):
  - installing a client-side software program on the client machine for generating a client machine-specific identifier...
  - operating the client-side software program... to generate the client machine-specific identifier
  - generating a password remote from the client machine... derived from the client machine-specific identifier...
  - issuing a request by the client machine to the server computer for access...
  - responding to the request... by having the client machine re-generate its machine-specific identifier
  - verifying on the client machine whether the client machine-specific identifier re-generated... uniquely corresponds with the password...
  - recognizing the client machine as being authorized if the verification is true...
- Independent Claim 11 (Method):
  - creating a session identifier in a computer remote from the client machine...
  - transmitting to the client machine the session identifier...
  - storing the session identifier... within the client machine
  - verifying, on the client machine, that the client machine is authorized...
  - obtaining the session identifier... and storing such session identifier within a storage table remote from the client machine...
  - transmitting a request by the client machine for access... such request including the session identifier...
  - comparing the session identifier transmitted... with the session identifier stored in the storage table...
  - permitting access... if the comparison... shows that the request for access is authorized...
- Independent Claim 14 (Computer Program Product):
  - A computer program product with instructions that, when executed, perform a method comprising:
  - receiving a request from a client machine...
  - generating a password remote from the client machine... derived from... a client machine-specific identifier...
  - transmitting to the client machine instructions to re-generate the password and to verify... whether the client machine-specific identifier uniquely corresponds with the password...
  - allowing access to the data if the verification... is true...
- The complaint does not explicitly reserve the right to assert dependent claims.
III. The Accused Instrumentality
Product Identification
- The Accused Products include "all versions and variants of the UBS Web and Mobile Applications since 2019," specifically naming the UBS Financial Services Application, UBS Mobile Pass, UBS Neo, and UBS Neo FX for iOS, iPadOS, and Android, along with their supporting server infrastructure (Compl. ¶12).
Functionality and Market Context
- The complaint focuses on the authentication functionality of the Accused Products, particularly methods that allow a user to sign in to access "protected URLs" and account data on UBS servers (Compl. ¶¶19, 23). The primary accused functionality is biometric login, where a user authenticates via Apple's Touch ID or Face ID, which the complaint alleges is a process that "authorizes the client machine to access restricted data on UBS server(s)" (Compl. ¶19). The complaint includes a diagram illustrating the user flow for biometric login to the "Access App," showing prompts for facial or fingerprint recognition to access the mobile banking service (Compl., p. 9).
IV. Analysis of Infringement Allegations
7,249,262 Infringement Allegations (Claim 1)
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a. installing a client-side software program on the client machine for generating a client machine-specific identifier... | The UBS Mobile Application is installed on a client machine like a smartphone. | ¶20 | col. 12:16-21 | 
| b. operating the client-side software program on the client machine to generate the client machine-specific identifier | The UBS Mobile Application generates a "device key, certificate, public/private key pair, and/or other cryptographic material" alleged to be a client machine-specific identifier. | ¶20 | col. 12:22-24 | 
| c. generating a password remote from the client machine... the password being derived from the client machine-specific identifier... | UBS servers allegedly generate a password, such as a "nonce, token, cryptographic key, certificate, [or] cryptogram," derived from the client-generated identifier. | ¶22 | col. 12:25-31 | 
| e. responding to the request for access... by having the client machine re-generate its machine-specific identifier | When biometric authentication is enabled, UBS servers allegedly transmit instructions to the client machine to re-generate the password/identifier. | ¶24 | col. 12:35-38 | 
| f. verifying on the client machine whether the client machine-specific identifier re-generated... uniquely corresponds with the password... | The client machine allegedly verifies the identifier corresponds with the password by using biometrics (fingerprint, face) to authenticate a user and grant access to a "secure element-protected password." | ¶24 | col. 12:39-44 | 
7,249,262 Infringement Allegations (Claim 11)
| Claim Element (from Independent Claim 11) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a. creating a session identifier in a computer remote from the client machine for a current browsing session... | UBS servers allegedly create session identifiers (e.g., session ID, token, certificate) when a user agent on the client machine requests a protected URL. | ¶28 | col. 13:40-43 | 
| b. transmitting to the client machine the session identifier created in step a. | UBS servers transmit the session identifier to the client machine via the internet, for example, in HTTP response headers or bodies. | ¶29 | col. 13:44-45 | 
| c. storing the session identifier transmitted in step b. within the client machine | The UBS Mobile App stores the session identifier in secure memory on the client device. | ¶30 | col. 13:45-47 | 
| d. verifying, on the client machine, that the client machine is authorized to access data maintained on the server computer | The UBS Mobile Application allegedly verifies authorization by locally authenticating the user's biometric information when using Apple Touch ID or Face ID. | ¶31 | col. 13:48-50 | 
| g. comparing the session identifier transmitted in step f. with the session identifier stored in the storage table... | UBS servers allegedly compare the session identifier transmitted in a request from the mobile app with the corresponding identifier stored in a remote table. | ¶34 | col. 13:57-64 | 
The complaint also alleges infringement of computer program product claim 14. The allegations for this claim largely mirror the method steps of claim 1, but frame the infringement from the perspective of the server-side software (e.g., computer program product instructions for receiving a request, generating a password, and transmitting instructions for verification) (Compl. ¶¶ 36-41).
Identified Points of Contention
- Technical Question: The complaint's theory for claim 1 relies on the client machine verifying "whether the client machine-specific identifier re-generated in step e. uniquely corresponds with the password generated in step c." (Compl. ¶18). It alleges this occurs via local biometric authentication that grants access to a "secure element-protected password" (Compl. ¶24). This raises the question of whether a biometric check to unlock a local credential performs the specific comparison of a re-generated identifier against a remotely-generated password as required by the claim language.
- Scope Question: A central dispute may concern the definition of "client machine-specific identifier." The patent specification suggests an identifier determined by "particular characteristics of the particular computer" (e.g., hardware details) (’262 Patent, col. 2:34-36), while the complaint alleges it is cryptographic material like a "device key, certificate, [or] public/private key pair" (Compl. ¶20). The scope of this term will be critical to determining infringement.
V. Key Claim Terms for Construction
- Term: "client machine-specific identifier" (Claim 1)
  - Context and Importance: This term is the foundation of the patented invention, as its uniqueness to a device is what creates the security. The infringement case depends on whether the accused "device key, certificate, [or] public/private key pair" (Compl. ¶20) falls within the term's scope. Practitioners may focus on this term because its construction could either confine the claim to identifiers based on physical hardware traits or broaden it to cover software-based cryptographic keys.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The claims themselves do not specify how the identifier is generated, only that it is "substantially unique to the particular machine" (Claim 1). This lack of limitation may support an interpretation that includes any method of generating a unique device identifier, including cryptographic ones.
    - Evidence for a Narrower Interpretation: The detailed description explains that an associated software package "analyzes hardware characteristics of a particular local computer, or client machine (including hard drive characteristics, RAM characteristics, input/output device parameters and other hardware specific details)" to generate the identifier (’262 Patent, col. 10:62-col. 11:1). This explicit link to hardware characteristics could be used to argue for a narrower construction that excludes purely software-generated keys.
- Term: "verifying on the client machine" (Claim 1)
  - Context and Importance: The location and nature of the "verifying" step is a critical limitation. The complaint alleges this is met by local biometric authentication (Compl. ¶24). The viability of this infringement theory hinges on whether this action constitutes the verification required by the claim.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The claim requires verification "on the client machine" without specifying the precise mechanism. Plaintiff may argue that any on-device process that confirms authorization, such as a biometric check, satisfies this element.
    - Evidence for a Narrower Interpretation: Claim 1 requires verifying "whether the client machine-specific identifier re-generated... uniquely corresponds with the password generated in step c." The specification clarifies this, stating "the client-side software verifies that the re-generated machine-specific identifier properly corresponds with the unique password" (’262 Patent, col. 2:65-col. 3:2). This language suggests a direct comparison between two specific data elements (the identifier and the password), which may be a more specific operation than the general user authentication performed by a biometric system.
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement by asserting that UBS provides instructions, product manuals, and online documentation that encourage customers and end-users to use the Accused Products in an infringing manner (Compl. ¶¶ 42-43). Contributory infringement is alleged on the basis that the accused components are not staple articles of commerce and are known by UBS to be especially adapted for infringement (Compl. ¶44).
- Willful Infringement: Willfulness is alleged based on "information and belief" that UBS has had knowledge of the patent since its issuance, or was willfully blind. The complaint further alleges that UBS maintains a policy of not reviewing the patents of others to avoid knowledge of infringement (Compl. ¶¶ 14, 45).
VII. Analyst’s Conclusion: Key Questions for the Case
- A key evidentiary question will be one of functional operation: Does the accused system's use of biometric authentication to unlock a locally stored credential perform the specific function required by Claim 1—namely, a direct comparison on the client device between a re-generated "machine-specific identifier" and a "password" provided by a remote server? Or is there a fundamental mismatch in the technical steps of the authentication process?
- The case will also turn on a question of definitional scope: Can the term "client machine-specific identifier," which the patent specification ties to a device's hardware characteristics, be construed broadly enough to encompass the purely cryptographic keys and certificates allegedly generated by the accused UBS applications?
- A third central issue will be one of causal linkage: Can the Plaintiff establish that the "password" (e.g., a token or nonce) allegedly generated by UBS servers is "derived from," as required by Claim 1, the client-side identifier, or are the two elements generated independently in the accused system?