DCT

2:25-cv-00984

Privakey Inc v. Cisco Systems Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:25-cv-00984, E.D. Tex., 10/01/2025
  • Venue Allegations: Plaintiff asserts venue is proper in the Eastern District of Texas based on Defendant maintaining regular and established places of business in Richardson and Allen, Texas; employing approximately 500 people in the district; and implementing a work-from-home policy that allegedly creates an aggregate network of business locations within the district.
  • Core Dispute: Plaintiff alleges that Defendant’s Cisco Duo Product, a user authentication platform, infringes three patents related to device-based, internet-centric authentication systems.
  • Technical Context: The lawsuit concerns the field of digital identity and security, specifically multi-factor authentication and single sign-on technologies used to secure access to online applications and services.
  • Key Procedural History: The complaint does not mention any prior litigation involving the patents-in-suit, any Patent Office proceedings such as inter partes reviews, or any licensing history. Plaintiff alleges compliance with patent marking requirements by posting the patent numbers on its commercial website.

Case Timeline

| Date | Event |
| --- | --- |
| 2014-11-07 | Earliest Priority Date for ’400, ’715, and ’234 Patents |
| 2017-11-07 | U.S. Patent No. 9,813,400 Issued |
| 2019-07-09 | U.S. Patent No. 10,348,715 Issued |
| 2021-01-26 | U.S. Patent No. 10,904,234 Issued |
| 2025-10-01 | Complaint Filed |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 9,813,400 - "Computer-Implemented Systems and Methods of Device Based, Internet-Centric, Authentication"

The Invention Explained

  • Problem Addressed: The patent describes conventional username and password authentication as "notably vulnerable to security breaches" and characterizes both hardware and software-based multi-factor authentication systems as having complicated registration, technical adoption challenges, and security vulnerabilities like social engineering or interception. (’400 Patent, col. 1:24-2:46).
  • The Patented Solution: The invention proposes a centralized system managed by a "single identity provider" (IDP) that uses an application on a user's device, such as a smartphone. This application creates and stores a cryptographic authentication token (containing a private key) on the device, which is secured by a user credential (e.g., a PIN). To log in to a third-party service, the user is challenged by the IDP; the user then enters their credential into the device application, which uses the now-decrypted private key to cryptographically approve the authentication request. This process authenticates the user by verifying something they know (the credential) and something they have (the specific device). (’400 Patent, Abstract; col. 4:46-63).
  • Technical Importance: This architecture aims to provide a more secure and user-friendly authentication method than passwords by leveraging a device that users already possess, while simplifying the management of multi-factor authentication for numerous online services through a single, brokering IDP. (’400 Patent, col. 2:46-53).

Key Claims at a Glance

  • The complaint alleges infringement of one or more claims and refers to an "exemplary claim" in an attached exhibit that was not provided with the complaint. Independent claim 1 is representative of the system described. (Compl. ¶32).
  • Independent Claim 1 of the ’400 Patent includes these essential elements:
    • A system comprising a processor at a single identity provider (IDP).
    • A non-transient computer readable storage medium at the IDP encoded with program code.
    • Program code executable by the processor for requiring an identity provider application residing on a user's device to create a respective authentication token.
    • The authentication token is specific to a user identifier, a user credential, a device identifier, and the identity provider application itself.
    • Program code for authorizing access by users to Internet services using the created authentication tokens and identifiers for the requested services.
  • The complaint reserves the right to assert additional claims, including dependent claims. (Compl. ¶32).

U.S. Patent No. 10,348,715 - "Computer-Implemented Systems and Methods of Device Based, Internet-Centric, Authentication"

The Invention Explained

  • Problem Addressed: The ’715 Patent, which is a continuation of the application that led to the ’400 Patent, addresses the same vulnerabilities of traditional authentication methods, including password theft and the cumbersomeness and security flaws of existing multi-factor authentication schemes. (’715 Patent, col. 1:22-2:53).
  • The Patented Solution: The solution is architecturally consistent with the ’400 Patent, detailing the process flow more explicitly. When a user selects a link to access a service, the service provider (relying party) communicates with the single IDP. The IDP then sends a challenge to the user's device application. The application prompts the user for their credential, uses it to decrypt a stored private key, validates an authentication challenge, and communicates approval back to the IDP. The IDP then validates this approval and redirects the user's browser to the requested service. (’715 Patent, Abstract; Fig. 7).
  • Technical Importance: The invention provides a detailed method for a centralized, device-based authentication framework that improves security by eliminating the transmission of passwords and tying authentication to a physical device, thereby streamlining access to multiple third-party services. (’715 Patent, col. 2:46-53).
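
The enrollment and challenge/approval flow summarized above for the ’400 and ’715 patents, as an added example (not code from the patents, the complaint, or Cisco Duo). Ed25519 signatures, AES-256-CBC key wrapping through Node's built-in crypto module, and all function names are assumptions chosen for illustration.

```javascript
// Added illustration: names, Ed25519 and the PEM key wrapping are assumptions.
const crypto = require('crypto');

// Device enrollment: the app creates the key pair (the "authentication token").
// The private part stays on the device, encrypted under the user credential;
// only the public part is handed to the IDP.
function enrollDevice(pin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    wrappedKey: privateKey.export({
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: pin,
    }),
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
  };
}

// Unambiguous byte encoding of what gets signed: service and nonce together.
const encode = (c) => Buffer.from(JSON.stringify([c.serviceId, c.nonce]));

// IDP: issues single-use challenges and validates approvals with the public key.
function createIdp(publicPem) {
  const pending = new Set();
  return {
    issueChallenge(serviceId) {
      const nonce = crypto.randomBytes(16).toString('hex');
      pending.add(nonce);
      return { serviceId, nonce };
    },
    validate(challenge, signatureB64) {
      const known = pending.delete(challenge.nonce); // consume: blocks replay
      if (!known || !signatureB64) return false;
      const sig = Buffer.from(signatureB64, 'base64');
      return crypto.verify(null, encode(challenge), publicPem, sig);
    },
  };
}

// Device app: the PIN unlocks the private key, which signs the challenge.
function approveChallenge(wrappedKey, pin, challenge) {
  let key;
  try {
    key = crypto.createPrivateKey({ key: wrappedKey, format: 'pem', passphrase: pin });
  } catch {
    return null; // wrong credential: the key stays locked, nothing is signed
  }
  return crypto.sign(null, encode(challenge), key).toString('base64');
}
```

A short PIN adds little once the wrapped key file has been copied off the device, since guesses can then be checked offline; in this design the protection rests on device storage (for example a hardware-backed keystore) as much as on the credential.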

Key Claims at a Glance

  • The complaint references an "exemplary claim" in an attached exhibit that was not provided. Independent claim 1 is representative of the method described. (Compl. ¶36).
  • Independent Claim 1 of the ’715 Patent includes these essential elements:
    • A system at a single IDP with a processor and storage medium.
    • Program code for requiring a device application to create and store the private key portion of an authentication token.
    • Receiving an API call from a computer server identifying a requested Internet service.
    • Automatically generating and transmitting a web page that requires the device application to prompt for a user credential.
    • Receiving an approved authentication challenge message from the device application.
    • Validating the message using the stored public key portion of the authentication token.
    • Authorizing access by re-directing the user's web browser to a call-back Internet address for the service.
  • The complaint reserves the right to assert additional claims. (Compl. ¶36).

U.S. Patent No. 10,904,234 - "Systems and Methods of Device Based Customer Authentication and Authorization"

  • Technology Synopsis: Continuing the technology family, this patent describes an "authorization service" (AS) that authenticates users for "remote services." The system involves a mobile device creating an authentication token, the AS server receiving challenge information from a remote service, transmitting that challenge to the user's mobile device, and validating a response from the device using a stored public key portion of the token to authorize the service. (’234 Patent, Abstract; col. 1:30-2:57).
  • Asserted Claims: The complaint asserts infringement of one or more claims, including at least one independent claim such as system claims 1 and 16 or method claim 19. (Compl. ¶40).
  • Accused Features: The complaint alleges that Cisco's Duo Product, which provides user authentication for applications and networks, infringes the ’234 Patent. (Compl. ¶25).

III. The Accused Instrumentality

Product Identification

  • The accused products are Cisco’s Duo Product, also referred to as "Duo" or "Cisco Duo." (Compl. ¶25). This includes a suite of components and services such as the “Duo Mobile App,” “Duo Push Authorizations,” “Duo Push,” “Duo Single Sign-On,” and “Duo Universal Prompt,” among others. (Compl. ¶3).

Functionality and Market Context

  • The complaint describes Cisco Duo as a "cloud-based secure access platform that combines multi-factor authentication, single sign-on, device trust, and adaptive policies to enforce zero-trust access to apps and networks." (Compl. ¶25). This functionality involves a mobile application (Duo Mobile App) installed on a user's device that facilitates authentication, often through "push" notifications that the user approves to gain access to a requested service. (Compl. ¶3, ¶25).

IV. Analysis of Infringement Allegations

The complaint does not contain a narrative infringement theory or specific mapping of product features to claim elements in its main body. Instead, it refers to claim chart Exhibits D, E, and F, which were not provided as part of the filed complaint document. (Compl. ¶¶32, 36, 40). The following summary table for the ’400 Patent is constructed based on the general description of the accused product in the complaint and the elements of representative independent claim 1.

’400 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| a system comprising... a processor at a single identity provider | Cisco Duo's cloud-based platform, which includes its "core IdP backend" that processes authentication requests. | ¶3, ¶25 | col. 3:1-4 |
| requiring... an identity provider application residing on each of a plurality of devices to create a respective authentication token | The "Duo Mobile App," which is installed on users' devices and is used to enroll the device and establish authentication credentials. | ¶3 | col. 4:21-25 |
| wherein the respective authentication token is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application | The Duo Mobile App's process of linking a user's account and device to the Duo service, thereby creating a device-specific credential for authentication. | ¶3, ¶25 | col. 4:9-15 |
| authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services... using the respective created authentication tokens | Cisco Duo's use of features like "Duo Push" and the "Duo Universal Prompt" to grant users access to applications and networks after successful authentication via the Duo Mobile App. | ¶3, ¶25 | col. 4:50-59 |

Identified Points of Contention

  • Technical Questions: A primary question may be whether the authentication credentials created and used by the "Duo Mobile App" meet the specific definition of an "authentication token" as claimed, which the patent specifies is tied to a user identifier, user credential, device identifier, and the application itself. (Compl. ¶3; ’400 Patent, col. 8:56-62). Evidence will be needed to show how Duo's internal technology operates.
  • Scope Questions: The claim requires a "single identity provider." A potential point of contention may be whether the Cisco Duo platform, when used as an MFA layer on top of a customer’s primary identity provider (e.g., Microsoft Azure AD), functions as the "single identity provider" contemplated by the patent, or merely as a component in a larger identity system. (Compl. ¶25; ’400 Patent, col. 3:1-2).

V. Key Claim Terms for Construction

  • The Term: "single identity provider"

  • Context and Importance: This term defines the core architecture of the claimed system. Its construction is critical because the infringement analysis depends on whether the accused Cisco Duo platform, which can integrate with other identity systems, qualifies as a "single identity provider." Practitioners may focus on whether "single" implies a monolithic, standalone system or if it can refer to a primary authentication broker in a federated environment.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The specification describes the IDP as an "authentication broker between a plurality of Relying Parties... and respective Internet user devices," suggesting its functional role as a central mediator is key, which could support a broader definition. (’715 Patent, col. 14:19-24).
    • Evidence for a Narrower Interpretation: Figures in the patents consistently depict a single "IDP Service Core" as the central hub of the system, which could suggest a more limited interpretation as one distinct, self-contained entity. (’715 Patent, Fig. 1, element 150).
  • The Term: "authentication token"

  • Context and Importance: Infringement hinges on whether the security credentials used by the Duo Mobile App constitute the claimed "authentication token." The patent describes a specific structure comprising public and private key portions, where the private key is stored on the device and encrypted with a user credential.

  • Intrinsic Evidence for Interpretation:

    • Evidence for a Broader Interpretation: The term is used generally to refer to the credential that enables the device-based authentication, which might support a construction covering functionally similar cryptographic keys, even if their generation or structure differs from the described embodiments. (’715 Patent, Abstract).
    • Evidence for a Narrower Interpretation: The detailed description specifies that the method includes creating a token with a private key portion, "encrypting the private key portion using the user credential," and storing it on the device. This language may support a narrower construction requiring this exact encryption and storage mechanism. (’715 Patent, col. 5:1-6).

VI. Other Allegations

  • Indirect Infringement: The complaint alleges that Defendant knowingly and actively induced infringement by others, "such as its customers," to directly infringe the patents-in-suit. (Compl. ¶¶27-28). This allegation may be based on Defendant providing the Cisco Duo platform along with instructions and user manuals that direct customers to use the system in an allegedly infringing manner.
  • Willful Infringement: The complaint asserts that Defendant has willfully infringed "since at least the date of this Complaint." (Compl. ¶¶27-28). This establishes a claim for post-filing willfulness, where the complaint itself serves as notice of the alleged infringement. No facts suggesting pre-suit knowledge of the patents are alleged.

VII. Analyst’s Conclusion: Key Questions for the Case

This case will likely center on the specific technical implementation of the accused Cisco Duo platform and how it maps to the language of the asserted patent claims. Two central questions are apparent:

  1. A key evidentiary question will be one of technical operation: Does the mechanism within the Cisco Duo Mobile App for creating credentials and approving authentication requests (e.g., via "Duo Push") meet the specific claim requirements for an "authentication token" and an "approved authentication challenge message," which the patent specifications describe as involving a private key encrypted by a user credential and used for digital signing?
  2. A core issue will be one of definitional scope: Can the term "single identity provider," rooted in the patent’s description of a centralized authentication broker, be construed to cover the accused Cisco Duo platform, which often functions as a multi-factor authentication component that integrates with a customer’s pre-existing primary identity provider?