1:23-cv-00251
PACid Tech LLC v. Bank Of America Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: PACid Technologies, LLC (Texas)
  - Defendant: Bank of America Corporation (Delaware) and Bank of America, N.A. (United States)
  - Plaintiff’s Counsel: DINOVO PRICE LLP
 
- Case Identification: 1:23-cv-00251, W.D. Tex., 03/07/2023
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendants maintain regular and established places of business in the district, including specific physical locations in Austin, Texas, and have committed the alleged acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendant’s mobile banking applications, which utilize FIDO-compliant biometric authentication features, infringe seven patents related to systems and methods for authenticating users.
- Technical Context: The technology at issue involves secure user authentication on computing devices, specifically methods that use a unique user input, like a biometric scan, to generate and manage cryptographic secrets for securing communications with remote servers.
- Key Procedural History: The complaint alleges that Defendant had pre-suit knowledge of the patents-in-suit. This allegation is based on the prosecution history of Defendant's own U.S. patents, wherein Defendant cited a parent application of the patents-in-suit as material prior art, suggesting a basis for a willfulness claim.
Case Timeline
| Date | Event | 
|---|---|
| 2009-03-25 | Earliest Priority Date for all Patents-in-Suit | 
| 2015-01-01 | Alleged roll-out of Accused biometric security measures | 
| 2017-02-21 | U.S. Patent No. 9,577,993 Issues | 
| 2018-01-23 | U.S. Patent No. 9,876,771 Issues | 
| 2018-08-07 | U.S. Patent No. 10,044,689 Issues | 
| 2019-01-01 | U.S. Patent No. 10,171,433 Issues | 
| 2019-02-28 | Date by which Defendant allegedly learned of several patents-in-suit | 
| 2019-11-19 | U.S. Patent No. 10,484,344 Issues | 
| 2021-07-20 | U.S. Patent No. 11,070,530 Issues | 
| 2023-03-07 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,577,993 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 9577993, titled “System and Method for Authenticating Users,” issued on February 21, 2017.
The Invention Explained
- Problem Addressed: The patent family addresses the vulnerabilities of traditional authentication schemes that rely on usernames and passwords at predefined entry points, which can be exploited by malicious actors to create unauthorized access points to confidential information (U.S. Patent No. 10,044,689, col. 1:28-42).
- The Patented Solution: The invention describes a security application on a user's device that generates a "secret" based on a "unique user input" (e.g., credentials). This secret is stored locally with an identifier. When the device receives a communication from a remote server containing that identifier, it prompts the user to provide the unique input again. Upon verification, the application uses the retrieved secret to encode a communication back to the server, thereby authenticating the user without transmitting the secret itself (’993 Patent, Abstract). The system further enhances security by storing the secret file in a directory alongside "decoy files," making the true secret file "indistinguishable" from the others (U.S. Patent No. 10,044,689, col. 3:55-65).
- Technical Importance: This approach purports to improve security by eliminating the need for users to input conventional user IDs and passwords for each access request and by obscuring the location of the stored cryptographic material (Compl. ¶30).
Key Claims at a Glance
- The complaint asserts independent claims 1 and 9, along with several dependent claims (Compl. ¶48).
- Independent Claim 1 is a method claim with the following essential elements:
  - Generating a secret on a computing device according to a unique user input.
  - Storing the secret with an identifier in a directory for later retrieval via the same unique user input.
  - Receiving a first communication from a remote station that includes the identifier.
  - In response, prompting the user for the unique user input.
  - Upon verification of the input, transmitting a second communication to the remote station that is encoded using the secret.
 
U.S. Patent No. 9,876,771 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 9876771, titled “System and Method for Authenticating Users,” issued on January 23, 2018.
The Invention Explained
- Problem Addressed: As a member of the same patent family, the ’771 Patent addresses the same security vulnerabilities associated with traditional password-based authentication systems (U.S. Patent No. 10,044,689, col. 1:28-42).
- The Patented Solution: The ’771 Patent describes a substantively identical security architecture. An application on a mobile device generates and stores a secret based on a unique user input, and uses that secret to encode communications with a remote server for authentication after the user is prompted to re-enter the unique input (’771 Patent, Abstract). The specification likewise describes storing the secret file in a directory with decoy files to make it indistinguishable from them (’771 Patent, col. 4:1-5).
- Technical Importance: The technology claims to provide enhanced security and usability by replacing password entry with a unique input and by obscuring stored cryptographic keys (Compl. ¶30).
Key Claims at a Glance
- The complaint asserts at least independent claim 9 (Compl. ¶57).
- Independent Claim 9 is a system claim directed to a mobile phone comprising a processor and memory, configured to perform the following essential steps:
  - Generating a secret according to a unique user input.
  - Storing the secret with an identifier in a directory for later retrieval.
  - Receiving an identifier associated with the secret.
  - Prompting the user for the unique user input.
  - Upon receipt and verification of the input, using the secret to encode a communication with a remote computer-based station.
 
U.S. Patent No. 10,044,689 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 10044689, titled “System and Method for Authenticating Users,” issued August 7, 2018.
- Technology Synopsis: This patent, from the same family, describes a security application that generates a secret based on a unique user input. The secret is stored locally and used to encode communications for authentication after the user is prompted to verify their input in response to a challenge from a remote server.
- Asserted Claims: Claims 1-2 and 4-8 are asserted (Compl. ¶66). Independent claim 1 is a method claim.
- Accused Features: The accused features are the FIDO-compliant biometric authentication systems within Defendant's mobile banking applications (Compl. ¶66).
U.S. Patent No. 10,171,433 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 10171433, titled “System and Method for Authenticating Users,” issued January 1, 2019.
- Technology Synopsis: This patent describes the same user authentication technology, where a secret is generated from a user's unique input, stored with an identifier, and used to encode a communication after the user is prompted to re-supply the input.
- Asserted Claims: At least claim 1 is asserted (Compl. ¶75). Independent claim 1 is a method claim.
- Accused Features: The accused features are the FIDO-compliant biometric authentication systems within Defendant's mobile banking applications (Compl. ¶75).
U.S. Patent No. 10,484,344 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 10484344, titled “System and Method for Authenticating Users,” issued November 19, 2019.
- Technology Synopsis: This patent describes the same user authentication system, which uses a locally stored secret generated from a unique user input to handle authentication challenges from a remote server.
- Asserted Claims: At least claim 1 is asserted (Compl. ¶84). Independent claim 1 is a system claim.
- Accused Features: The accused features are the FIDO-compliant biometric authentication systems within Defendant's mobile banking applications (Compl. ¶84).
U.S. Patent No. 11,070,530 - "System and Method for Authenticating Users"
- Patent Identification: U.S. Patent No. 11070530, titled “System and Method for Authenticating Users,” issued July 20, 2021.
- Technology Synopsis: This patent describes the same user authentication system, where a secret tied to a unique user input is used to encode a response to an authentication challenge from a remote server.
- Asserted Claims: At least claim 1 is asserted (Compl. ¶93). Independent claim 1 is a system claim.
- Accused Features: The accused features are the FIDO-compliant biometric authentication systems within Defendant's mobile banking applications (Compl. ¶93).
III. The Accused Instrumentality
Product Identification
- The accused instrumentalities are Defendant's mobile applications, including "Bank of America Mobile Banking," "BofA Point of Sale-Mobile," "CashPro," "MyHealth BofA," and "BofA Global Card Access" (Compl. ¶34). The complaint collectively refers to these as the "FIDO-Ready Software" operating as part of a "FIDO-Ready System" (Compl. ¶33).
Functionality and Market Context
- The accused applications allow customers to access their bank accounts and conduct transactions (Compl. ¶32). They support the FIDO (Fast IDentity Online) authentication standard, which enables users to log in with biometrics such as a fingerprint or facial recognition instead of a traditional password (Compl. ¶33, ¶35). The complaint includes a screenshot from Defendant's website instructing users on how to set up fingerprint sign-in for the mobile banking app (Compl. p. 9). This functionality is alleged to provide "secure and seamless online and mobile" transactions (Compl. ¶36). The complaint alleges Defendant began rolling out these biometric features in 2015 (Compl. ¶37).
IV. Analysis of Infringement Allegations
'993 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| generating, by an application running on a computing device and according to a unique user input, a secret, | The accused applications generate a secret (a cryptographic key under the FIDO standard) after receiving a biometric input like a fingerprint or facial scan. | ¶32 | col. 27:44-48 | 
| said secret stored at the computing device with an identifier and in a directory so as to be retrievable when the unique user input is applied... | The generated secret is stored on the user's device and associated with an identifier, such that it can be used for authentication when the user provides the same biometric input again. | ¶31 | col. 27:49-54 | 
| receiving at the computing device from a remote computer-based station a first communication...including the identifier associated with the secret; | When a user initiates a login, the device receives an authentication challenge from Defendant's servers, which corresponds to the stored secret's identifier. | ¶31 | col. 27:55-58 | 
| responsive to said receiving, prompting a user for the user input...verifying said unique user input...transmitting...a second communication encoded using the secret. | The application prompts the user to "Verify your fingerprint" or "Verify your Face ID"; upon successful verification, it uses the secret to encode a response to the server's challenge. A screenshot from Defendant's website shows a prompt to "verify your fingerprint" (Compl. p. 10). | ¶31, ¶39 | col. 27:59-67 | 
'771 Patent Infringement Allegations
| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| generating, according to a unique user input, a secret, and storing said secret with an identifier and in a directory... | The accused mobile phone applications are configured to generate and store a cryptographic secret tied to a user's biometric input (e.g., fingerprint). | ¶32, ¶33 | col. 28:5-10 | 
| responsive to receiving the identifier associated with the secret, prompting, via a user interface, entry of the unique user input; and | When challenged by a remote server, the application prompts the user to provide their biometric input. The complaint includes an image from Defendant's website instructing users to "Set up Touch ID" (Compl. p. 9). | ¶31, ¶38 | col. 28:11-14 | 
| upon receipt of the unique user input, verifying said unique user input, and using said secret to encode a first communication with a remote computer-based station. | After the user provides the biometric, the application verifies it and uses the unlocked secret to encode and transmit an authentication response to Defendant's servers. | ¶31 | col. 28:15-18 | 
Identified Points of Contention
- Scope Questions: A primary question may be whether the FIDO standard's process, where a biometric input typically unlocks a pre-generated cryptographic key stored in a secure element, meets the claim language "generating... a secret... according to a unique user input." The construction of "according to" may be central to determining if there is a mismatch in technical operation.
- Technical Questions: The complaint asserts the claimed inventions are "unconventional" (Compl. ¶31). A likely point of contention will be whether the specific sequence of claimed steps is distinct from, or merely an abstract description of, the public and widely adopted FIDO authentication standard. The evidentiary burden will be on the Plaintiff to demonstrate how the accused FIDO-compliant systems practice the specific, claimed method.
- Joint Infringement: The infringement theory relies on actions taken by both the Defendant (providing the app and server infrastructure) and the end-user (providing the biometric input). The complaint alleges Defendant directs and controls its customers' actions (Compl. ¶50, ¶59). The analysis will question whether this direction and control meets the legal standard for joint infringement liability.
V. Key Claim Terms for Construction
- The Term: "unique user input" 
- Context and Importance: This term is the foundational element that triggers both the initial generation and subsequent retrieval of the "secret." The complaint equates this term with biometric data like fingerprints and facial scans (Compl. ¶32). Practitioners may focus on this term because its construction will determine whether a simple password, a passphrase, or only a non-replicable physical characteristic falls within the claim scope, and how that maps to the accused FIDO systems. 
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The specification refers to "user credentials" as an example of a "unique user input," which could be argued to encompass more than just biometrics ('993 Patent, Abstract).
  - Evidence for a Narrower Interpretation: The overall context of the invention is presented as an improvement over traditional "username and password" systems (U.S. Patent No. 10,044,689, col. 1:28-32). This context may support an interpretation that limits the term to inputs that are functionally different from conventional credentials, such as biometrics.
 
- The Term: "generating...a secret...according to a unique user input" 
- Context and Importance: This phrase defines the relationship between the user's action and the creation of the cryptographic material. The infringement allegation hinges on this claimed act being equivalent to how the accused FIDO-compliant apps operate. Practitioners may focus on this term because a key technical dispute could arise over whether the accused systems "generate" a key from the biometric data, or whether they use the biometric data merely to unlock a key that was generated independently. 
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent states the security application "allows generation of a secret according to a unique user input" ('993 Patent, Abstract), which could be interpreted broadly to mean the input is simply a required precondition for the generation process to proceed.
  - Evidence for a Narrower Interpretation: The phrase could be construed to require the "unique user input" to be a direct mathematical input into the "n-bit generator" that creates the secret. If the accused FIDO system generates its keys separately and only uses the biometric as a gatekeeper to access them, it may not meet this narrower construction.
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement. The inducement allegation is supported by claims that Defendant provides instructions and materials on its website that "encourage, direct, and/or control customers to use the infringing authentication functionality" (Compl. ¶38). The complaint provides screenshots of these instructions for setting up fingerprint and face-based sign-in (Compl. pp. 9-11). The contributory infringement allegation is based on the assertion that the accused "FIDO-Ready System" has no substantial non-infringing uses and is a material part of the invention especially adapted for infringement (Compl. ¶43, ¶53).
- Willful Infringement: The complaint alleges pre-suit willfulness, asserting that Defendant gained knowledge of the patent family during the prosecution of its own patents (U.S. Patent Nos. 10,326,588 and 10,613,777), which cited a parent of the patents-in-suit (Compl. ¶22-24, ¶101). The complaint alleges that through this activity, Defendant learned of the asserted patents no later than February 2019 (Compl. ¶28). In the alternative, willfulness is alleged based on knowledge acquired upon the filing of the complaint (Compl. ¶101).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technical operation and claim scope: Does the FIDO authentication protocol, where a biometric input typically serves to unlock a pre-existing, securely stored private key, fall within the scope of claims requiring the "generating" of a "secret" according to that same biometric input? The case may turn on whether these two processes are functionally equivalent under the doctrine of equivalents or if there is a fundamental mismatch.
- A second central question will be one of invalidity: Are the asserted claims, which describe a multi-step authentication process, patentably distinct from the prior art and the concepts embodied in public industry standards like FIDO? The court will need to determine whether the claims recite a specific, unconventional technological improvement or an abstract and obvious application of using biometrics for authentication.
- A key evidentiary question for damages will be one of willfulness: Does a defendant's citation to a plaintiff's patent family during its own patent prosecution, without more, constitute the knowledge and intent required to establish willful infringement, or is it merely a routine procedural step taken by patent counsel without broader corporate awareness of infringement?