1:23-cv-00607
PACid Tech LLC v. Bank Of America Corp
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: PACid Technologies, LLC (Texas)
  - Defendant: Bank of America Corporation (Delaware) and Bank of America, N.A. (United States)
  - Plaintiff’s Counsel: DINOVO PRICE LLP
 
- Case Identification: 1:23-cv-00607, W.D. Tex., 07/07/2023
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendants maintain regular and established places of business in the district, have transacted business there, and have committed acts of infringement within the district.
- Core Dispute: Plaintiff alleges that Defendants’ mobile banking applications, which utilize FIDO-standard biometric authentication, infringe six patents related to systems and methods for authenticating users without transmitting credentials across a network.
- Technical Context: The patents address security vulnerabilities in traditional user authentication by creating a locally stored "secret" on a user's device, which is accessed via a unique user input (e.g., a biometric scan) to encrypt communications with a remote server.
- Key Procedural History: The complaint alleges that Defendants had pre-suit knowledge of the asserted patent family through their own patent prosecution activities, where a parent of the patents-in-suit was cited as prior art. Plaintiff also alleges notice via a prior complaint filed in March 2023. The complaint further notes that the Examiner for one of the asserted patents found the claims novel over the prior art during prosecution.
Case Timeline
| Date | Event | 
|---|---|
| 2009-03-25 | Earliest Priority Date for all Patents-in-Suit | 
| 2015-01-01 | Defendants allegedly begin rolling out accused security measures | 
| 2017-02-21 | U.S. Patent No. 9,577,993 Issues | 
| 2018-01-23 | U.S. Patent No. 9,876,771 Issues | 
| 2018-08-07 | U.S. Patent No. 10,044,689 Issues | 
| 2019-01-01 | U.S. Patent No. 10,171,433 Issues | 
| 2019-02-01 | Plaintiff alleges Defendants learned of the patent family | 
| 2019-11-19 | U.S. Patent No. 10,484,344 Issues | 
| 2021-07-20 | U.S. Patent No. 11,070,530 Issues | 
| 2023-03-07 | Plaintiff files "First-Filed Complaint" against Defendants | 
| 2023-07-07 | Plaintiff files current Amended Complaint | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,577,993 - “System and Method for Authenticating Users,” issued February 21, 2017
The Invention Explained
- Problem Addressed: The patent describes the security risks of traditional authentication systems that require a user to transmit credentials, such as a username and password, over a network to access confidential information, creating vulnerabilities to interception (Compl. ¶31; ’993 Patent, col. 1:32-42).
- The Patented Solution: The invention proposes a method where a security application on a user's device (e.g., a mobile phone) generates a "secret" based on a unique user input. This secret is stored locally with an identifier. To authenticate, a remote server sends a communication containing this identifier to the user's device. The device then prompts the user for the unique input again; upon local verification, the device uses the retrieved secret to encode a communication back to the server, authenticating the user without ever transmitting the underlying credentials across the network (’993 Patent, Abstract; col. 2:4-17).
- Technical Importance: This approach aimed to enhance security by localizing the verification step and avoiding the transmission of static credentials, a significant concern with the rise of networked computing and mobile devices (Compl. ¶32).
Key Claims at a Glance
- The complaint asserts independent claims 1 and 9 and several dependent claims (Compl. ¶52).
- Essential elements of independent method claim 1 include:
  - Receiving a unique user input via an application on a mobile phone.
  - Generating a secret based upon the unique user input.
  - Storing the secret on the mobile phone with an identifier, making it retrievable upon re-entry of the unique user input.
  - Receiving a first communication from a remote station that includes the identifier.
  - In response, prompting the user for the unique user input, verifying it, and transmitting a second communication to the remote station that is "encoded using the secret."
 
U.S. Patent No. 9,876,771 - “System and Method for Authenticating Users,” issued January 23, 2018
The Invention Explained
- Problem Addressed: As a continuation of the '993 Patent, this patent addresses the same problem of securing user authentication and data transmission in a networked environment (Compl. ¶31; ’771 Patent, col. 1:32-42).
- The Patented Solution: The patent claims a mobile phone configured to perform a similar authentication method. It describes generating and storing a secret tied to a unique user input. A key step involves authenticating the user by receiving a "proffered user input," generating a "candidate identifier" from it, and recovering the secret from memory only if this candidate identifier matches the stored identifier (’771 Patent, Abstract; col. 27:8-13).
- Technical Importance: The claimed system provides a device-centric framework for biometric or other unique-input-based authentication that strengthens security by keeping the core verification logic on the user's device (Compl. ¶34).
Key Claims at a Glance
- The complaint asserts at least independent system claim 9 (Compl. ¶61).
- Essential elements of independent claim 9 include:
  - A mobile phone with a processor and memory storing instructions to perform steps.
  - Configuring an application to receive a unique user input and generate a secret.
  - Storing the secret with an identifier.
  - Receiving a first communication from a remote station including the identifier.
  - "Authenticating the user by receiving... a proffered user input," "generating a candidate identifier using the proffered user input," and "recovering the secret from said memory if the candidate identifier matches the identifier."
  - Verifying the user to the remote device in a second communication "encoded using said secret."
 
Multi-Patent Capsule: U.S. Patent No. 10,044,689
- Patent Identification: U.S. Patent No. 10,044,689, “System and Method for Authenticating Users,” issued August 7, 2018.
- Technology Synopsis: This patent, from the same family, is also directed to improving computer and network functionality for user authentication. The invention allows a secret to be generated from a unique user input and stored locally, enabling secure communication with a remote station without transmitting credentials over a network (Compl. ¶¶31-34).
- Asserted Claims: Claims 1-2, 4-8, with claim 1 being an independent method claim (Compl. ¶70).
- Accused Features: Defendants' FIDO-compliant software, such as the Bank of America Mobile Banking app, which uses biometric features like fingerprints for user authentication (Compl. ¶¶36-38).
Multi-Patent Capsule: U.S. Patent No. 10,171,433
- Patent Identification: U.S. Patent No. 10,171,433, “System and Method for Authenticating Users,” issued January 1, 2019.
- Technology Synopsis: A continuation in the same family, this patent discloses methods for authenticating users that avoid exposing credentials to third-party attacks. The technology involves prompting a user for a unique input upon receiving a communication from a remote station, verifying the input, and using a locally stored secret to encode a responsive communication (Compl. ¶¶33-34).
- Asserted Claims: At least claim 1, which is an independent method claim (Compl. ¶79).
- Accused Features: The infringing functionality is alleged to be the FIDO-based authentication in Defendants' mobile applications, such as CashPro and MyHealth BofA, that use facial recognition or fingerprints (Compl. ¶¶37-38).
Multi-Patent Capsule: U.S. Patent No. 10,484,344
- Patent Identification: U.S. Patent No. 10,484,344, “System and Method for Authenticating Users,” issued November 19, 2019.
- Technology Synopsis: This patent is also directed to user authentication systems that improve security over prior art methods. The claims describe a system where a secret is generated in response to a unique user input and used to encode communications, thereby preventing the transmission of vulnerable credentials like passwords across a network (Compl. ¶¶31-32).
- Asserted Claims: At least claim 1, which is an independent method claim (Compl. ¶88).
- Accused Features: Defendants' "FIDO-Ready System," which includes mobile applications and servers that enable users to log into their bank accounts using biometric authentication (Compl. ¶¶36, 38).
Multi-Patent Capsule: U.S. Patent No. 11,070,530
- Patent Identification: U.S. Patent No. 11,070,530, “System and Method for Authenticating Users,” issued July 20, 2021.
- Technology Synopsis: The most recent patent in the asserted family, it continues to claim improvements in computer functionality for secure authentication. The technology centers on generating a secret tied to a unique user input (e.g., biometric data) and storing it on the user's device to facilitate secure, encrypted communications without exposing credentials (Compl. ¶¶32, 34).
- Asserted Claims: At least claim 1, which is an independent system claim (Compl. ¶97).
- Accused Features: The accused features are Defendants' software applications and systems that are compliant with the FIDO (Fast Identity Online) Alliance standard for biometric authentication (Compl. ¶¶37, 40).
III. The Accused Instrumentality
Product Identification
The accused instrumentalities are Defendants' software applications ("FIDO-Ready Software") and associated servers ("FIDO-Ready System") that implement the FIDO authentication protocol (Compl. ¶37). Specific examples cited include Bank of America Mobile Banking, BofA Point of Sale-Mobile, CashPro, MyHealth BofA, and BofA Global Card Access (Compl. ¶37).
Functionality and Market Context
The complaint alleges that these applications allow customers to log into their bank accounts and authorize transactions using biometric features such as fingerprints and facial recognition instead of passwords (Compl. ¶¶36, 39). This functionality is described as a key security measure that provides secure and seamless online transactions (Compl. ¶40). The complaint includes a screenshot from the FIDO Alliance website identifying Bank of America as a commercial deployment of the FIDO UAF standard (Compl. p. 9). The complaint also includes screenshots from Defendants' website instructing users how to set up and use "fingerprint sign-in" and "Face ID" for their mobile banking apps (Compl. pp. 11-13). For example, a screenshot shows the "One-time setup" steps, which include using a finger-enabled device and checking a box to "Set up fingerprint sign-in" (Compl. p. 11).
IV. Analysis of Infringement Allegations
’993 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| ...communicating with a user to receive a unique user input; | A user provides a unique biometric input, such as a fingerprint or facial scan, to enroll in the authentication service on their mobile device. | ¶¶36, 43 | col. 27:45-47 | 
| ...generating, by said application, a secret based upon said unique user input; | The mobile application generates a secret, such as a private key in a cryptographic key pair, after receiving the user's biometric input. | ¶36 | col. 27:48-49 | 
| ...storing said secret at said mobile phone, said secret being stored with an identifier so as to be retrievable... | The generated secret is stored securely on the user's mobile device. | ¶34 | col. 27:50-54 | 
| ...receiving at the mobile phone from a remote computer-based station a first communication, said first communication including the identifier... | The user attempts to log in, and the mobile application receives a communication (e.g., a cryptographic challenge) from Bank of America's remote servers which initiates the authentication process. | ¶33 | col. 27:55-58 | 
| ...prompting a user via the user interface for the unique user input, verifying said unique user input, and transmitting... a second communication encoded using the secret. | The application prompts the user for their fingerprint or Face ID, verifies it locally to access the secret, and uses the secret to encode and transmit a responsive communication back to the Bank of America server. | ¶¶33, 43 | col. 27:59-65 | 
Identified Points of Contention
- Scope Questions: A central question may be whether the phrase "communication... encoded using the secret" can be construed to read on the FIDO standard's use of a private key to sign a cryptographic challenge received from a server. The parties may dispute whether "encoding" is limited to encryption for confidentiality or also covers creating a cryptographic signature for authentication.
- Technical Questions: The complaint alleges the system functions according to the patent claims but provides limited technical detail on how the FIDO protocol maps to specific limitations like the "identifier associated with the secret." The court may need to examine what technical evidence supports the allegation that the communication from the server includes an "identifier" that corresponds directly to the locally stored secret in the manner described by the patent.
’771 Patent Infringement Allegations
| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A mobile phone... storing instructions... [to] configure an application... to receive a unique user input... [and] generating a secret; | The user's mobile device (e.g., an iPhone or Android phone) runs the Bank of America application, which is configured to accept a biometric input (fingerprint/face scan) and generate a corresponding secret key. | ¶¶36, 37 | col. 28:15-23 | 
| ...storing said secret... with an identifier so as to be retrievable when the unique user input is again received; | The secret key is stored in secure storage on the mobile device. | ¶34 | col. 28:24-26 | 
| ...upon receipt... of a first communication from a remote computer-based station that includes the identifier, providing the user... an opportunity to respond... | When a user initiates a login, the application receives a challenge from the server and prompts the user for their biometric input via the device's user interface. | ¶33 | col. 28:27-32 | 
| ...authenticating the user by receiving... a proffered user input, generating a candidate identifier... and recovering the secret from said memory if the candidate identifier matches the identifier; | The user provides their fingerprint or face scan. The system allegedly uses this input to generate a "candidate identifier" and, if it matches a stored identifier, recovers the secret key. | ¶33 | col. 28:33-38 | 
| ...verifying said user to the remote computing device in a second communication encoded using said secret. | The recovered secret key is used to sign the server's challenge, and this signed response is sent back to the server, thereby verifying the user. | ¶34 | col. 28:39-41 | 
Identified Points of Contention
- Scope Questions: The construction of "generating a candidate identifier... and recovering the secret... if the candidate identifier matches the identifier" will be a primary focus. Does the FIDO process—which typically involves the operating system verifying a biometric match to grant an application access to a key stored in a secure enclave—meet this specific claim language? The defense may argue that the biometric input itself is not used to generate an "identifier" for comparison, but rather acts as a gatekeeper to unlock a pre-existing key.
- Technical Questions: What, in the accused FIDO system, is the "candidate identifier" and the "identifier" it is matched against? The complaint does not specify the technical nature of these alleged elements. The factual question will be whether the accused system performs the specific conditional recovery process recited in the claim or operates in a fundamentally different manner.
V. Key Claim Terms for Construction
’993 Patent
The Term
"communication... encoded using the secret" (Claim 1)
Context and Importance
The viability of the infringement theory may depend on whether this term is broad enough to cover the creation of a digital signature, which is central to the FIDO authentication protocol. If "encoded" is construed narrowly to mean only "encrypted" for confidentiality, it could create a mismatch with the accused functionality, which focuses on signing for authentication.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patent's abstract states the invention provides the secret "for use in encoding a communication," without specifying the purpose as confidentiality or authentication, which may support a broader reading that includes signing (’993 Patent, Abstract).
- Evidence for a Narrower Interpretation: The background section contrasts the invention with traditional encryption technology, discussing both symmetric and asymmetric encryption for transforming clear text into an "unreadable" format, suggesting the term's focus may be on confidentiality (’993 Patent, col. 1:43-58).
’771 Patent
The Term
"generating a candidate identifier using the proffered user input" and recovering the secret "if the candidate identifier matches the identifier" (Claim 9)
Context and Importance
This sequence describes the core logic of the authentication step. The infringement case against the FIDO-based system depends on whether its process of biometric verification and key access can be characterized as generating and matching identifiers. Practitioners may focus on this term because it appears to be a specific mechanism of action that may or may not be present in the accused FIDO standard.
Intrinsic Evidence for Interpretation
- Evidence for a Broader Interpretation: The patent does not appear to provide an explicit definition for "candidate identifier," which may allow for a broader interpretation that encompasses any data derived from the user input that is used in the verification process.
- Evidence for a Narrower Interpretation: The claim structure requires a specific sequence: (1) generate a candidate identifier from the input, (2) compare it to a stored identifier, and (3) recover the secret if they match. This explicit conditional logic may support a narrower construction that requires evidence of a direct comparison of generated data, not merely the unlocking of a key upon a successful biometric match determined by the operating system.
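The two mechanisms contrasted above can be sketched side by side. This is an added illustration, not code from the patents, the complaint, or any accused product. The class names, the PBKDF2-derived identifier, the exact-match stand-in for platform biometric verification, and the HMAC used in place of a public-key signature are all assumptions made so the sketch runs on the Python standard library.

```python
import hashlib
import hmac
import secrets


def derive_identifier(user_input: bytes, salt: bytes) -> bytes:
    # Assumed derivation (PBKDF2); the page does not say how an identifier is computed.
    # An exact-match hash only works for exact inputs; real biometric samples are noisy.
    return hashlib.pbkdf2_hmac("sha256", user_input, salt, 10_000)


def encode_response(key: bytes, challenge: bytes) -> bytes:
    # HMAC stands in for the signature over the server challenge (assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verifies(key: bytes, challenge: bytes, response) -> bool:
    # Server side of the challenge-response: recompute and compare in constant time.
    return response is not None and hmac.compare_digest(
        encode_response(key, challenge), response)


class IdentifierMatchDevice:
    """Sequence (1)-(3): derive a candidate identifier, compare it, recover the secret."""

    def __init__(self, enrolled_input: bytes):
        self.salt = secrets.token_bytes(16)
        self.identifier = derive_identifier(enrolled_input, self.salt)
        self.secret = secrets.token_bytes(32)

    def respond(self, challenge: bytes, proffered_input: bytes):
        candidate = derive_identifier(proffered_input, self.salt)   # (1) generate
        if not hmac.compare_digest(candidate, self.identifier):     # (2) compare
            return None
        return encode_response(self.secret, challenge)              # (3) recover and use


class GatekeeperDevice:
    """The platform returns a yes/no verdict; the app compares no input-derived data."""

    def __init__(self, platform_matcher):
        self.matcher = platform_matcher      # stand-in for OS-level biometric verification
        self.key = secrets.token_bytes(32)   # created independently of the user input

    def respond(self, challenge: bytes, sample: bytes):
        if not self.matcher(sample):
            return None
        return encode_response(self.key, challenge)


def run_demo():
    # All inputs below are constructed sample values.
    challenge = secrets.token_bytes(32)
    a = IdentifierMatchDevice(b"constructed-input")
    b = GatekeeperDevice(lambda s: s == b"constructed-template")
    return {
        "match_ok": server_verifies(a.secret, challenge, a.respond(challenge, b"constructed-input")),
        "match_bad": server_verifies(a.secret, challenge, a.respond(challenge, b"wrong")),
        "gate_ok": server_verifies(b.key, challenge, b.respond(challenge, b"constructed-template")),
        "gate_bad": server_verifies(b.key, challenge, b.respond(challenge, b"wrong")),
    }


if __name__ == "__main__":
    print(run_demo())
```

Both devices return the same kind of response to the server. They differ only in the local step: the first stores and compares data derived from the input, while the second holds nothing derived from the input and acts on the platform's verdict.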
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement by asserting that Defendants provide the accused mobile applications and instruct their customers on how to set up and use the allegedly infringing biometric authentication features through materials on their website (Compl. ¶¶42, 55, 64). It further alleges contributory infringement, stating that the accused software is a material part of the invention, is especially adapted for infringement, and has no substantial non-infringing uses (Compl. ¶¶57, 66).
- Willful Infringement: Willfulness is alleged based on two grounds. First, the complaint alleges pre-suit knowledge because Defendants cited a parent of the patents-in-suit during the prosecution of their own patents, and therefore knew or should have known of the patent family no later than February 2019 (Compl. ¶¶22-28, 105). Second, it alleges knowledge based on the service of a prior complaint on March 13-14, 2023, after which Defendants allegedly continued their infringing conduct (Compl. ¶¶29, 106).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: Can claim terms such as "communication... encoded using the secret" and "generating a candidate identifier" be construed broadly enough to cover the technical operations of the accused FIDO security standard, which relies on public-key cryptography and challenge-response signatures rather than direct encoding of communications or identifier matching as literally described?
- A key evidentiary question will be one of functional operation: Does the accused system perform the specific, conditional logic required by claims like Claim 9 of the ’771 patent—namely, generating an identifier from a biometric input and recovering a secret only if that identifier matches a stored value—or does it use a fundamentally different mechanism, such as an operating system-level biometric verification that simply unlocks access to a pre-existing cryptographic key?
- A third central question relates to knowledge and intent: What evidence will demonstrate that Defendants, in providing FIDO-compliant security features common in the banking industry, possessed the specific intent required for induced infringement and acted with the requisite culpability for willful infringement, particularly based on knowledge allegedly derived from their own patent prosecution activities?