DCT
1:24-cv-00271
PACid Tech LLC v. PNC Bank NA
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: PACid Technologies, LLC (Texas)
  - Defendant: PNC Bank, N.A. (United States)
  - Plaintiff’s Counsel: DINOVO PRICE LLP
- Case Identification: 1:24-cv-00271, W.D. Tex., 03/12/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant maintains regular and established places of business in the district, specifically in Austin, Texas.
- Core Dispute: Plaintiff alleges that Defendant’s mobile banking applications, which utilize FIDO-compliant biometric authentication features, infringe six patents related to systems and methods for authenticating users.
- Technical Context: The technology concerns secure user authentication on computing devices, a foundational element of digital security, particularly significant in the financial services industry where protecting user accounts from unauthorized access is critical.
- Key Procedural History: The complaint alleges that Plaintiff sent a "Notice Letter" to Defendant on May 11, 2023, informing Defendant of its patent portfolio and the alleged infringement. Defendant’s counsel allegedly responded on August 24, 2023. The complaint also references the prosecution history of one of the asserted patents, quoting from the Notice of Allowance to support the novelty of the claimed invention.
Case Timeline
| Date | Event | 
|---|---|
| 2009-03-25 | Earliest Priority Date for all Patents-in-Suit | 
| 2017-02-21 | U.S. Patent No. 9,577,993 Issues | 
| 2017-09-15 | Notice of Allowance for U.S. Patent No. 9,876,771 | 
| 2018-01-23 | U.S. Patent No. 9,876,771 Issues | 
| 2018-08-07 | U.S. Patent No. 10,044,689 Issues | 
| 2019-01-01 | U.S. Patent No. 10,171,433 Issues | 
| 2019-11-19 | U.S. Patent No. 10,484,344 Issues | 
| 2019-12-31 | End of Year PNC Achieved FIDO UAF Certification | 
| 2021-07-20 | U.S. Patent No. 11,070,530 Issues | 
| 2023-05-11 | Plaintiff Sends Notice Letter to Defendant | 
| 2023-08-24 | Defendant’s Counsel Responds to Notice Letter | 
| 2024-03-12 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,577,993 - System and Method for Authenticating Users (’993 Patent)
(Issued Feb. 21, 2017)
The Invention Explained
- Problem Addressed: The patent’s background section describes the vulnerabilities of traditional authentication schemes that require transmitting credentials like a username and password across a network, which creates opportunities for interception and unauthorized access (Compl. ¶22; ’993 Patent, col. 1:29-41).
- The Patented Solution: The invention proposes a system where a user's device generates a "secret" based on a "unique user input." This secret is stored locally on the device along with an identifier. When a remote computer requests authentication, it sends the identifier to the user's device, which then prompts the user for the same unique input. If the input is verified locally, the device uses the stored secret to encode a communication back to the remote computer, thereby authenticating the user without ever transmitting the secret or the user's input over the network (Compl. ¶24-25; ’993 Patent, Abstract).
- Technical Importance: This method aims to enhance security by localizing the core authentication secret, making it less susceptible to network-based attacks that target credentials in transit (Compl. ¶23).
Key Claims at a Glance
- The complaint asserts independent claims 1 and 9 (Compl. ¶45).
- Claim 1 (System Claim) essential elements:
  - A mobile device with a processor and memory storing instructions to:
    - Configure an application for communication with a remote station.
    - Receive a unique user input via a user interface.
    - Generate a secret based on the unique user input.
    - Store the secret with an identifier on the device.
    - Receive a first communication from the remote station that includes the identifier.
    - Prompt the user for the unique user input.
    - Verify the proffered user input.
    - Transmit a second communication to the remote station, encoded using the secret.
- The complaint also asserts dependent claims 2-4, 6, and 8, and reserves the right to assert others (Compl. ¶45).
U.S. Patent No. 9,876,771 - System and Method for Authenticating Users (’771 Patent)
(Issued Jan. 23, 2018)
The Invention Explained
- Problem Addressed: As a continuation in the same family, the ’771 Patent addresses the same vulnerabilities of transmitting authentication credentials across a network as the ’993 Patent (Compl. ¶22; ’771 Patent, col. 1:30-42).
- The Patented Solution: The invention describes a method where a mobile phone application generates an encrypted secret, stores it with an identifier, and uses it to encode communications after receiving a challenge from a remote station containing the identifier and verifying a unique user input. The complaint highlights the patent's prosecution history, quoting a Notice of Allowance that states the prior art fails to disclose this combination of steps (Compl. ¶26; ’771 Patent, Abstract).
- Technical Importance: The solution provides for user authentication and encrypted communication without exposing authentication credentials to third-party attacks during transmission (Compl. ¶25).
Key Claims at a Glance
- The complaint asserts at least independent claim 9 (Compl. ¶54).
- Claim 9 (Method Claim) essential elements:
  - Running an application on a mobile phone.
  - Receiving a unique user input.
  - Generating an encrypted secret.
  - Storing the encrypted secret with an identifier.
  - Responsive to receiving a first communication from a remote station that includes the identifier, and responsive to receiving a unique user input from the user, retrieving the stored encrypted secret.
  - Encoding communication between the remote station and the mobile phone using the secret.
U.S. Patent No. 10,044,689 - System and Method for Authenticating Users (’689 Patent)
(Issued Aug. 7, 2018)
- Technology Synopsis: This patent continues the family's focus on improving security by replacing traditional credential transmission with a system of local secret generation and verification. The invention allows a user's device to authenticate to a remote system by verifying a user input locally and using a locally-stored secret, thereby avoiding network exposure of sensitive credentials (Compl. ¶21-25; ’689 Patent, Abstract).
- Asserted Claims: Claims 1-2 and 4-8 (Compl. ¶63). Independent claims are 1 and 6.
- Accused Features: Defendant's "FIDO-Ready Software" and "FIDO-Ready System" that implement biometric authentication (Compl. ¶63).
U.S. Patent No. 10,171,433 - System and Method for Authenticating Users (’433 Patent)
(Issued Jan. 1, 2019)
- Technology Synopsis: This patent describes a user authentication method where a secret is generated on a mobile device from a unique user input and stored locally with an identifier. Authentication is performed by prompting the user for the input in response to a communication from a remote station, verifying it, and using the local secret to encode a reply, which enhances security over systems that transmit credentials (Compl. ¶21-25; ’433 Patent, Abstract).
- Asserted Claims: At least claim 1 (Compl. ¶72). Claim 1 is independent.
- Accused Features: Defendant's "FIDO-Ready Software" and "FIDO-Ready System" that utilize FIDO-compliant biometric login features (Compl. ¶72).
U.S. Patent No. 10,484,344 - System and Method for Authenticating Users (’344 Patent)
(Issued Nov. 19, 2019)
- Technology Synopsis: This patent details a system for authenticating users that avoids transmitting credentials over a network. It involves generating a secret on a user's device, storing it locally, and using it to encode communications with a remote server after the user provides a unique input for local verification, a process initiated by a challenge from the server (Compl. ¶21-25; ’344 Patent, Abstract).
- Asserted Claims: At least claim 1 (Compl. ¶81). Claim 1 is independent.
- Accused Features: Defendant's "FIDO-Ready Software" and "FIDO-Ready System" which provide for biometric user authentication (Compl. ¶81).
U.S. Patent No. 11,070,530 - System and Method for Authenticating Users (’530 Patent)
(Issued Jul. 20, 2021)
- Technology Synopsis: This patent describes a secure authentication framework where a secret, generated from a unique user input, is stored on the user's device. When a remote station initiates contact, the user is prompted for their input, which is verified locally to unlock the secret for encoding a secure communication back to the station, thereby strengthening security by keeping credentials off the network (Compl. ¶21-25; ’530 Patent, Abstract).
- Asserted Claims: At least claim 1 (Compl. ¶90). Claim 1 is independent.
- Accused Features: Defendant's "FIDO-Ready Software" and "FIDO-Ready System" that employ FIDO-compliant authentication protocols (Compl. ¶90).
III. The Accused Instrumentality
Product Identification
- Defendant’s "FIDO-Ready Software" and "FIDO-Ready System," which includes mobile applications such as PNC Mobile Banking (Compl. ¶30).
Functionality and Market Context
- The accused instrumentality provides software applications that enable customers to access bank accounts and conduct transactions (Compl. ¶27). The functionality at issue is the use of "passkeys" and compliance with the FIDO (Fast Identity Online) Alliance authentication protocol, specifically the FIDO Universal Authentication Framework (UAF) (Compl. ¶28). This allows users to authenticate using biometrics such as fingerprints or facial recognition instead of traditional passwords (Compl. ¶30, ¶32). The complaint includes a screenshot from the FIDO Alliance's "Passkey Directory" listing PNC as a consumer implementation, providing context for Defendant's adoption of the accused technology (Compl. p. 7). The complaint alleges that Defendant achieved FIDO UAF certification in 2019 (Compl. ¶29). A screenshot from the PNC Mobile Banking app shows a "Sign-in & Biometrics" menu, which leads to options for enabling features like Face ID (Compl. p. 10).
IV. Analysis of Infringement Allegations
’993 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a mobile device comprising: a processor... and a memory storing processor-executable instructions... | The end-user's mobile device (e.g., smartphone) running Defendant's PNC Mobile Banking application. | ¶30, ¶47 | col. 27:45-51 | 
| to configure an application... for communication with at least one remote computer-based station... | The PNC Mobile Banking app is configured to communicate with Defendant’s FIDO servers for authentication. | ¶31, ¶47 | col. 27:52-55 | 
| to receive a unique user input... | The application receives a user's biometric input, such as a fingerprint or facial scan, to enable the authentication feature. A screenshot depicts the user interface for enabling Face ID (Compl. p. 11). | ¶27, ¶30 | col. 27:55-57 | 
| to generate a secret based upon said unique user input... | Defendant's software, compliant with the FIDO standard, generates a secret (e.g., a cryptographic key or passkey) after receiving the biometric input. | ¶27 | col. 27:57-58 | 
| to store said secret with an identifier... | The generated secret is stored locally on the user's device, a core function of the FIDO UAF protocol. | ¶25, ¶28 | col. 27:59-62 | 
| to receive... a first communication from said remote computer-based station, said first communication including said identifier... | During a login attempt, Defendant's servers send an authentication challenge to the user's mobile device. | ¶25, ¶31 | col. 27:63-66 | 
| to prompt the user... for the unique user input... | The application prompts the user to provide their fingerprint or facial scan for verification to complete the login. | ¶25, ¶47 | col. 28:1-3 | 
| to transmit to the remote computer-based station a second communication encoded using said secret. | Upon successful biometric verification, the locally-stored secret is used to sign and encode a response to the server's challenge, which is then transmitted back to Defendant's servers. | ¶25, ¶31 | col. 28:6-9 | 
’771 Patent Infringement Allegations
| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| a method... comprising: by an application running on a mobile phone... receiving a unique user input... | The PNC Mobile Banking app on a user's phone receives biometric data (e.g., facial scan) to set up the authentication feature. | ¶27, ¶30 | col. 27:47-51 | 
| generating... an encrypted secret... | The FIDO-compliant software generates a cryptographic secret or passkey based on the biometric input. | ¶27 | col. 27:51-52 | 
| storing said encrypted secret with an identifier... | The generated secret is stored locally on the user's mobile device as part of the FIDO protocol implementation. | ¶25, ¶28 | col. 27:53-54 | 
| responsive to said application receiving a first communication from a remote computer-based station that includes the identifier, and responsive to said application receiving the unique user input from the user... | In response to a login challenge from PNC's servers and the user providing their biometric input, the application proceeds to the next step. | ¶25, ¶31 | col. 27:55-61 | 
| retrieving the stored encrypted secret... | The application retrieves the locally stored secret after the user's biometric input is successfully verified. | ¶26 | col. 27:61-62 | 
| encoding communication between the remote station and the mobile phone using the secret. | The retrieved secret is used to encode the response to the server's challenge, completing the authentication process. | ¶25, ¶31 | col. 27:63-65 | 
Identified Points of Contention
- Scope Questions: The patents’ specifications frequently describe the "unique user input" in the context of user credentials like usernames and passwords. A central question may be whether this term, in light of the specification, can be construed broadly enough to encompass the physiological characteristics (biometrics) used by the accused FIDO-compliant systems.
- Technical Questions: The complaint's infringement theory rests heavily on the Defendant’s use of the FIDO UAF standard. A key technical question will be whether the specific cryptographic operations of the FIDO protocol—which typically involve generating a public/private key pair and using the private key to sign a challenge from a server—perform the same function in substantially the same way as the claimed steps of "generating a secret" and "encoding a communication" with that secret.
V. Key Claim Terms for Construction
The Term: "secret"
- Context and Importance: This term is the central element of the claimed security architecture. Its construction will determine whether the cryptographic keys generated and used by the FIDO UAF protocol, which the complaint accuses, fall within the scope of the claims. Practitioners may focus on whether a FIDO private key is a "secret" as contemplated by the patent.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent abstract states the invention allows "generation of a secret according to a unique user input," without limiting the secret's form (’993 Patent, Abstract). The term is used broadly to refer to the data that secures the communication (Compl. ¶25).
  - Evidence for a Narrower Interpretation: The specification describes embodiments where "secrets" are derived from "message digests" generated from user credentials and other inputs (’993 Patent, FIG. 2A, Step 223). A defendant could argue this context limits the term "secret" to data derived in this manner, as opposed to a standard cryptographic private key.
The Term: "unique user input"
- Context and Importance: The infringement allegation depends on this term covering biometric data like fingerprints and facial scans. The dispute will likely center on whether the patent's disclosure supports such a broad reading.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claim language itself is broad. The abstract provides "user credentials" as an example ("e.g."), which suggests it is not an exhaustive list (’993 Patent, Abstract). The complaint alleges biometrics are a form of unique user input (Compl. ¶27).
  - Evidence for a Narrower Interpretation: The detailed description repeatedly discusses receiving "new user credentials," "username," and "password" as the inputs for the system (’993 Patent, FIG. 2A, Step 203; col. 13:21-25). A defendant may argue that the invention is taught in the context of alphanumeric inputs, not physiological ones.
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement, stating that Defendant instructs its customers on how to enable and use the accused biometric authentication features through its software and user-facing prompts (Compl. ¶35, ¶47-48). It further alleges contributory infringement, asserting that the FIDO-Ready Software constitutes a material part of the invention, is not a staple article of commerce, and is especially adapted for infringement (Compl. ¶50).
- Willful Infringement: Willfulness is alleged based on Defendant’s purported knowledge of the patents since at least the date it received the Plaintiff’s notice letter on May 11, 2023 (Compl. ¶19, ¶98). The complaint also asserts that Defendant continued its allegedly infringing conduct despite this notice (Compl. ¶99).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term “unique user input,” which is described in the patent specifications primarily through examples of alphanumeric credentials, be construed to cover the biometric data (e.g., fingerprints, facial scans) used by Defendant’s FIDO-compliant authentication system?
- A central technical question will be one of functional mapping: does the FIDO UAF protocol's process of generating a public/private key pair and using the private key to sign a server challenge constitute the claimed method of “generating a secret” and “encoding a communication” with that secret, or does it represent a distinct, non-infringing security architecture?