1:24-cv-00272
PACid Tech LLC v. Citibank NA
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: PACid Technologies, LLC (Texas)
  - Defendant: Citibank, N.A. (New York)
  - Plaintiff’s Counsel: DINOVO PRICE LLP
- Case Identification: 1:24-cv-00272, W.D. Tex., 03/12/2024
- Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Defendant maintains a regular and established place of business in the district, specifically identifying a location in San Antonio.
- Core Dispute: Plaintiff alleges that Defendant’s mobile banking applications, which utilize FIDO-compliant biometric authentication systems (passkeys), infringe six patents related to methods for authenticating users and securing communications.
- Technical Context: The technology at issue addresses methods for authenticating users on computing devices without transmitting traditional credentials like passwords over a network, a critical area of cybersecurity, particularly for the financial services industry.
- Key Procedural History: The complaint notes that during the prosecution of the ’771 Patent, the patent examiner found the claims allowable over the prior art, highlighting the novelty of retrieving a stored encrypted secret on a mobile phone responsive to a unique user input and a communication from a remote station.
Case Timeline
| Date | Event | 
|---|---|
| 2009-03-25 | Earliest Priority Date for all Patents-in-Suit | 
| 2014-12-01 | FIDO Alliance publishes UAF specification v1.0 | 
| 2017-02-21 | U.S. Patent No. 9,577,993 Issues | 
| 2017-09-15 | Notice of Allowance for ’771 Patent mentioned in complaint | 
| 2018-01-23 | U.S. Patent No. 9,876,771 Issues | 
| 2018-08-07 | U.S. Patent No. 10,044,689 Issues | 
| 2019-01-01 | U.S. Patent No. 10,171,433 Issues | 
| 2019-11-19 | U.S. Patent No. 10,484,344 Issues | 
| 2021-07-20 | U.S. Patent No. 11,070,530 Issues | 
| 2024-03-12 | Complaint Filed | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,577,993
- Patent Identification: U.S. Patent No. 9,577,993, titled "System and Method for Authenticating Users," issued on February 21, 2017.
- The Invention Explained:
  - Problem Addressed: The patent describes the vulnerabilities of traditional authentication schemes that require a user to provide credentials, such as a username and password, which are then transmitted across a network and are susceptible to interception (Compl. ¶21; ’993 Patent, col. 1:24-42).
  - The Patented Solution: The invention proposes a method where a "secret" is generated on a user's mobile device based on a "unique user input" and stored locally with an "identifier." When a remote station sends a communication containing this identifier, the device prompts the user to re-enter the unique input. Upon local verification, the device sends a second communication to the remote station that is encoded with the locally stored secret, thereby authenticating the user without transmitting the underlying credentials over the network (Compl. ¶23; ’993 Patent, col. 2:21-32, Abstract).
  - Technical Importance: This approach provides a mechanism for user authentication that avoids exposing sensitive credentials to network-based attacks, enhancing security for communications between devices (Compl. ¶24).
- Key Claims at a Glance:
  - The complaint asserts independent claim 1 and dependent claims 2-4, 6, and 8-12 (Compl. ¶41, 43).
  - Independent Claim 1 requires the essential elements of:
    - Receiving a "unique user input" on a mobile communication device.
    - Generating a "secret" based on that input.
    - "Storing said secret" on the device with an "identifier".
    - Receiving a "first communication" from a remote station that includes the "identifier".
    - In response, "prompting" the user for the input, "verifying" it, and "transmitting a second communication encoded using the secret".
U.S. Patent No. 9,876,771
- Patent Identification: U.S. Patent No. 9,876,771, titled "System and Method for Authenticating Users," issued on January 23, 2018.
- The Invention Explained:
  - Problem Addressed: The patent addresses the same security vulnerabilities associated with transmitting user authentication credentials across a network as the ’993 Patent (Compl. ¶21; ’771 Patent, col. 1:24-42).
  - The Patented Solution: The ’771 Patent claims a mobile device configured to perform a similar authentication method. A secret is generated from a unique user input and stored locally with an identifier. When the device receives a communication from a remote station, it provides the user an opportunity to respond. The device then authenticates the user by receiving a "proffered user input," generating a "candidate identifier," and recovering the secret if the candidate identifier matches the stored identifier. A second communication, encoded with the recovered secret, is then sent to the remote station (Compl. ¶23; ’771 Patent, Abstract). The complaint highlights the Notice of Allowance, which noted the novelty of "retrieving a stored encrypted secret generated by a mobile phone application" (Compl. ¶25).
  - Technical Importance: The invention provides a device-centric system for secure authentication that mitigates risks of credential interception during network transit (Compl. ¶24).
- Key Claims at a Glance:
  - The complaint asserts at least independent claim 9 (Compl. ¶52).
  - Independent Claim 9 requires the essential elements of a mobile communication device comprising a processor and memory, configured to:
    - Receive a "unique user input".
    - Generate and "store a secret" with an "identifier".
    - Upon receiving a "first communication" from a remote station, provide the user an "opportunity to respond".
    - "Authenticate the user" by receiving a "proffered user input", generating a "candidate identifier", and "recovering the secret" if the identifiers match.
    - Verify the user to the remote device via a "second communication encoded using said secret".
Multi-Patent Capsule: U.S. Patent No. 10,044,689
- Patent Identification: U.S. Patent No. 10,044,689, titled "System and Method for Authenticating Users," issued on August 7, 2018.
- Technology Synopsis: This patent is part of the same family and addresses the same fundamental problem of insecure credential transmission. The claims are directed to a method for encrypting communication by generating a secret from a unique user input on a local device and using that secret to encode communications with a remote station after local user verification (Compl. ¶21-24; ’689 Patent, Abstract).
- Asserted Claims: Claims 1-2 and 4-8 are asserted (Compl. ¶61).
- Accused Features: The complaint alleges infringement by Defendant's "FIDO-Ready Software and FIDO-Ready System" (Compl. ¶61).
Multi-Patent Capsule: U.S. Patent No. 10,171,433
- Patent Identification: U.S. Patent No. 10,171,433, titled "System and Method for Authenticating Users," issued on January 1, 2019.
- Technology Synopsis: This patent continues the theme of the asserted patent family, describing a system for user authentication that avoids transmitting credentials. It claims a method where a secret is generated and stored locally on a device, and an invitation to create the secret may be received from a remote station, with the secret later used to encode communications back to that station (Compl. ¶21-24; ’433 Patent, Abstract, Claim 15).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶70).
- Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶70).
Multi-Patent Capsule: U.S. Patent No. 10,484,344
- Patent Identification: U.S. Patent No. 10,484,344, titled "System and Method for Authenticating Users," issued on November 19, 2019.
- Technology Synopsis: This patent relates to a computing device configured to perform secure authentication. An application on the device generates a secret from a user input, and upon receiving a communication from a remote station, prompts the user for the input again to verify their identity before sending an encoded communication back to the station (Compl. ¶21-24; ’344 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶79).
- Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶79).
Multi-Patent Capsule: U.S. Patent No. 11,070,530
- Patent Identification: U.S. Patent No. 11,070,530, titled "System and Method for Authenticating Users," issued on July 20, 2021.
- Technology Synopsis: This patent describes a computing device with an application that generates and stores a secret based on a unique user input. The device is configured to respond to a communication from a remote station by prompting the user for local verification before transmitting a second, encoded communication to authenticate the user to the remote station (Compl. ¶21-24; ’530 Patent, Abstract).
- Asserted Claims: At least claim 1 is asserted (Compl. ¶88).
- Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶88).
III. The Accused Instrumentality
- Product Identification: The complaint identifies the accused instrumentalities as Defendant’s "FIDO-Ready Software," such as the "Citi Mobile" application, and related servers, which are collectively termed the "FIDO-Ready System" (Compl. ¶28, 29).
- Functionality and Market Context: The accused system implements authentication protocols compliant with the FIDO (Fast Identity Online) Alliance's Universal Authentication Framework (UAF) standard (Compl. ¶27). This functionality, marketed as implementing "passkeys," enables customers to log into their bank accounts and authorize transactions using biometric data, such as fingerprints and facial recognition, instead of traditional passwords (Compl. ¶26, 28, 30). The complaint includes a screenshot from the FIDO Alliance's "Passkey Directory" listing Citibank as a provider of such services (Compl. ¶27, p. 7). The complaint also provides screenshots from the Citi Mobile application instructing users on how to enable fingerprint and facial recognition for authentication, referred to as enrolling in "Citi® Trusted Identity" (Compl. ¶34, pp. 9-11).
IV. Analysis of Infringement Allegations
’993 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| by an application running on a mobile communication device... communicating with a user to receive a unique user input | The accused software applications receive biometric inputs from the user, such as fingerprints or facial characteristics, for authentication. | ¶26 | col. 28:1-5 | 
| generating, by said application, a secret based upon said unique user input | After receiving the biometric input, the application generates a secret, which corresponds to the private key in the FIDO passkey system. | ¶26 | col. 28:6-8 | 
| storing said secret at said mobile communication device, said secret being stored with an identifier so as to be retrievable when the unique user input is again received at the mobile device | The FIDO-compliant system stores the generated private key (secret) locally on the user's device, while a corresponding public key (identifier) is registered with Defendant's remote servers. | ¶23 | col. 28:8-13 | 
| receiving at said mobile communication device from a remote computer-based station a first communication... said first communication including the identifier associated with the secret | During a login attempt, the user's device receives a challenge from Defendant's server (the remote station) that is associated with the user's registered public key (identifier). | ¶23 | col. 28:14-18 | 
| responsive to said receiving, prompting a user for the user input... and, upon verifying said unique user input... transmitting from the mobile communication device to the remote computer-based station a second communication encoded using the secret | The application prompts the user for a biometric scan, which is verified locally by the device's operating system. The device then uses the locally stored private key (secret) to sign the server's challenge and transmits the signed response back to the server. | ¶24 | col. 28:19-27 | 
’771 Patent Infringement Allegations
| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| configuring an application... to receive a unique user input | The accused Citi Mobile application is configured to receive user biometric data, such as a fingerprint scan or facial recognition. | ¶26 | col. 28:16-20 | 
| upon receipt of said unique user input, generating a secret | The FIDO-compliant application generates a cryptographic private key (secret) on the user's device upon successful biometric enrollment. | ¶26 | col. 28:21-22 | 
| storing said secret in said storage device, said secret being stored with an identifier | The private key (secret) is stored securely on the user's mobile device, and a corresponding public key (identifier) is registered with Defendant's servers. | ¶23 | col. 28:23-26 | 
| upon receipt... of a first communication from said remote computer-based station, providing the user... an opportunity to respond | When a user initiates a login, the device receives a cryptographic challenge from Defendant's server, and the application presents an interface for the user to respond (e.g., a biometric prompt). | ¶24 | col. 28:27-32 | 
| authenticating the user by receiving... a proffered user input, generating a candidate identifier... and recovering the secret... if the candidate identifier matches the identifier | The user provides a biometric input, which the device's operating system verifies. Successful verification unlocks the locally stored private key (secret) for use. The "identifier" match corresponds to the public key cryptography process. | ¶24 | col. 28:33-39 | 
| verifying said user to the remote computing device in a second communication encoded using said secret | The device uses the unlocked private key (secret) to sign the server's challenge, and this signed response is sent back to the server, authenticating the user without sending the secret itself. | ¶24 | col. 28:40-42 | 
- Identified Points of Contention:
  - Scope Questions: The infringement theory rests on equating the patent's term "secret" with the FIDO standard's "private key" and the patent's term "identifier" with the "public key". A central question for the court will be whether the patent's description, which often refers to generating a secret from "user credentials" like a password, can be construed to cover the distinct asymmetric key pair generation process used in the accused FIDO-compliant systems. A screenshot of the Citi Mobile app for enabling "Biometric Authentication" directly supports the use of biometric inputs (Compl. ¶34, p. 9).
  - Technical Questions: The asserted claims describe a sequence where a "first communication" from a remote server initiates the user prompt on the local device. It may be a point of contention whether the accused FIDO workflow, which is often user-initiated from the client device, performs this step in the same manner as claimed. The complaint's screenshots show the user navigating menus to enable features like "Sign on with facial recognition" and toggling "Face ID®," which may suggest a user-initiated process (Compl. ¶34, pp. 10-11).
V. Key Claim Terms for Construction
- The Term: "secret"
  - Context and Importance: This term's construction is fundamental to the infringement analysis. The complaint's theory requires this term to be broad enough to encompass the cryptographic "private key" generated and stored locally in the accused FIDO-compliant systems. Practitioners may focus on whether the patent's disclosure limits the "secret" to a data structure derived directly from user credentials, as opposed to one part of an asymmetric key pair.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The term "secret" is not explicitly defined in the claims and could be argued to encompass any piece of confidential information used for authentication, including a private key.
    - Evidence for a Narrower Interpretation: The patent specification describes generating a "secrets file" using inputs like "user credentials" and a "group agreed connect name" into an "n-bit generator" (’993 Patent, col. 5:20-27). This language may support an argument that the "secret" is a specific type of symmetrically-derived data, distinct from an asymmetrically generated private key.
- The Term: "unique user input"
  - Context and Importance: The plaintiff's case relies on this term covering biometric data like fingerprints and facial scans. The defendant may argue that the term, in the context of the patent, should be limited to alphanumeric credentials.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The claim language "unique user input" is facially broad and does not contain express limitations to passwords or PINs. A biometric scan is inherently a unique user input.
    - Evidence for a Narrower Interpretation: The patent's abstract and detailed description frequently use "user credentials" as the primary example of the input, which may be argued to limit the term's scope to traditional credentials known at the time of the invention (’993 Patent, Abstract).
VI. Other Allegations
- Indirect Infringement: The complaint alleges active inducement, stating that Defendant instructs and encourages customers to use the accused biometric authentication functionality through user instructions and software-implemented prompts (Compl. ¶45, 46, 54, 55). It also alleges contributory infringement, arguing the FIDO-Ready Software is a material part of the invention, is especially adapted for infringement, and has no substantial non-infringing uses (Compl. ¶48, 57).
- Willful Infringement: Willfulness is alleged based on knowledge of the patents acquired "at least through the filing and service of the Complaint" (Compl. ¶19, 96). The complaint also pleads willful blindness as an alternative basis (Compl. ¶96).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of technical and definitional scope: can the term "secret," which the patent specification describes as being generated from "user credentials" through an "n-bit generator," be construed to cover the "private key" in the accused FIDO system, which is part of an asymmetric key pair generated through a distinct cryptographic process?
- A second key question will concern claim construction and prosecution history: how will the statements made to the patent office to distinguish the invention from prior art, as alluded to in the complaint’s reference to the ’771 Patent's Notice of Allowance, affect the scope of the asserted claims? These arguments may limit the patentee's ability to assert a broad interpretation of the claims that covers the accused technology.
- A third central issue may be one of divided infringement: given that the claimed methods involve actions performed by both the user on their device and by Defendant's remote servers, the court will need to determine whether Plaintiff can prove Defendant "directs or controls" its customers' actions sufficiently to establish liability for direct infringement under current legal standards.