DCT
1:24-cv-00321
PACid Tech LLC v. USAA Federal Savings Bank
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: PACid Technologies, LLC (Texas)
  - Defendant: USAA Federal Savings Bank (Texas)
  - Plaintiff’s Counsel: DINOVO PRICE LLP
 
- Case Identification: 1:24-cv-00321, W.D. Tex., 03/27/2024
- Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established physical place of business within the Western District of Texas.
- Core Dispute: Plaintiff alleges that Defendant’s mobile banking applications, which use biometric and passkey authentication compliant with the FIDO Security Standard, infringe six patents related to systems and methods for authenticating users.
- Technical Context: The technology concerns secure user authentication methods that avoid transmitting traditional credentials like passwords over a network, a critical security feature in modern online and mobile banking.
- Key Procedural History: The complaint notes that the FIDO Alliance published version 1.0 of its Universal Authentication Framework (UAF) specification in December 2014. It also quotes a Notice of Allowance for one of the patents-in-suit, in which the USPTO Examiner noted the novelty of retrieving a stored encrypted secret using a unique user input received by a mobile phone.
Case Timeline
| Date | Event | 
|---|---|
| 2009-03-25 | Earliest Priority Date for all Patents-in-Suit | 
| 2014-12-01 | FIDO Alliance publishes UAF 1.0 Specification | 
| 2017-02-21 | U.S. Patent No. 9,577,993 Issues | 
| 2018-01-23 | U.S. Patent No. 9,876,771 Issues | 
| 2018-08-07 | U.S. Patent No. 10,044,689 Issues | 
| 2019-01-01 | U.S. Patent No. 10,171,433 Issues | 
| 2019-11-19 | U.S. Patent No. 10,484,344 Issues | 
| 2021-07-20 | U.S. Patent No. 11,070,530 Issues | 
| 2024-03-27 | Complaint Filing Date | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,577,993
- Patent Identification: U.S. Patent No. 9,577,993, "System and Method for Authenticating Users," issued February 21, 2017.
- The Invention Explained:
  - Problem Addressed: The patent addresses vulnerabilities in traditional authentication schemes that require users to transmit credentials, such as a username and password, across a network to a predefined entry point (Compl. ¶20; '689 Patent, col. 1:28-39). This process exposes credentials to interception by malicious actors who could then gain unauthorized access to confidential information (Compl. ¶20).
  - The Patented Solution: The invention proposes a method where a "secret" is generated on a user's local device based on a "unique user input" and stored there with an identifier ('689 Patent, Abstract). When a remote server requests authentication, it sends the identifier to the user's device, which then prompts the user for the same unique input. After local verification, the device uses the secret to encode a communication back to the server, authenticating the user without ever transmitting the underlying credentials across the network (Compl. ¶22).
  - Technical Importance: This approach allows for user authentication and encrypted communications without exposing credentials to interception during transmission over a network (Compl. ¶23).
 
- Key Claims at a Glance:
  - The complaint asserts independent claims 1 and 8, and dependent claims 2-4, 6, and 9-12 (Compl. ¶40).
  - Independent Claim 1 (Method):
    - Receiving a unique user input at a computing device;
    - Generating a secret based upon the unique user input;
    - Storing the secret at the device with an identifier;
    - Receiving a first communication from a remote station that includes the identifier;
    - Prompting the user for the unique user input in response;
    - Verifying the unique user input; and
    - Transmitting a second communication encoded using the secret to the remote station.
  - Independent Claim 8 (System):
    - A non-transitory computer-readable medium with instructions that, when executed by a processor, perform a method substantively identical to Claim 1.
 
 
U.S. Patent No. 9,876,771
- Patent Identification: U.S. Patent No. 9,876,771, "System and Method for Authenticating Users," issued January 23, 2018.
- The Invention Explained:
  - Problem Addressed: This patent, part of the same family as the '993 Patent, addresses the same technical problem of securing user authentication by avoiding the transmission of credentials across a network (Compl. ¶20; '689 Patent, col. 1:28-39).
  - The Patented Solution: The solution is a system and method for local, input-based authentication. The complaint highlights a quote from the '771 Patent's Notice of Allowance, where the USPTO Examiner identified as novel the "retrieving a stored encrypted secret generated by a mobile phone application...responsive to the application receiving a unique user input from the user...and responsive to receiving a first communication from a remote computer-based station that includes the identifier" (Compl. ¶24). This underscores the core inventive concept of using a local secret, unlocked by user input, in response to a remote challenge.
  - Technical Importance: This method enhances security by ensuring the user's secret is stored locally and used only upon local verification of the user's input, preventing its exposure to network-based attacks (Compl. ¶23).
 
- Key Claims at a Glance:
  - The complaint asserts at least independent claim 9 (Compl. ¶51).
  - Independent Claim 9 (System):
    - A mobile device comprising a processor, storage device, and memory with instructions that cause the processor to:
    - Configure an application for communication with a remote station, including receiving a unique user input;
    - Generate a secret upon receipt of the unique user input;
    - Store the secret in the storage device with an identifier;
    - Provide the user an opportunity to respond upon receipt of a first communication from the remote station;
    - Authenticate the user by receiving a proffered user input and recovering the secret if a candidate identifier generated from the proffered input matches the stored identifier; and
    - Verify the user to the remote device in a second communication encoded with the secret.
 
 
Multi-Patent Capsules
- U.S. Patent No. 10,044,689:
  - Patent Identification: U.S. Patent No. 10,044,689, "System and Method for Authenticating Users," issued August 7, 2018.
  - Technology Synopsis: The patent describes a security application on a device like a mobile phone that generates and stores a local "secret" based on a unique user input. This secret is later used to encode communications with a remote server for authentication, avoiding the need to transmit credentials over a network (Compl. ¶¶20-23).
  - Asserted Claims: Claims 1-2 and 4-8, including independent claims 1 (a method) and 4 (a computing device) (Compl. ¶58).
  - Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶60).
 
- U.S. Patent No. 10,171,433:
  - Patent Identification: U.S. Patent No. 10,171,433, "System and Method for Authenticating Users," issued January 1, 2019.
  - Technology Synopsis: The patent relates to a method of user authentication where a unique user input (e.g., credentials) is used to generate a secret on a local device. The device uses this secret to respond to authentication challenges from a remote station without exposing the underlying input (Compl. ¶¶20-23).
  - Asserted Claims: At least claim 1 (a method) (Compl. ¶67).
  - Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶69).
 
- U.S. Patent No. 10,484,344:
  - Patent Identification: U.S. Patent No. 10,484,344, "System and Method for Authenticating Users," issued November 19, 2019.
  - Technology Synopsis: The patent describes a system for authenticating a user where a computing device generates a secret from a unique user input, stores it locally with an identifier, and uses it to encode communications with a remote server that initiates an authentication request using the identifier (Compl. ¶¶20-23).
  - Asserted Claims: At least claim 1 (a system) (Compl. ¶76).
  - Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶78).
 
- U.S. Patent No. 11,070,530:
  - Patent Identification: U.S. Patent No. 11,070,530, "System and Method for Authenticating Users," issued July 20, 2021.
  - Technology Synopsis: The patent is directed to a system for authenticating a user by generating a secret based on a unique user input on a local device. When prompted by a remote station, the device verifies the user input locally and then uses the secret to securely communicate with the remote station (Compl. ¶¶20-23).
  - Asserted Claims: At least claim 1 (a system) (Compl. ¶85).
  - Accused Features: The complaint accuses Defendant's "FIDO-Ready Software and FIDO-Ready System" of infringement (Compl. ¶87).
 
III. The Accused Instrumentality
- Product Identification: The accused instrumentalities are Defendant's "FIDO-Ready Software" and related servers, collectively termed the "FIDO-Ready System" (Compl. ¶27). A specific example provided is the "USAA Mobile" application (Compl. ¶28).
- Functionality and Market Context: The accused system allows customers to access their bank accounts and authorize transactions using biometrics such as fingerprints or facial recognition instead of passwords (Compl. ¶¶25, 27). The complaint alleges this system is compliant with the FIDO (Fast Identity Online) Security Standard, an authentication protocol designed to reduce reliance on passwords (Compl. ¶26). The complaint includes a screenshot from the FIDO Alliance website's "Passkey Directory" listing USAA, which indicates its use of FIDO-compliant technology (Compl. ¶26, p. 7). Defendant allegedly markets this functionality as a "faster, safer way to log on" that provides "an extra layer of protection" against fraud (Compl. ¶33, p. 9).
IV. Analysis of Infringement Allegations
'993 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| receiving, by an application running on a computing device... a unique user input | The USAA Mobile app receives biometric inputs, such as fingerprints or facial characteristics, from the user for authentication. | ¶25, ¶27 | col. 28:43-46 | 
| generating, by said application, a secret based upon said unique user input | The accused software provides for the "generation of a secret after receiving biometrics." This secret is used for authentication. | ¶25 | col. 28:47-49 | 
| storing said secret at the computing device, said secret being stored with an identifier so as to be retrievable when the unique user input is again received | Defendant’s marketing materials state that for fingerprint or face ID, the user's data is "encrypted and stored on your device." A screenshot on page 10 of the complaint shows this statement. | ¶33 | col. 28:49-53 | 
| receiving at the computing device from a remote computer-based station a first communication...including the identifier associated with the secret | The accused system facilitates secure communication between user devices and related servers for authentication and authorization. | ¶28 | col. 28:54-57 | 
| responsive to said receiving, prompting a user via a user interface for the unique user input | Defendant’s app prompts users for biometric logon to access their accounts. The complaint provides a screenshot showing Defendant’s marketing of "biometric logon." | ¶33 | col. 28:58-60 | 
| verifying said unique user input to the computing device | Defendant’s system uses biological characteristics like a fingerprint or face "to verify your identity." | ¶33 | col. 28:61-63 | 
| transmitting from the computing device to the remote computer-based station a second communication encoded using the secret | Users of the accused system "securely and privately communicate between their devices and related servers for authentication." | ¶28 | col. 28:63-66 | 
- Identified Points of Contention:
  - Scope Questions: A central question may be whether the term "secret," as described in the patent's specification which discusses generating secrets from inputs like usernames and passwords ('689 Patent, Fig. 7D), can be construed to cover the cryptographic public/private key pairs used in the FIDO protocol.
  - Technical Questions: The infringement theory may depend on how the accused system technically operates. A question for the court will be whether the system "generat[es] a secret based upon" the biometric input, as the claim requires, or if it generates a key pair at registration and subsequently uses the biometric input merely to unlock and authorize the use of that pre-existing key. The complaint alleges a secret is generated "after receiving biometrics" but does not detail the mechanism (Compl. ¶25).
 
'771 Patent Infringement Allegations
| Claim Element (from Independent Claim 9) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A mobile device, comprising a processor, a storage device, and a memory, said memory storing processor-executable instructions, which...cause said processor to perform steps comprising: | The USAA Mobile app runs on mobile devices which contain these hardware components. | ¶28 | col. 28:13-18 | 
| configuring an application...to receive a unique user input | Defendant's app is configured to receive biometric inputs like fingerprints or facial scans for logon and transaction approval. | ¶25, ¶27 | col. 28:19-25 | 
| upon receipt of said unique user input, generating a secret | The accused software allegedly generates a "secret" after receiving the user's biometric input. | ¶25 | col. 28:26-27 | 
| storing said secret in said storage device...with an identifier | Defendant states that biometric data for fingerprint or face ID is "encrypted and stored on your device." This is shown in a screenshot on page 10 of the complaint. | ¶33 | col. 28:28-31 | 
| upon receipt at the mobile device of a first communication from said remote computer-based station, providing the user...an opportunity to respond | The system involves communication between the user's mobile device and Defendant's servers, which prompts the user to provide biometric input for authentication. | ¶28, ¶33 | col. 28:32-36 | 
| authenticating the user by...recovering the secret from said storage device if the candidate identifier matches the identifier | The system verifies the user's identity using the biometric input before allowing access or authorizing transactions. | ¶27, ¶33 | col. 28:37-42 | 
| verifying said user to the remote computing device in a second communication encoded using said secret | The user's device communicates securely with Defendant's servers to complete authentication after the local biometric verification. | ¶28 | col. 28:43-45 | 
- Identified Points of Contention:
  - Scope Questions: As with the '993 Patent, the interpretation of "generating a secret" will be a key issue. The question is whether the FIDO protocol's method of creating and binding a cryptographic key to a device authenticator falls within the scope of this claim language.
  - Technical Questions: The complaint alleges the accused USAA Mobile app implements the FIDO standard (Compl. ¶26). The factual question will be whether the specific technical steps of the FIDO protocol, as implemented by USAA, align with the sequence of generating, storing, and recovering a secret as claimed in the patent.
 
V. Key Claim Terms for Construction
- The Term: "unique user input"
  - Context and Importance: This term's scope is fundamental to the dispute. The complaint alleges that biometrics like fingerprints and facial characteristics constitute a "unique user input" (Compl. ¶25). Practitioners may focus on this term because its construction will determine whether the patents, whose specifications provide examples of traditional credentials like usernames and passwords ('689 Patent, col. 22:40-42), can read on modern biometric authentication systems.
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The plain language of the claim term itself is not explicitly limited to passwords or text strings. The patent abstract uses "e.g., user credentials," which may suggest credentials are an example, not a limitation ('689 Patent, Abstract).
    - Evidence for a Narrower Interpretation: The detailed description and figures in the patent family consistently use "username" and "password" as the exemplary inputs to the secret-generation process, which could support an argument that the invention is limited to such conventional credentials ('689 Patent, Fig. 7D).
 
 
- The Term: "generating a secret based upon said unique user input"
  - Context and Importance: This phrase describes the core technical action of the invention. Its meaning is critical because FIDO-based systems typically generate a cryptographic key pair once during a registration phase and then use a biometric input to authorize its subsequent use. This may differ from the patent's description of using credentials as direct inputs to an "n-bit generator" to create the secret ('689 Patent, Step 211, Fig. 2A).
  - Intrinsic Evidence for Interpretation:
    - Evidence for a Broader Interpretation: The phrase "based upon" could be argued to encompass a process that is initiated by or contingent upon the user input, rather than requiring the input's data to be a direct computational component of the secret itself.
    - Evidence for a Narrower Interpretation: The patent's flowcharts depict the "user credentials" as a direct input into an "N-BIT GENERATOR" that produces the secret ('689 Patent, Fig. 3, Step 235). This suggests a direct computational relationship where the secret is mathematically derived from the input, a potentially narrower meaning.
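The technical difference between the two readings above, as an added Python sketch that is not taken from the complaint, the patents, or any FIDO implementation. Assumptions: PBKDF2 stands in for the "n-bit generator", HMAC stands in for both "encoded using the secret" and a FIDO signature, biometric matching is an exact byte comparison, and all class names, function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

def n_bit_generator(user_input: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the "n-bit generator" the page mentions.
    return hashlib.pbkdf2_hmac("sha256", user_input, salt, 50_000)

def encode(secret: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC stands in for "encoded using the secret"; FIDO signs instead.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class DerivedSecretDevice:
    """Narrower reading: the input is a direct computational input to the secret."""
    def __init__(self):
        self.store = {}  # identifier -> (salt, secret)

    def enroll(self, identifier: str, user_input: bytes, salt: bytes) -> bytes:
        secret = n_bit_generator(user_input, salt)
        self.store[identifier] = (salt, secret)
        return secret

    def respond(self, identifier: str, challenge: bytes, user_input: bytes):
        salt, secret = self.store[identifier]
        candidate = n_bit_generator(user_input, salt)
        if not hmac.compare_digest(candidate, secret):  # local verification
            return None
        return encode(secret, challenge)

class UnlockedKeyDevice:
    """Enrollment-time key: the input only gates use of a key made without it."""
    def __init__(self):
        self.store = {}  # identifier -> (template, key)

    def enroll(self, identifier: str, template: bytes) -> bytes:
        key = os.urandom(32)  # random; no bit of it depends on the template
        self.store[identifier] = (template, key)
        return key

    def respond(self, identifier: str, challenge: bytes, sample: bytes):
        template, key = self.store[identifier]
        # Constructed matcher: exact comparison; real biometric matching is fuzzy.
        if not hmac.compare_digest(template, sample):
            return None
        return encode(key, challenge)

def compare_models(user_input: bytes = b"constructed-sample-input") -> dict:
    salt = b"constructed-salt"
    a1, a2 = DerivedSecretDevice(), DerivedSecretDevice()
    b1, b2 = UnlockedKeyDevice(), UnlockedKeyDevice()
    return {
        "derived_repeatable": a1.enroll("id-1", user_input, salt) == a2.enroll("id-1", user_input, salt),
        "unlocked_repeatable": b1.enroll("id-1", user_input) == b2.enroll("id-1", user_input),
        "derived_rejects_wrong": a1.respond("id-1", b"nonce", b"wrong") is None,
        "unlocked_rejects_wrong": b1.respond("id-1", b"nonce", b"wrong") is None,
        "derived_answers": a1.respond("id-1", b"nonce", user_input) is not None,
        "unlocked_answers": b1.respond("id-1", b"nonce", user_input) is not None,
    }

print(compare_models())
```

Both models reject a wrong input and answer a challenge after local verification, so they look the same from the remote station. They differ only in whether re-enrolling the same input reproduces the same secret.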
 
 
VI. Other Allegations
- Indirect Infringement: The complaint alleges inducement of infringement, stating that Defendant instructs and encourages its customers to use the accused biometric authentication features (Compl. ¶45). The complaint provides screenshots of Defendant's website with instructions on "How to enroll in biometrics" as evidence of these instructions (Compl. ¶33, p. 10).
- Willful Infringement: The complaint alleges willful infringement based on Defendant's knowledge of the patents acquired "since the filing and service of PACid's Complaint" (Compl. ¶95). This is a claim for post-suit willfulness, alleging that any continued infringement after receiving notice via the lawsuit is willful.
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the claim term "unique user input," which is exemplified in the patent specification with traditional usernames and passwords, be construed broadly enough to cover the physiological biometric data used by the accused FIDO-compliant authentication system?
- A key evidentiary question will be one of functional mismatch: does the accused FIDO system—which typically generates a persistent cryptographic key pair at enrollment and uses biometrics to unlock it—perform the patented step of "generating a secret based upon" the unique user input, or is there a fundamental difference in technical operation compared to the patent's disclosure of using credentials as direct inputs to a secret-generating algorithm?
- The case may also turn on a question of temporal relevance: given that the patents claim priority to 2009, a central issue will be whether the claimed invention was intended to, and is technically broad enough to, encompass modern, standardized authentication protocols like FIDO, which were developed and adopted years later.