DCT

6:23-cv-00319

Proxense LLC v. Microsoft Corp

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 6:23-cv-00319, W.D. Tex., 05/02/2023
  • Venue Allegations: Plaintiff alleges venue is proper in the Western District of Texas because Microsoft maintains a principal place of business, operates numerous data centers, and employs individuals within the district, and has not contested venue in this district in prior patent litigation.
  • Core Dispute: Plaintiff alleges that Defendant’s password-less authentication architecture, including Microsoft Identity Platform, Windows Hello, and the Microsoft Authenticator App, infringes six patents related to biometric and personal digital key-based authentication systems.
  • Technical Context: The technology concerns systems and methods for using local biometric verification on a user's device to enable secure, password-less authentication to various digital applications and services.
  • Key Procedural History: The complaint alleges that Proxense and Microsoft engaged in discussions in 2010 regarding Proxense's secure authentication technology. It further alleges that on July 29, 2016, Plaintiff’s counsel sent a letter to Microsoft providing notice of the patents-in-suit, which allegedly included a comparison of the claimed inventions to Microsoft's products.

Case Timeline

Date Event
2004-12-20 Earliest Priority Date for ’730, ’954, and ’905 Patents
2007-12-06 Earliest Priority Date for ’042, ’289, and ’960 Patents
2008-01-01 Microsoft allegedly began operating data centers in W.D. Texas
2010-01-01 Proxense and Microsoft allegedly engaged in discussions regarding authentication technology
2013-01-08 ’730 Patent Issued
2014-02-04 ’042 Patent Issued
2014-11-11 ’954 Patent Issued
2016-03-29 ’905 Patent Issued
2016-07-29 Proxense allegedly sent notice letter regarding patents-in-suit to Microsoft
2017-06-13 ’289 Patent Issued
2018-09-11 ’960 Patent Issued
2018-11-20 Windows Hello allegedly enabled password-less sign-in
2023-05-02 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 8,352,730 - “Biometric Personal Data Key (PDK) Authentication”

The Invention Explained

  • Problem Addressed: The patent describes the weaknesses of conventional authentication methods, such as passwords that can be forgotten or stolen, and simple access objects like electronic key fobs that validate the object itself but not the identity of the person holding it (’730 Patent, col. 1:21-48).
  • The Patented Solution: The invention proposes a portable, self-contained "integrated device" or "biometric key" that persistently stores a user's biometric data (e.g., a fingerprint) in a tamper-proof format. To authenticate, a user provides a live biometric scan to the device. The device performs a local comparison between the live scan and the stored data. If they match, the device wirelessly transmits a unique code to an external authentication system to grant access, thereby providing a keyless and password-less verification of the user's identity (’730 Patent, Abstract; col. 2:1-6).
  • Technical Importance: The technology aimed to combine the security of biometric identification with the convenience of a portable token, reducing reliance on easily compromised credentials like passwords (Compl. ¶29, 31).

Key Claims at a Glance

  • The complaint asserts independent method claim 1 and independent system claim 15 (Compl. ¶83).
  • Essential elements of independent claim 1 include:
    • Persistently storing biometric data and a plurality of codes (including a device ID and a secret decryption value) in a tamper-proof format on an integrated device.
    • Receiving scan data from a biometric scan in response to a verification request.
    • Comparing the scan data to the stored biometric data on the device.
    • If there is a match, wirelessly sending one or more of the codes for authentication by a third-party trusted authority.
    • Receiving an access message from that authority, which allows the user to access an application.
  • The complaint reserves the right to assert dependent claims 2, 3, 5, 16, and 17 (Compl. ¶83).

U.S. Patent No. 8,886,954 - “Biometric Personal Data Key (PDK) Authentication”

The Invention Explained

  • Problem Addressed: As a continuation of the application leading to the ’730 Patent, the ’954 Patent addresses the same fundamental problems of insecure and inconvenient user authentication methods (’954 Patent, col. 1:22-54).
  • The Patented Solution: The ’954 Patent describes a similar system centered on an integrated device that stores biometric data and unique codes. After a user is verified via a local biometric scan, the device wirelessly sends a code to a third party for authentication. The key distinction from the ’730 Patent appears to be in the claim language describing the interaction between the device, the authenticating entity, and the application receiving the access grant (’954 Patent, Abstract; col. 2:3-24).
  • Technical Importance: This patent continues the development of a framework for secure, portable, biometric-based authentication to replace traditional passwords and simple tokens (Compl. ¶29, 31).

Key Claims at a Glance

  • The complaint asserts independent method claim 1 and independent system claim 22 (Compl. ¶117).
  • Essential elements of independent claim 1 include:
    • Persistently storing biometric data and codes (including a device ID) in a tamper-proof format on an integrated device.
    • Receiving scan data from a biometric scan.
    • Comparing the scan data to the stored biometric data.
    • If there is a match, wirelessly sending one or more codes for authentication to a third party.
    • Receiving, at an application, an access message from the trusted authority indicating successful authentication.
  • The complaint reserves the right to assert dependent claims 2, 3, 5, 6, 7, 23, 24, 25, 26, and 27 (Compl. ¶117).

U.S. Patent No. 9,298,905 - “Biometric Personal Data Key (PDK) Authentication”

Technology Synopsis

This patent is part of the same family as the ’730 and ’954 Patents and addresses password-less authentication. It claims a system where an integrated device stores biometric data, verifies a user with a live scan, and then wirelessly sends a code to a third-party authority, which in turn provides an access message allowing the user to complete a financial transaction (’905 Patent, Abstract).

Asserted Claims

Independent claims 1 and 15 (Compl. ¶151).

Accused Features

The complaint alleges that Microsoft's password-less architecture, which uses biometrics to authorize access to services and subscriptions, infringes this patent (Compl. ¶152, 173).

U.S. Patent No. 8,646,042 - “Hybrid Device Having a Personal Digital Key and Receiver-Decoder Circuit and Methods of Use”

Technology Synopsis

This patent describes a "hybrid device" that contains both a Personal Digital Key (PDK) component and a Receiver-Decoder Circuit (RDC). This architecture allows for various operational modes and interactions, such as a PDK on one device enabling functions on a separate device containing an RDC, creating a system for chained or multi-factor authorization (’042 Patent, Abstract; col. 1:52-60).

Asserted Claims

Independent claim 1 (Compl. ¶186).

Accused Features

The complaint alleges that FIDO2-compliant authenticators (used with Microsoft's platform) embody the claimed "minimal embodiment of a PDK" and that the Windows operating system and its associated browsers (Edge, Chrome) provide the "external RDC" functionality for communicating with these authenticators (Compl. ¶193-196).

U.S. Patent No. 9,679,289 - “Hybrid Device Having a Personal Digital Key and Receiver-Decoder Circuit and Methods of Use”

Technology Synopsis

This patent is a continuation of the family including the ’042 Patent, further detailing a hybrid device with PDK and RDC components. The claims focus on a method where creating a wireless link between an external device and the hybrid device, and receiving a signal, generates an "enablement signal" that activates an application, function, or service (’289 Patent, Abstract; col. 24:14-23).

Asserted Claims

Independent claims 14 and 16 (Compl. ¶209).

Accused Features

The complaint accuses the interaction between FIDO2-compliant authenticators and Microsoft's Identity Platform via a WebAuthn client (e.g., a browser) of infringing these claims (Compl. ¶216-219).

U.S. Patent No. 10,073,960 - “Hybrid Device Having a Personal Digital Key and Receiver-Decoder Circuit and Methods of Use”

Technology Synopsis

As part of the same family as the ’042 and ’289 Patents, this patent also relates to a hybrid PDK/RDC device. The asserted method claims describe creating a wireless link and receiving a signal at the device, which in turn generates an "enablement signal" for an application, function, or service (’960 Patent, Abstract; col. 24:14-23).

Asserted Claims

Independent claims 14 and 16 (Compl. ¶232).

Accused Features

The infringement theory is parallel to that for the ’289 Patent, targeting the interaction between external authenticators and Microsoft's platform via a WebAuthn client (Compl. ¶239-242).

III. The Accused Instrumentality

Product Identification

The accused instrumentality is Microsoft’s “universal platform password-less architecture” (Compl. ¶46). This architecture is comprised of three primary components:

  1. Microsoft Identity Platform (also known as Azure Active Directory): A cloud-based service that acts as an authorization server, coordinating authentication requests and issuing access tokens (Compl. ¶47).
  2. Authenticators: Devices or software that perform user verification. These include Microsoft’s native Windows Hello (on Windows 10/11 devices) and the Microsoft Authenticator App (on iOS and Android devices), as well as FIDO2-compliant hardware from third-party partners (Compl. ¶49, 55).
  3. Resources: Applications, websites, or services that request user authentication, such as Microsoft Office 365, Xbox, or services from third-party developers who subscribe to the Microsoft Identity Platform (Compl. ¶47-48).

Functionality and Market Context

  • The architecture enables users to sign into various services without a password. A resource redirects a user to the Microsoft Identity Platform, which sends a challenge (e.g., a nonce) to the user’s registered authenticator. The user provides a biometric gesture (e.g., face scan, fingerprint) to the authenticator, which unlocks a device-specific private key to sign the challenge. The signed challenge and a credential ID are sent back to the Identity Platform, which validates the signature using a previously stored public key. Upon successful validation, the Platform issues a security token (e.g., a bearer token) that grants the user access to the resource (Compl. ¶56, 61-64, 68-70).
  • The complaint alleges this architecture is central to Microsoft's Identity and Access Management services, which are sold to corporate clients and developers (Compl. ¶48, 53).
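The challenge-response flow described above (nonce from the identity platform, local biometric check unlocking a device-held private key, signed challenge plus credential ID returned, signature checked against the registered public key, token issued), written out as an added Go example that is not part of the complaint or of Microsoft's code. The authenticator, relying party, biometric "template" strings and bearer token are all constructed stand-ins; the same exchange underlies the claim-chart rows in Section IV.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

type Assertion struct{ CredentialID string; Challenge, Signature []byte }

// Authenticator stands in for Windows Hello or a FIDO2 key; the template (a
// constructed string here) and the private key never leave it, only a signature does.
type Authenticator struct{ template, credentialID string; privKey ed25519.PrivateKey }

// RelyingParty stands in for the identity platform: it issues one-time
// challenges and keeps the public key registered under each credential ID.
type RelyingParty struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]bool // outstanding challenges, consumed on first use
}

func NewRelyingParty() *RelyingParty { return &RelyingParty{map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Register is the one-time enrolment: the authenticator mints a key pair and
// the relying party stores only the public half under a credential ID.
func Register(rp *RelyingParty, template string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cid := hex.EncodeToString(pub[:8]) // simplification: real credential IDs are random
	rp.pubKeys[cid] = pub
	return &Authenticator{template, cid, priv}, nil
}

// Challenge issues a fresh random nonce and records it as outstanding.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail on supported platforms
	rp.pending[string(c)] = true
	return c
}

// Sign runs the local biometric comparison and only on a match unlocks the private
// key to sign the challenge (real WebAuthn also signs authenticator and client data).
func (a *Authenticator) Sign(liveScan string, challenge []byte) (*Assertion, error) {
	if liveScan != a.template {
		return nil, errors.New("biometric verification failed")
	}
	return &Assertion{a.credentialID, challenge, ed25519.Sign(a.privKey, challenge)}, nil
}

// Verify consumes the challenge (so a replay fails), then checks credential and signature.
func (rp *RelyingParty) Verify(as *Assertion) (string, error) {
	if !rp.pending[string(as.Challenge)] {
		return "", errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(as.Challenge))
	pub, ok := rp.pubKeys[as.CredentialID]
	if !ok || !ed25519.Verify(pub, as.Challenge, as.Signature) {
		return "", errors.New("unknown credential or invalid signature")
	}
	return "bearer-" + as.CredentialID, nil // placeholder token, not a real JWT
}
```

Note that a failed biometric comparison produces no assertion at all, and a signed challenge can be presented only once; both properties matter when reading the claim-chart rows about local comparison and the "access message".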

IV. Analysis of Infringement Allegations

’730 Patent Infringement Allegations

Claim chart for independent claim 1 (claim element, alleged infringing functionality, complaint citation, patent citation):

  • Claim Element: persistently storing biometric data of the user and a plurality of codes and other data values comprising a device ID code...and a secret decryption value in a tamper proof format written to a storage element on the integrated device that is unable to be subsequently altered
    • Alleged Infringing Functionality: Authenticators like Windows Hello and the Microsoft Authenticator App store biometric templates and private keys in secure, isolated hardware environments such as a Trusted Platform Module (TPM), Virtualization Based Security (VBS), a Trusted Execution Environment (TEE), or a Secure Enclave, which the complaint alleges constitutes a "tamper proof format."
    • Complaint Citation: ¶57-61, 95
    • Patent Citation: col. 4:35-43
  • Claim Element: responsive to receiving a request for a biometric verification of the user, receiving scan data from a biometric scan
    • Alleged Infringing Functionality: When a user initiates a sign-in, the authenticator prompts for and receives live biometric data, such as a facial scan for Windows Hello or a fingerprint scan on a mobile device.
    • Complaint Citation: ¶62-64
    • Patent Citation: col. 4:12-16
  • Claim Element: comparing the scan data to the biometric data to determine whether the scan data matches the biometric data
    • Alleged Infringing Functionality: The authenticator device performs this comparison locally to verify the user's identity before proceeding.
    • Complaint Citation: ¶96
    • Patent Citation: col. 4:16-24
  • Claim Element: responsive to a determination that the scan data matches the biometric data, wirelessly sending one or more codes from the plurality of codes and the other data values for authentication by an agent that is a third-party trusted authority
    • Alleged Infringing Functionality: After local verification, the authenticator wirelessly (via Wi-Fi or cellular) sends a signed nonce and a credential ID (the "codes") to the Microsoft Identity Platform (the "third-party trusted authority") for authentication.
    • Complaint Citation: ¶68-69, 97-99
    • Patent Citation: col. 8:29-41
  • Claim Element: responsive to authentication of the one or more codes and the other data values by the agent, receiving an access message from the agent allowing the user access to an application
    • Alleged Infringing Functionality: The Microsoft Identity Platform validates the received data and, if successful, issues a bearer token (the "access message") that is sent to the resource to grant the user access. A diagram illustrates this authorization flow (Compl. p. 24, from Ex. 27).
    • Complaint Citation: ¶70-71, 103
    • Patent Citation: col. 8:42-49

Identified Points of Contention

  • Scope Questions: A primary question may be whether Microsoft's distributed system—consisting of a cloud service (Identity Platform) and separate client-side software/hardware (Authenticator)—meets the claim limitation of an "integrated device." The patent figures and description often depict a single, self-contained hardware token.
  • Technical Questions: The analysis may focus on whether storing data in a modern secure enclave like a TEE or TPM, which provides cryptographic isolation, is technically equivalent to the "tamper proof format" that is "unable to be subsequently altered" as described in the patent. This raises the question of whether "tamper proof" requires data to be physically unchangeable (like in a ROM) or merely architecturally secured from unauthorized modification.

’954 Patent Infringement Allegations

Claim chart for independent claim 1 (claim element, alleged infringing functionality, complaint citation, patent citation):

  • Claim Element: persistently storing biometric data of a user and a plurality of codes...comprising a device ID code...in a tamper proof format written to a storage element on an integrated device
    • Alleged Infringing Functionality: Authenticators store biometric data and cryptographic keys (alleged "codes") in secure hardware enclaves (TPM, TEE, Secure Enclave), which is alleged to meet the "tamper proof format" requirement.
    • Complaint Citation: ¶119-124, 128-129
    • Patent Citation: col. 12:4-13
  • Claim Element: responsive to receiving a request for a biometric verification of the user, receiving scan data from a biometric scan
    • Alleged Infringing Functionality: In response to an authentication request from the Microsoft Identity Platform, the authenticator prompts the user for and receives live biometric input. A diagram illustrates this user interaction flow (Compl. p. 22, from Ex. 22).
    • Complaint Citation: ¶130
    • Patent Citation: col. 12:14-17
  • Claim Element: comparing the scan data to the biometric data
    • Alleged Infringing Functionality: The local authenticator device compares the live scan data to the stored biometric template to verify the user.
    • Complaint Citation: ¶130
    • Patent Citation: col. 12:18-19
  • Claim Element: responsive to a determination that the scan data matches the biometric data, wirelessly sending one or more codes...for authentication to a third party that operates a trusted authority
    • Alleged Infringing Functionality: The authenticator sends a signed response and credential ID (the "codes") over a wireless network to the Microsoft Identity Platform, which is alleged to be the "third party that operates a trusted authority."
    • Complaint Citation: ¶131-134
    • Patent Citation: col. 12:20-27
  • Claim Element: receiving, at an application, an access message from the trusted authority indicating that the trusted authority successfully authenticated the one or more codes
    • Alleged Infringing Functionality: The Microsoft Identity Platform issues an ID Token or Access Token (the "access message") to the application (the "resource"), confirming successful authentication and granting access.
    • Complaint Citation: ¶137
    • Patent Citation: col. 12:28-32

Identified Points of Contention

  • Scope Questions: Similar to the ’730 Patent, a key dispute may be whether the term "integrated device" can be construed to read on Microsoft's distributed architecture of client authenticators and a cloud-based identity provider.
  • Technical Questions: The meaning of "codes" will be a likely point of contention. The complaint alleges that the credential ID and the private key/signed nonce constitute the claimed "codes." Analysis may turn on whether these cryptographically-related data elements function as the "codes" described in the patent specification.

V. Key Claim Terms for Construction

  • The Term: "integrated device" (from ’730 Claim 1; ’954 Claim 1)

    • Context and Importance: This term is central because the patented invention is described as a physical token or key. The accused system, however, is a distributed architecture combining user hardware, software applications, and remote cloud services. The outcome of the case may depend on whether Microsoft’s multi-part system can be considered a single "integrated device" under the claim construction.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification suggests the device can be integrated into other common items, stating it "can be integrated into a portable electronic device such as a cell phone, Personal Digital Assistant (PDA), or GPS unit" (’730 Patent, col. 6:20-23). This may support an argument that the "device" is not limited to a standalone fob but can be a set of functions within a larger system.
      • Evidence for a Narrower Interpretation: The patent repeatedly refers to the invention as a "biometric key" and a "modified key fob" with a "small form factor" and a "unitary molding" (’730 Patent, col. 3:12-24, Fig. 1). This language may support a narrower construction limited to a single, self-contained physical object.
  • The Term: "tamper proof format written to a storage element...that is unable to be subsequently altered" (from ’730 Claim 1; ’954 Claim 1)

    • Context and Importance: The complaint alleges that storing data within a TPM, TEE, or Secure Enclave meets this limitation. These technologies provide security through isolation and encryption but do not necessarily make the data permanently unchangeable. Practitioners may focus on this term because the infringement argument depends on equating modern secure enclaves with the specific "tamper proof" and "unable to be...altered" requirements of the claims.
    • Intrinsic Evidence for Interpretation:
      • Evidence for a Broader Interpretation: The specification states that persistent storage "can include, for example, a ROM element, a flash memory element, or any other type of non-volatile storage element" (’730 Patent, col. 4:33-36). Because flash memory is inherently alterable, this language could support a broader interpretation where "tamper proof" means architecturally secured against unauthorized changes, rather than physically immutable.
      • Evidence for a Narrower Interpretation: The specification emphasizes that the format "does not allow any changes to biometric data" and that this "increases reliability of authentication" (’730 Patent, col. 4:38-43). This language, combined with the "unable to be subsequently altered" claim requirement, may support a narrower construction requiring a write-once or read-only memory format.

VI. Other Allegations

Indirect Infringement

The complaint alleges inducement of infringement, asserting that Microsoft actively encourages infringement by providing customers and developers with advertising, technical documentation, developer guides (such as the Microsoft Authentication Library), and instructions on how to use and integrate with the accused password-less architecture (Compl. ¶74-77, 105). It also alleges contributory infringement, claiming that the Windows Hello and Microsoft Authenticator App components are especially made for infringement and have no substantial non-infringing use within the accused system (Compl. ¶78-79, 106).

Willful Infringement

Willfulness is alleged based on Microsoft’s purported knowledge of the patents since at least July 29, 2016, the date of a notice letter from Plaintiff’s counsel. The complaint further alleges this knowledge dates back to discussions between the parties in 2010. It is asserted that Microsoft continued its allegedly infringing activities despite this knowledge or, alternatively, was willfully blind to its infringement (Compl. ¶42-45, 80, 107).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A core issue will be one of definitional scope: can the term "integrated device," which the patents describe in the context of a portable, self-contained hardware key, be construed to cover Microsoft’s distributed architecture of user devices, authenticator software, and a separate, cloud-based identity platform?
  • A key technical question will be one of functional equivalence: does storing biometric data and cryptographic keys within modern secure hardware enclaves (e.g., TPM, TEE), which offer protection through isolation and encryption, satisfy the claim requirement for storage in a "tamper proof format" that is "unable to be subsequently altered"?
  • A central liability question will be whether Microsoft’s role as the provider of the central authorization server (Microsoft Identity Platform) and authenticator software makes it a direct infringer of the end-to-end method claims, or if its liability, if any, arises from inducing or contributing to the infringing acts of its users and developer partners.