DCT
2:25-cv-00514
Secure Authentication Tech LLC v. Plaid Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: Secure Authentication Technologies LLC (Delaware)
- Defendant: Plaid Inc. (Delaware)
- Plaintiff’s Counsel: Quinn Emanuel Urquhart & Sullivan, LLP
- Case Identification: 2:25-cv-00514, D. Utah, 06/26/2025
- Venue Allegations: Plaintiff alleges venue is proper in the District of Utah because Defendant Plaid Inc. maintains a "regular and established physical place of business" in Salt Lake City, where it employs engineers and has allegedly committed acts of patent infringement.
- Core Dispute: Plaintiff alleges that Defendant’s financial technology platform, which enables third-party applications to connect to users' bank accounts, infringes a patent related to methods for securely accessing online accounts protected by multi-factor authentication.
- Technical Context: The technology operates in the financial technology (FinTech) sector, specifically addressing the technical challenge of enabling automated, persistent access to user financial accounts for data aggregation and management in the face of security protocols like multi-factor authentication (MFA).
- Key Procedural History: The complaint notes that during the prosecution of the patent-in-suit, the patent examiner initially rejected the claims as being directed to ineligible subject matter. The applicant successfully overcame the rejection by arguing that the invention was a technical solution requiring specialized computer hardware and leveraging an encrypted process to overcome a security method, leading the examiner to conclude the claims qualify as patent eligible.
Case Timeline
| Date | Event |
|---|---|
| 2014-01-28 | Earliest Priority Date for U.S. Patent No. 11,315,090 |
| 2022-04-26 | U.S. Patent No. 11,315,090 Issues |
| 2025-06-26 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 11,315,090 - System and Method for Automated Optimization of Financial Assets
- Patent Identification: U.S. Patent No. 11,315,090, issued April 26, 2022.
The Invention Explained
- Problem Addressed: The patent describes a technological barrier for automated financial management systems: the proliferation of multi-factor authentication (MFA) protocols by banks (Compl. ¶12). While MFA enhances security, it prevents automated third-party systems from continuously accessing a user's account to retrieve data, as the user would need to be present to respond to every MFA challenge, defeating the purpose of automation ('090 Patent, col. 17:54-18:23). This problem, the complaint alleges, "prevented the development and operation of innovative financial management systems" (Compl. ¶12).
- The Patented Solution: The invention claims a method where a third-party system acts as a "proxy for the user" to navigate MFA (Compl. ¶13). The system first uses the user's credentials to log in and, when prompted with an MFA challenge, relays that prompt to the user to receive a response (e.g., a one-time code) ('090 Patent, col. 19:35-40). After gaining initial access, the system can then add an "additional multi-factor authentication endpoint" (e.g., a new phone number or email address controlled by the third-party system) to the user's bank account profile ('090 Patent, col. 19:60-67). This new endpoint allows the system to receive and respond to subsequent MFA challenges on its own, enabling persistent, automated access without further user intervention (Compl. ¶14).
- Technical Importance: This method provides a technical pathway for third-party applications to maintain ongoing, secure connections to user accounts across various financial institutions, even as those institutions adopt more stringent MFA security.
Key Claims at a Glance
- The complaint asserts independent claim 1 and dependent claim 2 (Compl. ¶21).
- Independent Claim 1 recites a multi-step method for a third-party entity to gain access to an MFA-secured online account, including the steps of:
- collecting the account holder's credentials;
- encrypting the credentials;
- storing the encrypted credentials in a data store;
- verifying the credentials by accessing the online account;
- receiving an MFA request from the online account;
- prompting the account holder for a response to the MFA request and receiving it; and
- transmitting the response to the online account to satisfy the MFA request.
(’090 Patent, col. 30:61-31:18).
- Dependent Claim 2 adds to the method of claim 1 the further steps of:
- storing one or more of the account holder's endpoints for the online account; and
- utilizing said one or more endpoints to permit the third-party to gain access to the online account... without requiring a response by the account holder to any subsequent multi-factor authentication requests.
(’090 Patent, col. 31:19-27).
- The complaint reserves the right to assert additional claims (Compl. ¶21).
III. The Accused Instrumentality
Product Identification
- The complaint identifies Plaid's "Link" and "Auth" software products as the "Accused Products" (Compl. ¶17).
Functionality and Market Context
- Plaid Link is alleged to be the front-end module that "handles all aspects of the login and authentication experience, including credential validation, multi-factor authentication, error handling, and sending account linking confirmation emails" (Compl. ¶17). It provides the user interface for connecting a financial account to a third-party application.
- Plaid Auth is alleged to be a product that works with Link to "instantly verify any bank account" (Compl. ¶18). The complaint cites Plaid's documentation for Auth, which allegedly explains how to handle authentication requests, including prompting a user for a one-time passcode (Compl. ¶18).
- These products form the core of Plaid's service, which acts as an intermediary layer allowing financial technology applications to access user data from over 12,000 financial institutions (Compl. ¶11). The complaint provides a screenshot from the Plaid Link interface showing a user being prompted to enter a code received on their phone, illustrating the MFA handling process (Compl. p. 16).
IV. Analysis of Infringement Allegations
U.S. Patent No. 11,315,090 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| collecting the account holder's credentials | The Accused Products prompt users to enter their login credentials for their financial account. The complaint provides a screenshot of the Plaid Link interface with fields for "Username" and "Password" (Compl. p. 12). | ¶21 | col. 31:2-3 |
| encrypting the account holder's credentials using one or more processors | Plaid's website is cited as stating it uses "best-in-class encryption protocols like the Advanced Encryption Standard (AES 256) and Transport Layer Security (TLS)." A graphic showing "Encryption safeguards your data" is included as evidence (Compl. p. 13). | ¶21 | col. 31:4-6 |
| storing the account holder's encrypted credentials using one or more processors, wherein the encrypted credentials are stored in a data store | Plaid is alleged to store user credentials to establish a secure connection. The complaint cites a Plaid webpage explaining its data handling practices to support this step (Compl. pp. 13-14). | ¶21 | col. 31:7-10 |
| verifying the account holder's credentials by accessing, via one or more processors, the online account using the account holder's credentials | The Accused Products are alleged to submit the user's credentials to the financial institution to determine if the login attempt is successful and verify ownership of the account. | ¶21 | col. 31:11-14 |
| receiving a multi-factor authentication request from the online account, the multi-factor authentication request indicating that a response is required from the account holder... | Plaid Link is alleged to handle MFA by receiving requests from the financial institution. The complaint cites Plaid documentation which describes receiving an "MfaOtpEscalationChallenge response" from its token exchange process (Compl. p. 17). | ¶21 | col. 31:15-18 |
| prompting the account holder for a response and receiving the response thereto from the account holder | The Accused Products prompt the user to enter an MFA code sent to their email or phone. The complaint includes a screenshot of the Plaid interface stating "Verify your phone number" and providing a field for code entry (Compl. p. 17). | ¶21 | col. 31:19-21 |
| transmitting the account holder's response to the online account to satisfy the multi-factor authentication request | Plaid's documentation is alleged to state that it "sends the [one time password] the user entered for validation using the POST /users/{user_id}/2fa request." | ¶21 | col. 31:22-25 |
| (from Claim 2) storing one or more of the account holder's endpoints for the online account in a data store... | The Accused Products are alleged to store user endpoints, such as a phone number. A screenshot shows Plaid prompting a user for their mobile number to "see if [they] connected any financial accounts to apps using Plaid" (Compl. p. 19). | ¶21 | col. 31:30-33 |
| (from Claim 2) utilizing said one or more endpoints to permit the third-party to gain access to the online account... without requiring a response by the account holder to any subsequent... requests. | The complaint alleges that after authentication, Plaid permits users to request data from financial institutions, and that this data includes "realtime balance information," suggesting ongoing access. A screenshot shows the Plaid Portal where users can see data shared with apps (Compl. p. 21). | ¶21 | col. 31:34-39 |
Identified Points of Contention
- Technical Questions: A central factual question for the infringement of claim 2 may be whether the Accused Products "utiliz[e]" a stored "endpoint" to gain access "without requiring a response by the account holder" for subsequent MFA requests. The complaint's evidence shows Plaid storing a user's phone number and later providing access to account information (Compl. pp. 19, 21), but it does not explicitly show the system autonomously intercepting and responding to a new MFA challenge. The analysis may turn on what Plaid's systems technically do after the initial, user-assisted login.
- Scope Questions: The patent describes a "third-party entity" performing the claimed method. The infringement allegation appears to map "Plaid and ultimately Plaid's customers" to this entity (Compl. ¶21). A question may arise as to whether Plaid's role as an intermediary platform for other applications fits the scope of the "third-party entity" as contemplated by the patent, which describes a more monolithic "financial management network" ('090 Patent, col. 18:53-54).
V. Key Claim Terms for Construction
The Term: "endpoint" (Claim 2)
- Context and Importance: This term is critical to Claim 2, which covers the novel aspect of persistent, automated access. The definition of "endpoint" and how it is "utiliz[ed]" will determine if Plaid's alleged storing of a user's phone number infringes. Practitioners may focus on this term because the infringement theory for Claim 2 rests on it.
- Intrinsic Evidence for a Broader Interpretation: The specification provides examples of an endpoint, such as "an additional phone number or email address" ('090 Patent, col. 19:63-64), which could support a broad interpretation that includes any user contact information the system stores.
- Intrinsic Evidence for a Narrower Interpretation: The claim requires "utilizing said one or more endpoints to permit the third-party to gain access... without requiring a response by the account holder." This linkage suggests an "endpoint" may be more than just stored contact information; it may need to be a contact point that is programmatically accessible to the third-party system itself, allowing it to autonomously receive and use an MFA code. The patent describes adding an additional endpoint for this purpose ('090 Patent, col. 19:60-67), which could be construed to mean an endpoint controlled by the system, not the user's pre-existing phone number.
The Term: "utilizing said one or more endpoints to permit the third-party to gain access... without requiring a response by the account holder" (Claim 2)
- Context and Importance: This entire phrase is the functional heart of Claim 2. Its construction will be dispositive for infringement of that claim. The dispute will likely focus on whether simply accessing data after an initial MFA event satisfies the "without requiring a response" limitation for "subsequent" authentications.
- Intrinsic Evidence for a Broader Interpretation: The patent's abstract discusses "automatically allocating and transferring funds among the accounts without intervention of the account holder." A party could argue this broad goal supports an interpretation where any automated data access after the initial setup meets the limitation's spirit.
- Intrinsic Evidence for a Narrower Interpretation: The patent describes a specific procedure for handling MFA where the system can "respond directly to multi-factor authentication requests without requiring user intervention or user presence" ('090 Patent, col. 20:9-12). This suggests the "utilizing" step involves the system actively and autonomously handling a new MFA challenge, not just re-using a previous session token or accessing data in a period where a new MFA challenge is not issued.
VI. Other Allegations
Indirect Infringement
- The complaint alleges inducement of infringement, asserting that Plaid encourages and instructs its customers and their end-users to use the Accused Products in an infringing manner through its product documentation and literature (Compl. ¶22). It specifically references Plaid's documentation for its "Auth" product as instructing on how to permit access to an MFA-protected account (Compl. ¶22).
Willful Infringement
- The complaint pleads willfulness based on Plaid's alleged actual knowledge of the '090 patent, stating this knowledge exists "at least as of the filing of this complaint" (Compl. ¶23). It further reserves the right to supplement this allegation with evidence of pre-suit knowledge obtained through discovery (Compl. ¶24).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of patent eligibility: given the prosecution history, which involved an initial rejection under 35 U.S.C. § 101, the case may turn on whether the claims are directed to a patent-eligible technical solution to a problem rooted in computer technology (improving automated data access in the face of MFA) or to an abstract idea of managing authentication credentials.
- A key evidentiary question will be one of technical operation: does Plaid's system, as required by Claim 2, actually add or use an "endpoint" to autonomously handle subsequent MFA challenges from financial institutions without user involvement, or does it simply store user contact details for identity verification and rely on user interaction for each new MFA event?
- The infringement analysis will likely depend on a question of definitional scope: can the term "endpoint," in the context of being "utiliz[ed]" to gain access "without requiring a response by the account holder," be construed to cover a user's own pre-existing phone number stored by Plaid, or does it require a new endpoint controlled by the system itself for automated MFA interception?