PTAB

CBM2016-00063

United Services Automobile Association v. Asghari Kamrani Nader

Log In
Key Events
Petition
petition

1. Case Identification

2. Patent Overview

  • Title: Centralized Identification and Authentication System and Method
  • Brief Description: The ’432 patent relates to a system and method using a central entity for centralized identification and authentication of users to increase the security of e-commerce transactions conducted with external entities. The system generates a dynamic, time-dependent "SecureCode" for a user, which is then used as part of a digital identity to authenticate the transaction.

3. Grounds for Unpatentability

Ground 1: Claims 1, 3, 5-8, 12-13, 15-27, 30-42, 44-45, 47-48, 50-52, and 54-55 are anticipated by Norefors.

  • Prior Art Relied Upon: Norefors (Application # US 2006/0094403).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Norefors discloses every element of the challenged claims. Norefors describes an authentication system for providing a user with access to an IP network (e.g., a wireless ISP). Petitioner mapped the claimed "central-entity" to Norefors' operator-controlled web and authentication servers, the "external-entity" to Norefors' access server (run by an ISP), and the "dynamic code" to Norefors' one-time password (OTP). In Norefors, the user requests access from the external-entity, is redirected to the central-entity to receive an OTP via SMS, and then uses that OTP to log in through the external-entity, mirroring the claimed authentication flow.

Ground 2: Claims 2, 4, 9-11, 14, 28, 29, 43, 46, 49, and 53 are obvious over Norefors in view of Brown.

  • Prior Art Relied Upon: Norefors (Application # US 2006/0094403) and Brown (Patent 5,740,361).

  • Core Argument for this Ground:

    • Prior Art Mapping: Petitioner asserted Norefors provides the foundational authentication framework. Brown was introduced to supply features recited in dependent claims not explicitly found in Norefors. For claims requiring the combination of the dynamic code with user information via a "predetermined algorithm" (claim 2), Brown teaches obscuring a session key (dynamic code) by combining it with a username using an MD5 hash algorithm. For claims requiring a "financial transaction" (claim 4), Brown teaches distinguishing between "free" and "paying" users, establishing a financial context for the authentication service. Brown also discloses that a service can perform the role of the authentication entity itself, teaching the claimed limitation where the central and external entities are the same (claim 11).
    • Motivation to Combine: A POSITA would combine Brown’s security methods with Norefors' framework to enhance security by obscuring login credentials transmitted over an insecure network, a shared goal of both references. Furthermore, a POSITA would be motivated to incorporate Brown's teachings on paid access to improve the commercial viability of the access servers (like WISPs) described in Norefors.
    • Expectation of Success: Petitioner argued the combination would have yielded predictable results, as it involved applying known, compatible security and business methods to an existing authentication system without altering its core principles.

  • Additional Grounds: Petitioner asserted alternative obviousness grounds based on Norefors in view of Rajasekaran (Application # US 2003/0080183) and Norefors in view of both Rajasekaran and Brown. Rajasekaran was primarily cited to teach an alternative, well-known user workflow where the user contacts the central entity directly to obtain a one-time number before interacting with the external entity.

4. Key Claim Construction Positions

  • "Central-Entity" and "External-Entity": Petitioner argued these terms should be construed according to their explicit definitions provided in the ’432 patent specification. A "Central-Entity" is defined as a party holding the user's information and generating the SecureCode (e.g., a bank), while an "External-Entity" is a party offering goods or services (e.g., a merchant).
  • "First Central-Entity Computer" and "Second Central-Entity Computer": Petitioner contended that under the broadest reasonable interpretation, these two "computers" could be the same physical or logical device. This position was based on the express language of dependent claims 11 and 36, which recite that the "first central-entity computer and said second central-entity computer are the same."

5. Key Technical Contentions (Beyond Claim Construction)

  • Denial of Priority Date: A central contention of the petition was that the ’432 patent is not entitled to its claimed priority date from earlier "Parent" and "Grandparent" applications. Petitioner argued the Parent application fails to provide the required written description support for the claims of the ’432 patent, as its disclosure is directed to a different "interbank fund transfer" system rather than a centralized user authentication system. It was also argued that the Parent application fails to properly incorporate the Grandparent application by reference. Consequently, Petitioner asserted the patent’s effective filing date is its actual filing date of September 15, 2008, which allows Norefors, Rajasekaran, and Brown to qualify as prior art under 35 U.S.C. §102(b).
  • CBM Patent Eligibility: Petitioner argued the ’432 patent qualifies as a Covered Business Method (CBM) patent. It contended the claims are directed to activities incidental to a financial service—namely, securing e-commerce and financial transactions. Furthermore, Petitioner asserted the patent is not a "technological invention" exempt from CBM review because it merely applies abstract authentication ideas using generic, conventional computer hardware (e.g., servers, networks) without solving a technical problem or reciting a novel technological feature.

6. Relief Requested

  • Petitioner requested institution of a Covered Business Method patent review and cancellation of claims 1-55 of the ’432 patent as unpatentable.