Duo Security Inc v. STrikeForce Technologies Inc

1. Case Identification

• Case #: IPR2017-01041
• Patent #: 8,484,698
• Filed: March 14, 2017
• Petitioner(s): Duo Security Inc., Centrify Corp., and Trustwave Holdings, Inc.
• Patent Owner(s): StrikeForce Technologies, Inc.
• Challenged Claims: 1-3, 5-7, 15, 20-24, and 48-54

2. Patent Overview

• Title: Multichannel Device Utilizing a Centralized Out-Of-Band Authentication System (COBAS)
• Brief Description: The ’698 patent relates to a multichannel security system for controlling access to a host computer. The system intercepts a user's access demand on a first "access channel," diverts it to a separate security computer, and performs authentication over a second, physically separate "out-of-band" authentication channel before granting or denying access.

3. Grounds for Unpatentability

Ground 1: Claims 1-3, 5-7, 15, 20-24, and 48-54 are obvious over Feigen in view of Bulfer and Falk

• Prior Art Relied Upon: Feigen (Patent 5,699,513), Bulfer (Patent 5,736,932), and Falk (Patent 5,668,876).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Feigen taught the foundational system claimed in the ’698 patent: intercepting a connection request in an "access channel" using a filter and routing it to a separate "security host" for authentication, thereby preventing the request from reaching the destination "host computer" until authentication is complete. Petitioner contended Feigen’s single-factor authentication was deficient. Bulfer was introduced to add a second authentication factor over a separate, out-of-band channel, specifically by prompting a user on a remote wireless device (e.g., a pager or cell phone) and receiving a response. Finally, Falk was added to supply the teaching of the security computer (Falk’s “authentication center”) outputting an instruction to a network component (Falk’s “service node”) to grant or deny access based on the outcome of the authentication process.
  • Motivation to Combine: Petitioner asserted that Feigen explicitly stated the "strength of an authentication process may vary in accordance with the needs of [the] network." A person of ordinary skill in the art (POSITA), seeking to implement a more robust system as suggested by Feigen, would combine its teachings with the well-known multifactor authentication techniques disclosed in Bulfer and Falk. This combination represented a predictable implementation of "defense in depth," a guiding principle of secure system design at the time.
  • Expectation of Success: Combining these known security elements—an interception framework, a second authentication factor via a mobile device, and an access grant/deny instruction—was a straightforward application of existing technologies to achieve a predictable increase in security.

Ground 2: Claims 50 and 52 are obvious over Feigen in view of Bulfer, Falk, and Turtiainen

• Prior Art Relied Upon: Feigen (Patent 5,699,513), Bulfer (Patent 5,736,932), Falk (Patent 5,668,876), and Turtiainen (WO 99/44114).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground incorporated the Feigen/Bulfer/Falk combination from Ground 1 and added Turtiainen to address specific limitations in dependent claims 50 and 52. Turtiainen taught using a mobile phone in an authentication system that includes a software module on the device itself. This module was capable of receiving an instruction, displaying a text message to the user (e.g., an SMS message asking for confirmation), and receiving input from the user via the device's keypad (e.g., pressing "Yes" or "No"). Petitioner argued this directly taught the "third software module" for installation on the mobile device recited in claim 50 and the "notification containing an instruction for the subscriber to reply" recited in claim 52.
  • Motivation to Combine: Petitioner argued that a POSITA, having already decided to use a mobile device for two-factor authentication based on the teachings of Bulfer and Falk, would be motivated to consult a reference like Turtiainen for its detailed disclosure on implementing the user interface and software functionality on that device. Incorporating Turtiainen’s teachings would have been a predictable design choice to improve the user interaction of the authentication system.
  • Expectation of Success: The integration of a simple software-based user interface on a mobile device, as taught by Turtiainen, was a well-understood and routine task for a POSITA at the time.

4. Key Claim Construction Positions

• "multichannel security system" / "out-of-band": Petitioner argued the preambles of the independent claims are limiting due to Applicant's clear reliance on these terms during prosecution to distinguish prior art. The proposed construction required two completely separate channels (access and authentication) that do not share any facilities. This construction was central to the argument that the host computer is completely isolated from the user's access attempt prior to successful authentication.
• "intercepting": Proposed as "preventing the host computer from receiving [the access demand]." This emphasized the complete isolation of the host computer, as the interception device receives the demand instead, which was a key point of novelty asserted during prosecution.
• "host computer": Construed as "a computer to which the accessor is attempting to gain access, but which no information from an accessor is allowed to enter unless access is granted by the security computer." This construction was argued to be necessary to capture the asserted invention, which prevents any contact with the host computer before authentication is complete.

5. Arguments Regarding Discretionary Denial

• Petitioner disclosed the contemporaneous filing of a second IPR petition (IPR2017-01064) against the ’698 patent. It argued against discretionary denial for redundancy by stating the petitions were not horizontally or vertically redundant. The other petition challenged a different subset of claims (e.g., claims reciting a "biometric signal") and relied on different prior art to address those distinct limitations. Petitioner asserted the combined petitions presented only three distinct grounds of unpatentability, posing no undue burden on the Patent Owner or the Board.

6. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-3, 5-7, 15, 20-24, and 48-54 of Patent 8,484,698 as unpatentable.