Unified Patents Inc v. SMART AUTHENTICATION IP, LLC

1. Case Identification

• Case #: IPR2017-02047
• Patent #: 8,082,213
• Filed: September 5, 2017
• Petitioner(s): Unified Patents Inc.
• Patent Owner(s): Smart Authentication IP, LLC
• Challenged Claims: 1-17

2. Patent Overview

• Title: Method and System for Personalized Online Security
• Brief Description: The ’213 patent relates to a third-party user authentication service that authenticates users on behalf of commercial clients. The system allows a user to establish personalized authentication policies, including variable-factor authentication, which dictate the combination of rules, secrets, or tangible objects required for subsequent authentication.

3. Grounds for Unpatentability

Ground I: Obviousness over Harris and Owen - Claims 1-17 are obvious over Harris in view of Owen.

• Prior Art Relied Upon: Harris (Patent 8,751,801) and Owen (WO 03/032126).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Harris discloses the core elements of the ’213 patent’s independent claims. Harris describes a "System and Method for Authenticating Users Using a Plurality of Authentication Factors," which functions as the claimed user-authentication service. Its "service provider" or "web server" corresponds to the claimed "authentication-service client," and its system authenticates registered users. Critically, Harris allegedly discloses a multi-layered communication structure: a first medium for the user-to-client request (e.g., the Internet), a second medium for client-to-authentication-service communication (e.g., an internal LAN), and a third medium for the authentication service to communicate with the user's second device (e.g., a telephone network or SMS). Harris also discloses storing user-specified authentication policies in a database and employing variable-factor authentication by requiring both a password and control of a separate device.
  • Motivation to Combine (for §103 grounds): While Harris teaches that users can specify, add, and modify authentication policies via a "registration manager," it does not explicitly disclose a function for users to delete policies. Petitioner asserted Owen remedies this. Owen discloses a web-based administrative utility that allows users or administrators to create, modify, and, crucially, delete authentication policies and user information. A POSITA would combine Owen's comprehensive account management features with Harris's authentication system to provide users full control over the policy lifecycle, thereby alleviating administrative burdens and saving memory by removing old policies, which are predictable benefits.
  • Expectation of Success (for §103 grounds): A POSITA would have a high expectation of success as both Harris and Owen operate in the same field of user authentication and teach account management utilities.

Ground II: Obviousness over Vandergeest and Delany - Claims 1-10 are obvious over Vandergeest in view of Delany.

• Prior Art Relied Upon: Vandergeest (Patent 7,765,580) and Delany (Application # 2002/0156879).

• Core Argument for this Ground:

  • Prior Art Mapping: Petitioner contended Vandergeest discloses a multi-factor authentication method using a "back channel" (e.g., SMS or telephone) that is distinct from the primary channel (e.g., the Internet). The system involves a "first unit" (user's initial device), a "second unit" (web server/client), and an "authentication unit" (AU) that sends a code to a "third unit" (user's second device, like a phone). This structure allegedly maps to the claimed system of a user, client, and authentication service interconnected by multiple, distinct communication media. Vandergeest also teaches storing user-specific policies (e.g., destination device data for the back channel) in an authentication database, populated during a user registration process.
  • Motivation to Combine (for §103 grounds): Vandergeest describes a registration process where users can add policies but, like Harris, does not explicitly disclose a user-controlled interface for modifying or deleting them. Petitioner introduced Delany to supply this functionality. Delany teaches an "Identity Server" with a "User Manager" that allows individual users to create, delete, and modify their own identity profiles and access privileges. A POSITA would be motivated to integrate Delany's user-controlled interface into Vandergeest's system to achieve the predictable benefits of reducing administrator workload and enhancing security by allowing users to remove policies for old or compromised devices.
  • Expectation of Success (for §103 grounds): Combining Delany's user management interface with Vandergeest's authentication framework would be a straightforward integration for a POSITA, as both references address network security and user identity management.

• Additional Grounds: Petitioner asserted an additional obviousness challenge (Ground III) against method claims 12-17 based on Vandergeest alone, arguing its disclosure of an authentication method using a back channel meets the limitations of the challenged method claims. The arguments for claims 12-17 in this ground substantially mirror the teachings relied upon for claims 1-6 in the Vandergeest/Delany combination.

4. Key Claim Construction Positions

• "variable-factor authentication": Petitioner proposed construing this term as requiring "both secret information (e.g., a password) and evidence of control of a tangible object (e.g., a cell phone)." This construction was consistent with a determination made by the Board during the patent's original prosecution and was central to distinguishing the invention from prior art that used only one type of factor.
• "user-authentication policies": Proposed construction was "a stored set, associated with a user, of one or more constraint(s) and/or parameter(s) associated with user-authentication processes." This broad construction was used to argue that storing information like a destination device address (in Vandergeest) or the "type and mode" of authentication (in Harris) met this claim limitation.
• "specified by the user": Proposed construction was "at a minimum, to include the user selecting from policy templates that describe available types of policies." This construction allowed Petitioner to argue that a user selecting a pre-defined authentication option during a registration process satisfied the limitation.

5. Relief Requested

• Petitioner requested institution of an inter partes review and cancellation of claims 1-17 of the ’213 patent as unpatentable under 35 U.S.C. §103.