Plaid Inc v. Secure Authentication Technologies LLC

1. Case Identification

• Case #: IPR2026-00157
• Patent #: 11,315,090
• Filed: January 15, 2025
• Petitioner(s): Plaid Inc.
• Patent Owner(s): Six Trees Capital LLC, Secure Authentication Technologies LLC
• Challenged Claims: 1-10

2. Patent Overview

• Title: Method for Permitting Third-Party Access to an Online Account Secured by Multi-Factor Authentication
• Brief Description: The ’090 patent discloses a method for a third-party entity to securely and automatically gain access to a user’s online account. The system is designed to handle multi-factor authentication (MFA) protocols on behalf of the user without requiring their direct intervention for each access attempt.

3. Grounds for Unpatentability

Ground 1: Anticipation by Hsu - Claims 1, 4–6, and 9–10 are anticipated by Hsu under 35 U.S.C. §102.

• Prior Art Relied Upon: Hsu (Application # 2008/0115198).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that Hsu discloses every element of the challenged claims. Hsu describes a third-party financial application that securely accesses a user’s online accounts (e.g., banking) that are protected by MFA. The system performs the claimed steps of: (1) collecting user credentials via a user interface or from a data store; (2) encrypting the credentials using an explicit "encryption module" running on one or more processors; (3) storing the encrypted credentials in a "data structure"; (4) verifying the credentials by accessing the online account; and (5) receiving an MFA request (e.g., a challenge question), prompting the user, receiving the response, and transmitting it to satisfy the MFA requirement. Petitioner asserted that Hsu's detailed examples of XML commands for handling challenge questions map directly to the final steps of claims 1 and 6.

Ground 2: Anticipation by Hazlehurst - Claims 1, 4–6, and 9–10 are anticipated by Hazlehurst under 35 U.S.C. §102.

• Prior Art Relied Upon: Hazlehurst (Patent 8,261,334).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner contended that Hazlehurst independently teaches a complete proxy system for automated web authentication that performs all steps of the challenged claims. Hazlehurst’s "Pin Vault Application" acts as a third party to log into a user's web-based accounts, which are secured by two-factor authentication such as time-sensitive tokens or CAPTCHA. The system collects and stores user credentials in an encrypted "user pin vault" (a data store), uses processors to access the accounts, and handles MFA requests by presenting the challenge to the user and transmitting their response. Petitioner argued Hazlehurst’s system is designed specifically to automate access to MFA-protected sites, directly anticipating the ’090 patent’s claims.

Ground 3: Obviousness over Emerson in view of Hsu - Claims 1, 4–6, and 9–10 are obvious over Emerson in view of Hsu under 35 U.S.C. §103.

• Prior Art Relied Upon: Emerson (Application # 2009/0198615) and Hsu (Application # 2008/0115198).

• Core Argument for this Ground:

  • Prior Art Mapping: Petitioner argued that Emerson discloses a third-party "ODS agent" for conducting secure online financial transactions that meets nearly all claim limitations, including collecting credentials, storing them in a database, and managing MFA interactions with a bank. However, Emerson does not explicitly teach encrypting the collected credentials. Hsu remedies this deficiency by expressly teaching the encryption of sensitive user credentials using an "encryption module" for enhanced security.
  • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine Emerson's authentication system with Hsu's explicit encryption method to address the well-known and critical security risks of handling unencrypted financial data. Both references identify security as a major issue in online banking, providing a clear motivation to incorporate Hsu's known security-enhancing technique into Emerson's system.
  • Expectation of Success: A POSITA would have a reasonable expectation of success, as Emerson’s system already utilizes processors and data storage, making the integration of a standard encryption module as taught by Hsu a straightforward and predictable modification.

• Additional Grounds: Petitioner asserted six additional obviousness challenges.

  • Grounds 4-6 argued that claims 2, 3, 7, and 8 are obvious over the primary references (Hsu, Hazlehurst, Emerson/Hsu) in view of Peotta (a 2011 journal article). Peotta teaches that a third party can alter the cellular phone number ("endpoint") associated with an account to intercept and automatically respond to SMS-based MFA codes, thus enabling automated access without user intervention.
  • Grounds 7-9 made parallel arguments for claims 2, 3, 7, and 8, relying on 2FA Q&A (a 2013 Stack Exchange post) instead of Peotta. 2FA Q&A similarly teaches modifying an account's registered phone number via social engineering to reroute MFA codes to a third party, achieving the same automated result.

4. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 1-10 of the ’090 patent as unpatentable.