PTAB

IPR2026-00184

Microsoft Corp v. Qomplx LLC

Log In
Key Events
Petition

1. Case Identification

2. Patent Overview

  • Title: Contextual and Risk-Based Multi-Factor Authentication
  • Brief Description: The ’426 patent describes a computer system for multi-factor authentication (MFA). The system determines whether to require additional user verification based on an analysis of historical login data, specifically by detecting if a current login attempt is associated with a previous anomalous request.

3. Grounds for Unpatentability

Ground 1: Claims 1-21, 23-28, and 30 are obvious over Kirti

  • Prior Art Relied Upon: Kirti (Patent 10,063,654).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Kirti, by itself, renders the challenged claims obvious. Kirti taught a cloud security system that analyzes historical user login activity to create a baseline profile and detect anomalous activity, such as brute force attacks. The system received authentication requests (comprising an identifier and password) and stored information about these requests (e.g., IP address, device, success/failure) in an analytics database. Based on this historical data, Kirti determined whether a login attempt was anomalous—for instance, if it originated from a suspicious IP address or geolocation not previously associated with the user account. Upon detecting such a threat, Kirti’s system recommended and performed remedial measures, including requiring “additional steps to authentication,” such as “elevated authentication or OTP validation.” Petitioner contended that these teachings map to all limitations of the independent claims.
    • Key Aspects: Petitioner argued that while Kirti did not explicitly detail the common-sense steps of prompting a user to complete an additional verification and confirming its correct completion, these steps were inherently part of performing any "additional steps to authentication" and would have been obvious to a person of ordinary skill in the art (POSITA).

Ground 2: Claims 1-21, 23-28, and 30 are obvious over Kirti in view of Coffin

  • Prior Art Relied Upon: Kirti (Patent 10,063,654) and Coffin (David Coffin, Expert Oracle and Java Security, 2011).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner asserted that to the extent Kirti was found to lack express teachings for certain basic MFA implementation steps, Coffin supplied the missing details. Kirti provided the overall framework for detecting threats based on historical login data and triggering a need for additional security. Coffin, a textbook on securing Oracle database applications, provided explicit, step-by-step instructions for implementing various MFA methods. Coffin taught selecting from a plurality of verification methods (e.g., SMS, email, pager), prompting the user to enter a received two-factor code, and having the system test the entered code to determine if it was correct before granting access.
    • Motivation to Combine: A POSITA seeking to implement the “additional steps to authentication” described in Kirti would have been motivated to consult a reference like Coffin for established implementation details. This motivation was particularly strong because Kirti is an Oracle-assigned patent and Coffin is a textbook specifically teaching how to program secure Oracle systems, making them a natural pairing. The shared goal of both references—enhancing security by adding a second layer of authentication—provided a clear reason to combine their teachings.
    • Expectation of Success: A POSITA would have had a reasonable expectation of success in combining the references. Coffin provided a clear template for implementing well-known MFA techniques, and integrating these teachings into Kirti’s threat detection system would have involved straightforward and predictable software modifications well within the skill of a POSITA.

4. Relief Requested

  • Petitioner requests institution of an inter partes review (IPR) and cancellation of claims 1-21, 23-28, and 30 of the ’426 patent as unpatentable under 35 U.S.C. §103.