PTAB

IPR2026-00184

Microsoft Corp v. Qomplx LLC

Log In
Key Events
Petition
petition

1. Case Identification

2. Patent Overview

  • Title: Contextual and Risk-Based Multi-Factor Authentication
  • Brief Description: The ’426 patent discloses a system for multi-factor authentication (MFA) where the need for additional verification is triggered based on analyzing historical login data. The system determines if a previous login attempt associated with a user account comprised a secondary identifier not associated with that account, which indicates a potential security threat and prompts a requirement for further authentication.

3. Grounds for Unpatentability

Ground 1: Claims 1-21, 23-28, and 30 are obvious over Kirti.

  • Prior Art Relied Upon: Kirti (Patent 10,063,654).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued Kirti teaches a cloud security system that analyzes historical login activity stored in a multidimensional time-series database to detect threats and remediate them, satisfying the core limitations of the independent claims. Kirti’s system establishes a "baseline user profile" that includes associated IP addresses, geolocations, and devices. The system then detected anomalous login attempts when a current request used an identifier (e.g., a suspicious IP address) that was not associated with the user's established baseline profile. Petitioner asserted this directly mapped to the claim language requiring determination of whether a previous request comprised a "second identifier not associated with the first user account." Upon detecting such an anomalous threat, Kirti's system required remedial measures such as "elevated authentication or OTP validation," which Petitioner contended was the claimed "additional verification." Petitioner argued that the final steps of selecting, prompting, and verifying the additional authentication method were implicitly disclosed or would have been obvious implementations of Kirti's system to a Person of Ordinary Skill in the Art (POSITA).
    • Key Aspects: The core of this ground was that Kirti alone rendered the claims obvious because its teachings on threat remediation based on anomalous login history inherently included the claimed concepts. Any missing implementation details, like prompting a user for a one-time password, were well-known and obvious additions for a POSITA.

Ground 2: Claims 1-21, 23-28, and 30 are obvious over Kirti in view of Coffin.

  • Prior Art Relied Upon: Kirti (Patent 10,063,654) and Coffin (a 2011 textbook, Expert Oracle and Java Security).
  • Core Argument for this Ground:
    • Prior Art Mapping: As an alternative ground, Petitioner argued that if Kirti were found to lack explicit detail for implementing additional verification, the Coffin textbook supplied the missing elements. While Kirti provided the framework for threat detection and the mandate for "additional steps to authentication," Coffin provided detailed, step-by-step instructions for implementing a plurality of such methods. Coffin explicitly taught methods including a "second password or PIN," CAPTCHA, biometric scans, and sending one-time passcodes to a user's email or cell phone. Further, Coffin detailed the process of selecting from available methods, prompting the user to enter the provided code, and having the system test the code "to see if it passes muster," which Petitioner argued directly taught the final limitations of the independent claims concerning selecting, prompting, and completing the verification.
    • Motivation to Combine: A POSITA implementing Kirti's system would combine its teachings with Coffin to supply the necessary implementation details for the MFA features Kirti called for. The motivation was particularly strong because both references operate in the same technical field and, more specifically, within the Oracle ecosystem. Kirti is an Oracle-assigned patent, and Coffin is a textbook on programming secure Oracle database applications, making them a "natural pairing." The shared goal of enhancing security by adding a second authentication factor provided a clear reason to combine their respective teachings.
    • Expectation of Success: A POSITA would have a high expectation of success in the combination because implementing Coffin's well-understood, conventional authentication routines into Kirti's security framework would involve only predictable and straightforward software modifications. Coffin itself was presented as a practical guide with code templates, ensuring that the integration would be predictable and well within the ordinary skill of a POSITA.

4. Relief Requested

  • Petitioner requests institution of IPR and cancellation of claims 1-21, 23-28, and 30 as unpatentable.