`U.S. Patent No. 8,462,920
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`
`
`Twilio Inc.
`Petitioner
`
`v.
`
`Telesign Corporation
` Patent Owner
`
`Patent No. 8,462,920
`Filing Date: October 5, 2006
`
`TITLE: REGISTRATION, VERIFICATION AND NOTIFICATION SYSTEM
`
`
`
`Inter Partes Review No. 2016-00450
`
`
`
`
`Table of Contents
`
`
`Page
`
`
`I.
`INTRODUCTION .......................................................................................... 1
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1) ....................... 2
`A.
`Real Party-In-Interest under 37 C.F.R. § 42.8(b)(1) ............................ 2
`B.
`Related Matters under 37 C.F.R. § 42.8(b)(2) ..................................... 2
`C.
`Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3) .................. 2
`D.
`Service Information .............................................................................. 2
`E.
`Power of Attorney ................................................................................ 3
`PAYMENT OF FEES - 37 C.F.R. § 42.103 .................................................. 3
`III.
`IV. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37
`C.F.R. § 42.104 ............................................................................................... 3
`A. Grounds for Standing under 37 C.F.R. § 42.104(a) ............................. 3
`B.
`Identification of Challenge under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested ................................................ 3
`Threshold Requirement for IPR under 37 C.F.R. § 42.108 ................. 4
`C.
`BACKGROUND OF TECHNOLOGY RELATED TO THE ’920
`PATENT ......................................................................................................... 4
`VI. THE ’920 PATENT ........................................................................................ 7
`A. Overview .............................................................................................. 7
`B.
`Priority Date of the ’920 Patent............................................................ 8
`VII. PERSON HAVING ORDINARY SKILL IN THE ART (POSITA) ............. 9
`VIII. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(B)(3) ................... 9
`A.
`“notification event” .............................................................................. 9
`IX. OVERVIEW OF THE PRIOR ART ............................................................ 10
`A.
`Bennett ................................................................................................ 10
`B.
`Thoursie .............................................................................................. 12
`C.
`Rolfe ................................................................................................... 13
`D. Woodhill ............................................................................................. 13
`
`V.
`
`
`
`
`
`
`-i-
`
`
`
`X.
`
`
`Bennett, Thoursie, Rolfe, and Woodhill are Analogous Art .............. 14
`E.
`CLAIMS 1-10, 13, & 17-22 OF THE ’920 PATENT ARE
`UNPATENTABLE UNDER 35 U.S.C. § 103 ............................................. 15
`A.
`Independent Claim 1: Ground 1 ......................................................... 16
`1.
`Bennett discloses the preamble of claim 1 ............................... 16
`2.
`Bennett discloses claim element 1[a] ....................................... 17
`3.
`Bennett discloses claim element 1[b] ...................................... 18
`4.
`Bennett discloses claim element 1[b][i] ................................... 18
`5.
`Bennett discloses claim element 1[b][ii] ................................. 19
`6.
`Bennett discloses claim element 1[b][iii] ................................ 20
`7.
`Bennett discloses claim element 1[b][iv] ................................. 21
`8.
`Bennett teaches or renders obvious claim element 1[c] .......... 22
`9.
`Bennett discloses claim element 1[d] ...................................... 27
`10. Bennett teaches or renders obvious claim element 1[e] .......... 29
`11. Bennett teaches or renders obvious claim element 1[e][i] ....... 29
`12. Bennett teaches or renders obvious claim element 1[e][ii] ..... 32
`13. Bennett discloses or renders obvious claim element
`1[e][iii] ..................................................................................... 34
`14. Bennett teaches or renders obvious claim element
`1[e][iv] ..................................................................................... 35
`Independent Claim 1: Ground 2 ......................................................... 37
`1.
`Claim element 1[e][i]: Bennett and Thoursie render
`obvious “establishing a second telephonic connection
`with the registrant using the verified registrant electronic
`contact.” ................................................................................... 37
`Claim element 1[e][ii]: Bennett and Thoursie render
`obvious “communicating a second communicated
`verification code to the registrant through the second
`telephonic connection.” ............................................................ 40
`
`B.
`
`2.
`
`
`
`
`
`
`-ii-
`
`
`
`3.
`
`4.
`
`
`
`C.
`D.
`E.
`
`Claim element 1[e][iii]: Bennett and Thoursie render
`obvious “receiving a second submitted verification code
`that is entered by the registrant via the web-site.” ................... 41
`Claim 1[e][iv]: Bennett and Thoursie render obvious “re-
`verifying the registrant electronic contact if the second
`submitted verification code is the same as the second
`communicated verification code.” ........................................... 42
`Claim 2 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 42
`Claim 3 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 43
`Claim 4 Is Disclosed or Rendered Obvious (Grounds1-4) ................ 44
`1.
`Grounds 1 & 2: Bennett ........................................................... 44
`2.
`Grounds 3 and 4: Bennett or Bennett + Thoursie in view
`of Rolfe renders obvious “notifying the registrant of the
`occurrence of the established notification event by
`establishing a telephonic connection with the registrant
`via a registrant electronic contact.” .......................................... 45
`Claim 5 Is Disclosed or Rendered Obvious (Grounds 1-4) ............... 47
`1.
`Grounds 1 & 2: Bennett ........................................................... 47
`2.
`Grounds 3 and 4: Bennett or Bennett + Thoursie + Rolfe ....... 48
`Claim 6 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 48
`Claim 7 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 50
`Claim 8 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 50
`Claim 9 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ......... 50
`Claim 10 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 51
`Claim 13 Is Disclosed or Rendered Obvious (Grounds 1, 2, 5,
`6) ......................................................................................................... 51
`1.
`Grounds 1 & 2: Bennett ........................................................... 51
`2.
`Ground 5 and 6: Bennett or Bennett + Thoursie in view
`of Woodhill renders obvious “the website informs the
`registrant that an electronic message is being sent to the
`registrant via a registrant provided telephone number.” .......... 53
`M. Claim 17 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 54
`
`F.
`
`G.
`H.
`I.
`J.
`K.
`L.
`
`
`
`
`
`
`-iii-
`
`
`
`
`N.
`O.
`P.
`Q.
`R.
`
`Claim 18 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 55
`Claim 19 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 55
`Claim 20 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 56
`Claim 21 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 57
`Claim 22 Is Disclosed or Rendered Obvious (Grounds 1 and 2) ....... 58
`
`
`
`
`
`
`-iv-
`
`
`
`LIST OF EXHIBITS
`
`Document
`
`U.S. Patent No. 8,462,920 to Graves (“’920 patent”)
`Expert Declaration of Dr. Michael Shamos (“Shamos Decl.”)
`U.K. Patent Application No. 011673.1 to Chang
`U.S. Patent Application No. 2004/0219904 to De Petris
`U.S. Patent No. 8,781,975 to Bennett
`U.S. Patent Application No. 2003/0221125 to Rolfe
`U.S. Patent No. 7,577,847 to Nguyen
`U.S. Patent No. 8,302,175 to Thoursie
`U.S. Patent Application No. 2004/0203595 to Singhal (“Singhal”)
`U.S. Patent No. 6,934,858 to Woodhill
`U.S. Patent Application No. 2002/0032874 to Hagen
`U.S. Patent Application No. 2007/0042755 to Singhal (“Singhal
`II”)
`Excerpted File History for U.S. Patent No. 8,462,920
`U.S. Patent Application No. 11/034,421
`U.S. Patent Application No. 2001/0032192 to Putta
`Login webpage from Computerhope.com
`J. Kotanchik “Kerberos and Two-Factor Authentication” (March
`1994)
`United States Patent Application Publication No. 2001/007983 to
`Lee
`United States Patent Application Publication No. 2006/0020816 to
`Campbell
`Michael Ian Shamos C.V.
`United States Provisional Patent Application No. 60,572,776
`
`
`
`
`Exhibit
`Number
`1001
`1002
`1003
`1004
`1005
`1006
`1007
`1008
`1009
`1010
`1011
`1012
`
`1013
`1014
`1015
`1016
`1017
`
`1018
`
`1019
`
`1020
`1021
`
`
`
`0
`
`
`
`
`
`I.
`
`INTRODUCTION
`Petitioner Twilio requests inter partes review of claims 1-10, 13, and 17-22
`
`of Patent No. 8,462,920 (Ex. 1001). Before the Patent Office granted the ’920
`
`patent, it issued multiple rejections. Initially, the Patent Owner (“PO”) attempted to
`
`claim a single-pass verification process that notified the registrant of the
`
`occurrence of previously established notification events. But the Patent Office
`
`found that this was obvious. In the end, the Patent Office allowed claims that
`
`required a second pass of the verification process following a notification event.
`
`But the Patent Office lacked the full picture of the prior art when it allowed the
`
`claims.
`
`Patent No. 8,781,975 to Bennett, prior art that was not cited to the Patent
`
`Office, discloses an authentication system that verifies an online user’s contact
`
`information at registration by providing a verification code to the user via
`
`telephone and then repeats the verification process upon the occurrence of
`
`notification events. That is, when a notification event occurs, the registrant is
`
`provided another code via telephone to enter into a webpage.
`
`Had the Patent Office known of Bennett, and other re-verification
`
`technology such as Thoursie, that was available at the time PO filed its patent, the
`
`’920 patent would not have issued.
`
`
`
`
`
`
`-1-
`
`
`
`
`
`II. MANDATORY NOTICES UNDER 37 C.F.R. § 42.8(A)(1)
`A. Real Party-In-Interest under 37 C.F.R. § 42.8(b)(1)
`Petitioner Twilio Inc. is the real party-in-interest for this petition.
`
`B. Related Matters under 37 C.F.R. § 42.8(b)(2)
`The ’920 patent is asserted against Twilio in an on-going patent lawsuit
`
`brought by PO in Telesign Corp. v. Twilio Inc., No. 2:15-cv-03240 (C.D. Cal.).
`
`Twilio also filed a petition for inter partes review of U.S. Patent No. 7,945,034,
`
`which is a CIP of the ’920 patent’s parent Application No. 11/034,421.
`
`C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
`
`LEAD COUNSEL
`
`BACKUP COUNSEL 1
`
`Wayne Stacy (Reg. No. 45,125)
`Cooley LLP
`380 Interlocken Crescent, Ste. 900
`Broomfield, CO 80021
`Tel:720-566-4125 Fax:720-566-4099
`wstacy@cooley.com
`zTwilioIPR@cooley.com
`Carrie Richey (pro hac vice to be filed)
`Cooley LLP ATTN: Patent Group
`3175 Hanover Street
`Palo Alto, CA 94304-1130
`Tel:650-843-5000 Fax:650-849-7400
`crichey@cooley.com
`
`
`D.
`As identified in the attached Certificate of Service, a copy of the petition,
`
`Service Information
`
`including all Exhibits and a power of attorney, is being served by FEDERAL
`
`EXPRESS, costs prepaid, to the address of the attorney or agent of record for the
`
`
`
`
`
`
`-2-
`
`
`
`
`
`’920 patent: Stephen Bishop, PERKINS COIE, 1201 Third Avenue, Suite 4900,
`
`SEATTLE, WASHINGTON 98101-3099. Petitioner may be served via email at
`
`the lead counsel address provided in Part II.C.
`
`Power of Attorney
`
`E.
`A power of attorney is being filed concurrently.
`
`III. PAYMENT OF FEES - 37 C.F.R. § 42.103
`This petition for inter partes review requests review of 17 claims of the ’920
`
`patent and is accompanied by a $23,800 request and post-institution fee payment.
`
`IV. REQUIREMENTS FOR INTER PARTES REVIEW UNDER 37 C.F.R. § 42.104
`A. Grounds for Standing under 37 C.F.R. § 42.104(a)
`Petitioner certifies that the ’920 patent is eligible for inter partes review and
`
`that Petitioner is not barred or estopped from requesting inter partes review
`
`challenging the identified claims on the grounds identified in this petition.
`
`B.
`
`Identification of Challenge under 37 C.F.R. § 42.104(b) and
`Statement of Precise Relief Requested
`Petitioner requests inter partes review of claims 1-10, 13, and 17-22 of the
`
`’920 patent under the grounds in the table below. Petitioner asks that each of the
`
`claims be found unpatentable. An explanation is included in Section X. Additional
`
`explanation is set forth in the Declaration of Dr. Michael Shamos (Ex. 1002).
`
`Ground
`1
`2
`
`’920 patent Claims
`1-10, 13, 17-22
`1-10, 13, 17-22
`
`Basis for Challenge
`Obvious by Bennett
`Obvious by Bennett in view of Thoursie
`
`
`
`
`
`
`-3-
`
`
`
`
`
`Ground
`3
`4
`
`’920 patent Claims
`4, 5
`4, 5
`
`5
`6
`
`13
`13
`
`Basis for Challenge
`Obvious by Bennett in view of Rolfe
`Obvious by Bennett in view of Thoursie and
`Rolfe
`Obvious by Bennett in view of Woodhill
`Obvious by Bennett in view of Thoursie and
`Woodhill
`
`
`This Petition and the Declaration of Dr. Michael Shamos cite additional
`
`prior art materials to provide technology background illustrating combinability.
`
`C. Threshold Requirement for IPR under 37 C.F.R. § 42.108
`Inter partes review of the Petitioned Claims should be instituted because this
`
`Petition establishes a reasonable likelihood that Petitioner will prevail with respect
`
`to at least one of the claims challenged. 35 U.S.C. § 314(a).
`
`V. BACKGROUND OF TECHNOLOGY RELATED TO THE ’920 PATENT
`In the late 1990s, technological development and the availability of low-cost
`
`data communication tools altered the typical setting for business and services. Ex.
`
`1003 at 1:11-18; Ex. 1004 at [0002]; see also, e.g., Ex. 1005; Ex. 1008.) Many
`
`services were facilitated by a system using a data communication network, such as
`
`the Internet or a telecommunications platform. (Ex. 1003 at 1:11-18; Ex. 1004 at
`
`[0002]-[0003]; see also, e.g., Ex. 1005; Ex. 1008.)
`
`Implementing these systems over communications networks increased
`
`security risks because fraudsters can steal information and take over online
`
`accounts. (Ex. 1005 at 1:19-67; Ex. 1006 at [0002]-[0003]; Ex. 1003 at 1:14-22.)
`
`
`
`
`
`
`-4-
`
`
`
`
`
`The earliest solutions for verifying a user included a traditional username and
`
`password. (Ex. 1005 at 1:45-47; Ex. 1008 at 1:18-2:4; Ex. 1009 at [0003]-[0006].)
`
`But password protection could easily be hacked by someone posing as the user.
`
`(Ex. 1005 at 1:58-67.)
`
`In the early 2000’s, methods for providing additional computer-network
`
`security were implemented using telephone numbers. (Ex. 1002 at ¶¶ 41-51; E.g.,
`
`Ex. 1005; Ex. 1010; Ex. 1006; Ex. 1008; Ex. 1011.) The use of a user’s telephone
`
`number to verify identity provides improved security, because a telephone number
`
`is a
`
`second authentication channel—referred
`
`to as an “out-of-band”
`
`communication—that is difficult for a fraudster to obtain. (Ex. 1005 at 6:31-40; Ex.
`
`1009 at [0030]-[0040]; Ex. 1004 [0008]-[0012].) For example, during a transaction,
`
`a user may be communicating with a banking website over the Internet (the first
`
`channel). That website’s authentication system may contact that user by phone (the
`
`second channel) and provide the user with a code that can be entered into the
`
`website. (See, e.g., Ex. 1005 at 6:31-40; Ex. 1009 at [0030]-[0040].) Collectively,
`
`these types of security systems are referred to as “two-factor authentication”
`
`because they require users to prove their identity in two separate ways.
`
`Two-factor authentication systems existed before 2005. And in particular,
`
`two-factor authentication systems based on telephone numbers existed before 2005.
`
`
`
`
`
`
`-5-
`
`
`
`
`
`(See, e.g., Ex. 1005; Ex. 1008; Ex. 1006; Ex. 1010; Ex. 1003; Ex. 1011; Ex. 1009;
`
`Ex. 1012; Ex. 1007; see also Ex. 1002 at ¶¶ 41-49.)
`
`And for added security, some authentication systems in this pre-2005 time
`
`frame repeated the two-factor authentication several times on the same user. (Ex.
`
`1005; Ex. 1008; Ex. 1011; Ex. 1010.) For example, the two-factor authentication
`
`system could verify a user on her home computer and allow access to a banking
`
`website. In this system, the user would logon using the typical user name and
`
`password combination. The system would then call the user and provide a code
`
`that the user would enter into the website. The next time the user logged in from
`
`that same home computer, the authentication system would not require this
`
`telephone-based form of verification. (See Ex. 1005 at 18:4-56.) But when that
`
`same user tried to login from her work computer, the two-factor authentication
`
`system would re-verify that same user—requiring the user to go through the
`
`telephone-based verification process again. (See Ex. 1005 at 18:4-56; see also Ex.
`
`1002 at ¶¶ 41-49.) Other systems required multiple verifications every time a user
`
`tried to access certain systems. (Ex. 1008; Ex. 1011; Ex. 1010.) And other systems
`
`established rules engines that evaluated multiple factors to determine whether a
`
`user presented enough security risk to justify requiring multiple two-factor
`
`authentication. (Ex. 1005 at 18:4-21.)
`
`
`
`
`
`
`-6-
`
`
`
`
`
`Also, notifying users of the occurrence of events was well known in the art
`
`before the ’902 patent’s priority date. For example, a person could be contacted via
`
`email, page, cell, fax, or postal mail about recent account activity. (Ex. 1015 at
`
`[0123]; Ex. 1006 at [088]-[0090]; Ex. 1018; Ex. 1019; see also Ex. 1002 at ¶¶ 50-
`
`51.)
`
`VI. THE ’920 PATENT
`A. Overview
`The ’920 patent is directed at a telephone-based two-factor authentication
`
`process. (Ex. 1001 at Abstract, FIG. 8, FIG. 9, FIG. 10, 1:6-14, 7:53-8:28, 8:52-
`
`9:2.) Originally, PO directed its proposed claims toward a single-pass two-factor
`
`authentication process. (Ex. 1013 at 28.) But the Patent Office rejected those
`
`claims. (Ex. 1013 at 43-44.) Eventually, the PO amended the claims to require that
`
`the two-factor authentication process be repeated for the same user—a two-pass
`
`process. (Ex. 1013 at 66-67, Ex. 1002 at ¶¶ 31-32.) An alleged point of novelty for
`
`the amended claims, according to the PO, was that the authentication process was
`
`repeated based on the occurrence of an established notification event. (Ex. 1013 at
`
`66-67, 81-82.) According to the ’920 patent, a notification event could be as simple
`
`as a request to access a user’s account or to modify account information. (Ex. 1001
`
`at cls. 20-22, 8:59-62, FIG. 9 blocks 906, 908, 910.)
`
`
`
`
`
`
`-7-
`
`
`
`
`
`Priority Date of the ’920 Patent
`
`B.
`The ’920 patent
`
`issued from Application No. 11/538,989 (“’920
`
`application”), filed October 5, 2006. The ’920 was filed as a CIP of application No.
`
`11/034,421 (“’421 application”), filed on January 11, 2005 and subsequently
`
`abandoned. (Id.) The Petitioned Claims can only be given a priority date of
`
`October 5, 2006, because the ’421 application lacks written description of the
`
`claimed invention. (Ex. 1002 at ¶¶ 33-40.)
`
`Of the Petitioned Claims, claim 1 is the only independent claim. In part,
`
`claim 1 recites a “notification event.” (Ex. 1001 at cl. 1.) The words “notification
`
`event” does not appear in the ’421 application. (Ex. 1014 at 4-7; Ex. 1002 at ¶ 37.)
`
`The first time the words appear are in the ’920 application, which states: “After
`
`registration
`
`[and
`
`initial verification], notification events are established.
`
`Establishing the notification events can be done by either the registrant and/or the
`
`business or other third party utilizing the system and process of the present
`
`invention.” (Ex. 1013 at 9 ¶ 9.) Further, Dr. Shamos confirmed that the concept of
`
`“notification event” does not appear in the ’421 application and that the ’421
`
`application does not disclose the concept to a POSITA. (Ex. 1002 at ¶¶ 33-40.)
`
`In addition, claim 1 also recites “re-verification” steps (i.e., the second pass)
`
`in which the registrant is re-verified after an occurrence of a “notification event.”
`
`(Ex. 1001 at cl. 1.) This re-verification process is not described in the ’421
`
`
`
`
`
`
`-8-
`
`
`
`
`
`application. (Ex. 1002 at ¶ 38.) Support for the “re-verification” steps first appears
`
`in the ’920 application, which states: “The registrant may be required to re-verify,
`
`as described above, before permitting access or alteration of the registrant’s
`
`account or receiving notification of the occurrence of the preestablished event.”
`
`(Ex. 1013 at 10 ¶ 12.) Dr. Shamos confirmed that the re-verification step is not
`
`disclosed to a POSITA in the ’421 application. (Ex. 1002 at ¶¶ 33-40.)
`
`VII. PERSON HAVING ORDINARY SKILL IN THE ART (POSITA)
`The ’920 patent is directed at verifying users of Internet websites during a
`
`registration process. (Ex. 1001 at 1:7-14.) At the time of the alleged invention, a
`
`person having ordinary skill in the art (“POSITA”) would have at least an
`
`undergraduate degree in computer science, or equivalent experience, and in
`
`addition would be familiar with Internet communications. (Ex. 1002 at ¶¶ 11-20.)
`
`VIII. CLAIM CONSTRUCTION UNDER 37 C.F.R. § 42.104(b)(3)
`Except where a BRI is expressly offered below, Petitioner construes the
`
`language of the claims to have their plain and ordinary meaning.
`
` “notification event”
`
`A.
`The BRI of “notification event” is “an event that results in the registrant
`
`being contacted either for re-verification or for notification that the event
`
`occurred.” (Ex. 1002 at ¶¶ 23-29.) The ’920 patent uses the term “notification
`
`event” broadly. Notification events can be implemented in “a wide variety of
`
`
`
`
`
`
`-9-
`
`
`
`
`
`scenarios” including ATM transactions, credit card transactions, or as parental
`
`controls. (Ex. 1001 at 10:55-11:56, cls. 19-22.) A notification event may be any
`
`transaction. (Ex. 1001 at 2:46-48, 10:56-60, cl. 21.) For example, the notification
`
`events may occur when a user requests to access or alter her account. (Ex. 1001 at
`
`14:23-34, cls. 20, 22.) Or a notification event may occur “every time a withdrawal
`
`or more than one thousand dollars is requested from his checking account, or is
`
`charged to his credit card.” (Id. at 1:39-45, 10:60-63.) Notification events may
`
`comprise a news event, or even status of credit reports. (Id. at 11:11-20.)
`
`This BRI (as applied below at claim 1[c]) is further supported by PO’s own
`
`statements during prosecution of the ’920 patent. During prosecution, the PO
`
`argued, “an established notification event may include receiving a request to access
`
`an account associated with the registrant from a device that is not associated with
`
`the account.” (Ex. 1013 at 81.) Thus, a “notification event” does not necessarily
`
`result in notifying the registrant of the occurrence; it may result in either re-
`
`verification or notification. (Ex. 1002 at ¶¶ 27-29.)
`
`IX. OVERVIEW OF THE PRIOR ART
`A. Bennett
`Patent No. 8,781,975 (“Bennett”) was filed May 23, 2005. (Ex. 1005.)
`
`Bennett is prior art under 35 U.S.C. § 102(e) and 102(a) because it published on
`
`Dec. 8, 2005 within a year of the filing date of the ’920 patent and was filed prior
`
`
`
`
`
`
`-10-
`
`
`
`
`
`to the effective filing date of the ’920 patent. (See Part VI.B.) Bennett claims
`
`priority to a provisional application filed May 21, 2004, which is incorporated by
`
`reference. (Ex. 1021.)
`
`Bennett is directed at an “authentication system” that performs a two-factor
`
`authentication at registration and repeats the process when a notification event
`
`occurs. (Ex. 1005 at Abstract, 1:13-15, 2:47-3:16, FIG. 2, 13:31-15:55, FIG. 3,
`
`15:61-17:8, 18:4-56.) For example, Bennett teaches when a user attempts an online
`
`transaction, such as registering for an online account; the authentication system
`
`receives the registrant’s “channel” information, such as a telephone number, and
`
`stores it in a database. (Ex. 1005 at 14:46-56, 15:61-16:1, 16:22-38; Ex. 1002 at ¶¶
`
`72-79.) The authentication system establishes a telephone connection with the
`
`phone number and communicates a completion code to the user. (Id. at 14:57-
`
`15:34, 18:57-19:15, 16:39-61; Ex. 1002 at ¶¶ 81-91.) After the user enters the
`
`completion code into the website, the account is set-up. (Id. at 15:12-41, 16:54-61.)
`
`Bennett teaches that after a successful initial authentication, the system will
`
`determine whether to re-verify a user during a subsequent transaction. For
`
`example, a business may not want their customers to always have to go through the
`
`two-factor verification process at every login. (Ex. 1005 at 18:4-21.) The business
`
`can then establish certain events of higher risk—such as a return user logging-in
`
`from a different device than the one used to register the account. (Id. at 18:4-56,
`
`
`
`
`
`
`-11-
`
`
`
`
`
`17:8-14, 12:22-12:44; see also id. at 11:28-12:44.) When the authentication system
`
`identifies a notification event, the system requires the user to repeat the two-factor
`
`verification process using the previously verified phone number. (See, e.g., id. at
`
`15:8-50, 16:39-61, 18:4-56; Ex. 1002 at ¶¶ 127-35.)
`
`Thoursie
`
`B.
`U.S. Patent No. 8,302,175 (“Thoursie”) was filed April 20, 2005. (Ex.
`
`1008.) Thoursie is prior art under 35 U.S.C. § 102(e) because it was filed before
`
`the ’920 patent’s October 5, 2006 priority date and published after the effective
`
`filing date of the ’920 patent. (See Part VI.B.)
`
`Thoursie is also directed at an authentication system that performs two-
`
`factor authentication at registration and then repeats the two-factor verification
`
`process upon the occurrence of certain events. (Ex. 1008 at Abstract, 6:44-7:19,
`
`7:20-40.) For example, Thoursie teaches when a user attempts to sign up for an
`
`account, the customer registers her telephone number. (Ex. 1008 at 7:3-8.) The
`
`system calls the number and communicates a verification code to the user. (Id. at
`
`7:8-19.) After the user enters the code into the website, she can complete set-up.
`
`(Id.)
`
`Thoursie further discloses that the authentication system identifies when a
`
`previously-registered user logs in again or makes changes to her account. (Ex.
`
`1008 at 7:20-25.) The system then repeats the two-factor authentication process
`
`
`
`
`
`
`-12-
`
`
`
`
`
`using the same phone number. (Id. at 7:20-28.) The user is then required to go
`
`through the verification process a second time. (Id. at 7:20-34.)
`
`C. Rolfe
`U.S. Patent Application No. 2003/0221125 (“Rolfe”) was filed May 24,
`
`2002. (Ex. 1006.) Rolfe is prior art under 35 U.S.C. § 102(b) because it was
`
`published more than a year before the ’920 patent’s October 5, 2006 priority date.
`
`(See Part VI.B.)
`
`Rolfe is also directed to a two-factor authentication system that collects
`
`biometrics information at registration, notifies the user of the occurrence of certain
`
`transactions, and uses the biometrics information to confirm the transaction. (Ex.
`
`1006 at Abstract.) Rolfe teaches that the authentication system sends a
`
`confirmation number over one channel, such as the telephone, and the user inputs
`
`the code over another channel, such as the Internet. (Ex. 1006 at [0035]-[0045],
`
`[0059]-[0061], [0083], Tables II-A and II-B.) After registration, the user is notified
`
`of events, for example, a high value transaction, that require further authorization.
`
`(Id. 1006 at [0083]-[0091].)
`
`D. Woodhill
`U.S. Patent No. 6,934,858 (“Woodhill”) was filed December 13, 2000 and
`
`published August 23, 2005. (Ex. 1010.) Woodhill is prior art under 35 U.S.C. §
`
`
`
`
`
`
`-13-
`
`
`
`
`
`102(b) because it was published more than a year before the’920 patent’s October
`
`5, 2006 priority date. (See Part VI.B.)
`
`Woodhill teaches a two-factor authentication system for user registration.
`
`(Ex. 1010 at 8:13-45, 9:6-32.) Woodhill teaches prompting the registrant to input a
`
`telephone number for receiving the verification code. (Id. at Fig. 2A block 106,
`
`FIGs. 6, 9; see also id. at 9:13-27, 10:20-22, Table 3 step 5.) The webpage displays
`
`the verification code, and the registrant is instructed to input the code into her
`
`telephone. (Id. at 8:13-45, 9:6-32, FIG. 9, Table 3 step 8.) Once the code is entered,
`
`the registrant can complete the registration process. (Id.)
`
`Bennett, Thoursie, Rolfe, and Woodhill are Analogous Art
`
`E.
`These references are analogous to the ’920 patent. All were designed to
`
`protect systems from fraudulent users. (Ex. 1002 at ¶ 54; see Ex. 1005; Ex. 1008;
`
`Ex. 1006; Ex. 1010.) All disclose an out-of-band, two-factor authentication method
`
`that uses a telephone number to verify the identity of a person during registration
`
`by communicating a verification code to the registrant. (Ex. 1002 at ¶¶ 54-55; Ex.
`
`1005 at 15:8-50, 16:39-61, 6:44-7:19, 7:20-40; Ex. 1008 at 7:3-34; Ex. 1006 at
`
`[0035]-[0045], [0059]-[0061], [0083], Tables II-A and II-B; Ex. 1010 at 8:13-45,
`
`9:6-32, FIG. 9, Table 3 step 8.) Thus, all of the references are not only in the same
`
`field of endeavor as the ’920 patent, but also address the same problems with
`
`similar solutions. (Ex. 1002 at ¶¶ 52-56.)
`
`
`
`
`
`
`-14-
`
`
`
`
`
`The ’920 patent, Bennett, and Thoursie are also directed at a process for a
`
`second out-of-band verification after a notification event, such as logging-into an
`
`existing account, logging in from a different device, or taking part in a consumer
`
`transaction. (Ex. 1001 at FIG. 8, 2:43-55, 8:59-9:2, 7:53-8:28, FIG. 9, 8:52-58; Ex.
`
`1005 at Abstract, 1:13-15, 2:47-3:16, 18:4-56, FIG. 2, 13:31-15:55, FIG. 3, 15:61-
`
`17:8, 18:4-56; Ex. 1008 at 6:44-7:19, 7:20-40.) As taught by the ’920 patent,
`
`Bennett, and Thoursie, when an authentication system identifies one of these
`
`events, the system, again, communicates a verification code that must be entered
`
`by the user to complete the event. (Ex. 1001 at 8:59-9:26, FIG. 9 block 912; Ex.
`
`1005 at 18:4-19:15; Ex. 1008 at 7:20-34, FIG. 2.)
`
`X. CLAIMS 1-10, 13, & 17-22 OF THE ’920 PATENT ARE UNPATENTABLE
`UNDER 35 U.S.C. § 103
`
`Under Ground 1, Bennett renders obvious each element of Claims 1-10, 13,
`
`17-22. If the Board finds that Bennett alone does not render these claims obvious,
`
`then under Ground 2, Bennett in view of Thoursie renders these claims obvious.
`
`Grounds 3 and 4 are similar in that they address the same dependent claims by
`
`adding Rolfe to Grounds 1 and 2. Grounds 5 and 6 are similar in that they address
`
`dependent claim 13 by adding Woodhill to Grounds 1 and 2, respectively.
`
`Ground
`1
`2
`3
`
`’920 patent Claims
`1-10, 13, 17-22
`1-10, 13, 17-22
`4, 5
`
`Basis for Challenge
`Obvious over Bennett
`Obvious over Bennett in view of Thoursie
`Obvious over Bennett in view Rolfe
`
`
`
`
`
`
`-15-
`
`
`
`
`
`Ground
`4
`
`’920 patent Claims
`4, 5
`
`5
`6
`
`13
`13
`
`Basis for Challenge
`Obvious over Bennett in view of Thoursie and
`Rolfe
`Obvious over Bennett in view of Woodhill
`Obvious over Bennett in view of Thoursie and
`Woodhill
`
`
`
`
`
`A.
`
`Independent Claim 1: Ground 1
`1.
`
`Bennett discloses the preamble of claim 1
`
`1 - preamble A verification and notification process, comprising of:
`
`Bennett discloses a verification and notification process. (See Parts. X.A.1-
`
`X.A.14; Ex. 1002 at ¶¶ 58-71.) For example, when a user wishes to conduct an
`
`online transaction, such as setting up a financial account, the authentication system
`
`determines whether the user must be verified. (Id. at 7:54-8:6, 9:19-30, 15:61-16:1,
`
`12:33-41; see also Part IX.A.)
`
`After a user has previously registered and verified, the system will, after
`
`certain events, contact the user to become re-verified by requiring a second, two-
`
`factor authentication. (Ex. 1005 at 18:4-19:16, 16:3-21, FIG. 2 block 115; Ex. 1002
`
`at ¶¶ 68-69.) For example, where a returning user attempts to access an account
`
`from a different IP address or computer that was previously used, the system may
`
`notify the user by re-verifying and communicating a verification message to the
`
`stored communication channel. (Id. at 18:4-19:16, 16:3-21, 14:50-15:7, FIG. 2; Ex.
`
`1021 at p. 5; Ex. 1002 at ¶¶ 68-69; see also Part IX.A.)
`
`
`
`
`
`
`-16-
`