In Support of Petition for Inter Partes Review
of U.S. Patent No. 9,947,000

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

APPLE INC.,
Petitioner,
v.
UNIVERSAL SECURE REGISTRY, LLC,
Patent Owner.
_________________________________________
IPR2020-01220

U.S. Patent No. 9,947,000
_________________________________________

DECLARATION OF DR. PATRICK MCDANIEL IN SUPPORT OF
PETITION FOR INTER PARTES REVIEW (CLAIMS 1-21)

APPLE 1002

TABLE OF CONTENTS

I. Background
II. Legal Principles
    A. Claim Construction
    B. Obviousness
III. Description of the Relevant Field and the Relevant Timeframe
IV. Technology Background
    A. Computer Networks
    B. Electronic Commerce
    C. Authentication
    D. Multi-Factor Systems
    E. Cryptography
V. Level of Ordinary Skill
VI. The ’000 Patent
    A. Specification and Claims
    B. Brief Description of the ’000 Patent Disclosure
    C. Prosecution History
VII. Overview of Prior Art References
    A. Schutzer
    B. Walker
    C. Franklin
    D. Slater
VIII. Claims 1-21 of the ’000 Patent Are Unpatentable under 35 U.S.C. § 103
    A. Ground 1: Claims 1-4, 6-11, 13-18, and 20-21 Are Obvious over Schutzer Alone or in View of Walker.
        Independent Claim 1
        Dependent Claim 2
        Dependent Claim 3
        Dependent Claim 4
        Dependent Claim 6
        Dependent Claim 7
        Independent Claim 8
        Dependent Claim 9
        Dependent Claim 10
        Dependent Claim 11
        Dependent Claim 13
        Dependent Claim 14
        Independent Claim 15
        Dependent Claim 16
        Dependent Claim 17
        Dependent Claim 18
        Dependent Claim 20
        Dependent Claim 21
    B. Ground 2: Claims 5, 12, and 19 Are Obvious over Schutzer Alone or in View of Walker and/or Slater
        Dependent Claim 5
        Dependent Claim 12
        Dependent Claim 19
    C. Ground 3: Claims 1-4, 6-11, 13-18, and 20-21 Are Obvious over Franklin in View of Schutzer.
        Independent Claim 1
        Dependent Claim 2
        Dependent Claim 3
        Dependent Claim 4
        Dependent Claim 6
        Dependent Claim 7
        Independent Claim 8
        Dependent Claim 9
        Dependent Claim 10
        Dependent Claim 11
        Dependent Claim 13
        Dependent Claim 14
        Independent Claim 15
        Dependent Claim 16
        Dependent Claim 17
        Dependent Claim 18
        Dependent Claim 20
        Dependent Claim 21
    D. Ground 4: Claims 5, 12, and 19 Are Obvious over Franklin in View of Schutzer and Slater.
        Dependent Claim 5
        Dependent Claim 12
        Dependent Claim 19
IX. Conclusion
X. Availability for Cross-Examination
XI. Right to Supplement
XII. Jurat
Appendix A
Appendix B

I, Patrick McDaniel, Ph.D., declare as follows:

1. My name is Patrick McDaniel.

2. I have been retained by Apple Inc. (“Apple”) to provide opinions in this proceeding relating to U.S. Patent No. 9,947,000 (“’000 patent”).

3. I am being compensated at my standard billing rate of $600 per hour for time spent on this matter.

4. My compensation is in no way dependent on the outcome of this proceeding.

5. I have no financial interest in Apple or in the ’000 patent.

I. BACKGROUND

6. My qualifications for forming the opinions in this declaration are summarized here. I earned a Ph.D. in Computer Science and Engineering from University of Michigan, Ann Arbor in 2001. I earned a Bachelor of Science degree in Computer Science from Ohio University in 1989 and a Master of Science degree, also in Computer Science, from Ball State University in 1991.

7. Since 2017, I have been the William L. Weiss Professor of Information and Communications Technology in the School of Electrical Engineering and Computer Science at Pennsylvania State University in University Park, PA. I am also the director of the Institute for Network and Security Research, and founder and co-director of the Systems and Internet Infrastructure Security Laboratory, a research laboratory focused on the study of security in diverse network and computer environments. My research efforts primarily involve computer systems, network, management, authentication, systems security, and technical public policy.

8. Before my current position, I was an Assistant Professor (2004-2007), Associate Professor (2007-2011), Full Professor (2011-2015), and Distinguished Professor of Computer Science and Engineering at Pennsylvania State University (2015-2017). Since 2004, I have taught several courses in the field of computer systems, systems programming, networks, and network and computer security at both the undergraduate and graduate level. I created and continue to maintain several of these courses for Penn State.

9. From 2003-2009, I was also an Adjunct Professor at the Stern School of Business at New York University in New York, NY. At the Stern School of Business, I taught courses in computer and network security and online privacy.

10. I am a Fellow of the Association for Computing Machinery (the leading professional association for computer science) and the Institute for Electrical and Electronics Engineering (the leading professional association for computer engineering).

11. I was also the Program Manager (PM) and lead scientist for the Cyber Security Collaborative Research Alliance (CRA) from 2013 to 2018. The CRA is led by Penn State University and includes faculty and researchers from the Army Research Laboratory, Carnegie Mellon University, Indiana University, the University of California-Davis, and the University of California-Riverside. This initiative is a major research project aimed at developing new cyber-security technology for military networks, computers, and installations.

12. I have served as an advisor to several Ph.D. and master’s degree candidates, several of whom have gone on to become professors at various institutions such as Purdue University, University of Toronto, North Carolina State University, the University of Oregon, and the Georgia Institute of Technology. I am currently an advisor to two Ph.D. candidates and a number of master’s students.

13. Before joining Pennsylvania State University as a professor, I was a software developer and project manager for companies in the networking industry including Applied Innovation, Inc. and Primary Access Corporation. I was also a senior researcher at AT&T Research-Labs. As part of my duties in these industrial positions, I informed, reviewed, and formed corporate policies and practices relating to the deployment and subsequent management of software systems such as those sold and supported by Oracle.

14. I have published extensively in the field of network and security management, computer systems, authentication, systems security, applied cryptography, and network security. In addition to writing several articles for industry journals and conferences, I have authored portions of numerous books related to computer systems, applied cryptography, and network security. I have served on the editorial boards of several peer-reviewed journals including ACM Transactions on Internet Technology, for which I was the Editor-in-Chief. I was also an Associate Editor for ACM Transactions on Information and System Security and IEEE Transactions of Software Engineering, two highly regarded journals in the field. A complete list of my publications in the last 10 years, as well as a list of editorial positions can be found in my curriculum vitae, which is attached as Appendix B.

II. LEGAL PRINCIPLES

15. For purposes of this declaration, I have been informed about certain aspects of the law that are relevant to my analysis and opinions. I am not an attorney.

A. Claim Construction

16. I have been informed that claim construction is a matter of law and that the final claim construction will ultimately be determined by the Board.

17. I understand that the terms of a patent claim are generally given their ordinary and customary meaning. This is the meaning that the term would have to a person of ordinary skill in the art as of the time of the alleged invention.

18. I understand that terms of a claim should be understood in the context of the claim as a whole. I also understand that the specification of the patent is relevant to the meaning of a claim term. I understand that the claims must be read in light of the specification.

19. I understand that the file history should also be considered when interpreting the meaning of the claims of a patent. The file history can contain evidence of how the U.S. Patent and Trademark Office (“PTO”) and the applicant understood the patent and the meaning of the terms of the patent.

20. I understand that the claim language, specification, and prosecution history are referred to as “intrinsic evidence.”

21. I understand that evidence from an expert in the field may also be relevant in the determination of how a person of ordinary skill in the art would understand the claims. I understand that this evidence, which is referred to as “extrinsic evidence,” must be considered in the context of the intrinsic evidence and cannot be used to change the meaning of a claim term to be inconsistent with the intrinsic evidence.

B. Obviousness

22. I have been informed and understand that a patent claim can be considered to have been obvious to a person of ordinary skill in the art at the time the application was filed. This means that even if all the requirements of a claim are not found in a single prior art reference, the claim is not patentable if the differences between the subject matter in the prior art and the subject matter in the claim would have been obvious to a person of ordinary skill in the art at the time the application was filed.

23. I have also been informed and understand that a determination of whether a claim would have been obvious should be based upon several factors, including, among others:

o the level of ordinary skill in the art at the time the application was filed;
o the scope and content of the prior art; and
o what differences, if any, existed between the claimed invention and the prior art.

24. I have further been informed and understand that the teachings of two or more references may be combined in the same way as disclosed in the claims, if such a combination would have been obvious to one having ordinary skill in the art. In determining whether a combination based on either a single reference or multiple references would have been obvious, it is appropriate to consider, among other factors:

o whether the teachings of the prior art references disclose known concepts combined in familiar ways, and when combined, would yield predictable results;
o whether a person of ordinary skill in the art could implement a predictable variation, and would see the benefit of doing so;
o whether the claimed elements represent one of a limited number of known design choices, and would have a reasonable expectation of success by those skilled in the art;
o whether a person of ordinary skill would have recognized a reason to combine known elements in the manner described in the claim;
o whether there is some teaching or suggestion in the prior art to make the modification or combination of elements claimed in the patent; and
o whether the claimed invention applies a known technique that had been used to improve a similar device or method in a similar way.

25. In addition, I have been informed and understand that one of ordinary skill in the art has ordinary creativity, and is not an automaton.

26. I have been informed and understand that in considering obviousness, it is important not to determine obviousness using the benefit of hindsight derived from the patent being considered.

III. DESCRIPTION OF THE RELEVANT FIELD AND THE RELEVANT TIMEFRAME

27. I have studied and understand the specification, claims, and file history of the ’000 patent. I have also studied the exhibits listed in the Table of Exhibits attached hereto as Appendix A, as well as the materials cited herein. Based on my study of these materials, I believe that the relevant field for purposes of my analysis is computer science, including the areas of distributed systems, authentication, and systems and data security. As described above, I have extensive experience in the relevant technology and am well versed in the state of the art from before the claimed priority date of the patent.

28. The ’000 patent was filed on August 30, 2017 and issued on April 17, 2018. The ’000 patent is a continuation of a series of applications and claims priority to an application filed on March 16, 2001.

IV. TECHNOLOGY BACKGROUND

29. In this section, I discuss the state of the art with respect to certain technologies relevant to the subject matter of the ’000 patent.

30. During the time around March 2001, a person of ordinary skill in the art would have been aware of various developments in the areas of computer electronic transactions, authentication, and multifactor authentication systems, as I discuss below.

A. Computer Networks

31. A person of ordinary skill in the art would have been aware of the use of computer networks for the purposes of creating transactions prior to the alleged invention date of the ’000 patent. Modern computers use networks to support applications such as e-mail, network browsing, and streaming entertainment over large geographic areas. A network is a collection of computers and hardware devices that cooperate to transfer data between endpoints such as desktop computers, laptops, tablets, and phones. These networks are focused on providing point-to-point communication (i.e., device to device), in which a sender computer sends data to a recipient (receiver) computer.

32. The dominant network in recent times, including the time preceding the alleged invention date of the ’000 patent, is the Internet, which is a world-wide collection of networks run by different organizations (e.g., Penn State University, Amazon, etc.), network providers (called Internet Service Providers, e.g., Time Warner, AT&T), and individuals. All the computers and network devices run a set of standardized protocols called the Internet Protocols (IP). These standards define the rules for how the computers communicate and coordinate to move data from one part of the network to another.

B. Electronic Commerce

33. As of the late 1990s, one of the driving forces behind the development of the Internet was electronic commerce (“EC”). EC is the sale of goods and services over the Internet, e.g., purchasing a book from an online bookstore such as Amazon. Indeed, by 2001, EC was established and growing quickly. There were literally hundreds of EC companies and software platforms available to online retailers and service providers, and many standards were published and available for use.

34. The basic unit of electronic commerce is the transaction. A transaction is generally just the purchase of goods or services through the Internet (most often through an online retailer such as Amazon). There are three parties typically involved in a transaction, the consumer/customer (referred to as the “user” in the ’000 patent), the retailer or merchant (business selling goods or services), and a bank or credit card company (facilitating the transfer of funds from the customer’s account to the retailer’s account). Note that there are many arrangements in EC that may include other parties, e.g., the bank role may consist of both a traditional commercial bank (e.g., Bank of America) and a credit card network (e.g., VISA).

35. The flow of a transaction is generally the same. The customer and retailer agree on the goods and pricing for the transaction (e.g., through an online shopping basket), and the customer signals the desire to proceed with the transaction through an online interface (e.g., hitting the pay now button on the webpage). At that point the transaction is begun by the user providing some authentication information and presenting the information to the retailer. The retailer then validates the user directly or passes it on to the bank. If correct, the bank then provides confirmation to the retailer that the transaction can proceed and records and initiates the transfer of money. The retailer then records the success of the transaction and arranges to provide the goods (e.g., shipping the book) or services (e.g., letting the user view a video they paid to see).

36. One key to making this process work is to ensure that the authentication of the user is secure. Here, secure means that somebody that is not the user cannot forge or copy the authentication information and get goods under a victim’s account.

C. Authentication

37. Prior to the alleged invention date of the ’000 patent, a person of ordinary skill in the art would have been aware of the structure and use of authentication in computer systems. The purported purpose of the ’000 patent is to provide a system and method for the authentication of a user for a transaction, i.e., performing user authentication. Ex-1001, ’000 patent at Abstract, 3:15-4:6, 19:5-18, 19:45-56. Authentication generally relates to the process of securely identifying the identity of a user, system, or device. In the context of the ’000 patent, it specifically relates to the authentication of the user in an EC transaction. Authentication is often performed in order to subsequently evaluate the user as being able to exercise some right such as completing a transaction. Here, authentication is needed to ensure that users only access data stores and services they are authorized to access, and to ensure non-authorized users are prevented from accessing data and services they are not authorized to access.

38. Almost all authentication—EC and others—is performed in the same general manner. When users attempt to access a system, they are prompted for some kind of credential proving their identity. If they can supply the credential or otherwise prove they are authorized to access it, they are deemed authentic and the system provides access.

39. It was known prior to the alleged invention date of the ’000 patent that the architecture of most authentication systems involves a client (customer computer) asking a server (service-providing computer) for access, e.g., via a login prompt or transaction request. The server then receives the credential over the network and checks its validity, e.g., whether the password is correct. Most often, the user information and credential information used for validating the credential are contained within an authentication database located at the server. This database can be as simple as a file (such as the password file in the UNIX operating system) or as complex as a relational database within a banking system.

40. In computer security, it was known prior to the alleged invention date of the ’000 patent that there are at least three kinds of credentials: something you know, something you are, and something you have. The classical means of authentication is the password as “something you know.” To simplify, a password is a secret that is presumed known only to the user and the system. When a user wishes to gain access to the system, the system prompts the user for the password. If the password is correct, then the user is deemed to be who he/she says he/she is (is authenticated).

41. Biometrics are “something you are” credentials. Here, at access time, the system passively authenticates or prompts the user to provide proof of identity via measurement of some physical characteristic “such as a fingerprint, voice print, signature, iris or facial scan, or DNA analysis.” Ex-1001, ’000 patent at 4:26-28. The design and use of biometric systems were well known and practiced by March 2001. See Exs-1011-1013 (generally discussing the use of biometrics for computer network authentication).

42. “Something you have” credentials are devices or objects that a user provides for the purposes of authentication. Examples of these credentials are credit cards, access badges, or password token devices.

43. It was known prior to the alleged invention date of the ’000 patent that some credentials have a limited lifetime and were designed for “one time” use. Such credentials are typically created to have a short window of time where they are usable (a time-variant password) or only allowed to be used once (one-time password). For example, one of the earliest authentication systems using a one-time password approach was the S/Key system introduced and subsequently standardized in the early 1990s. In this one-time password scheme, the user was given a list of passwords that could only be used once. Each time the user logged in, he/she would use the next password on the list and cross it off. Other solutions are based on time, where the user will calculate a password as a function of some credential and a time window. Here the password could be used several times within that (presumably short) window.

44. The RSA SecureID token is a device introduced before the priority date of the ’000 patent that generates a new password every few seconds and displays it on a small LCD display. When a user logs in, he/she provides the password that is currently on the display. A server also can generate the same password and thereby validate the password presented by the user. Note that the password can only be used once to log in to a device (and hence is truly a one-time use password). Hence, the user will have to wait a few seconds for another password if they desire to log in again or to another device.

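The two credential styles described in paragraphs 43 and 44, as an added example that is not part of the declaration or of any cited exhibit: a use-once password list checked by a server that "crosses off" each entry, and a time-window password that the server recomputes and refuses to accept twice. The class and function names, the SHA-256 hash chain used to build the list, the HMAC derivation and the 60-second window are all assumptions of this sketch; it is not the S/Key or token vendor algorithm.

```python
import hashlib
import hmac
import struct

# Assumed for illustration: names, SHA-256/HMAC constructions, 60 s window.
STEP_SECONDS = 60


def hash_chain(seed: bytes, n: int) -> list:
    """Return [H(seed), H^2(seed), ..., H^n(seed)] as the password list."""
    chain, value = [], seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
        chain.append(value)
    return chain


class ListVerifier:
    """Use-once list: the server keeps only the last accepted chain value."""

    def __init__(self, anchor: bytes):
        self._current = anchor  # H^n(seed), stored at enrollment

    def verify(self, candidate: bytes) -> bool:
        # The next valid password is the pre-image of the stored value.
        digest = hashlib.sha256(candidate).digest()
        if hmac.compare_digest(digest, self._current):
            self._current = candidate  # cross it off: the old entry is dead
            return True
        return False


def time_password(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Six-digit password as a function of a shared secret and a time window."""
    window = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TimeWindowVerifier:
    """Server side: recompute the window's password and reject any reuse."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self._secret = secret
        self._step = step
        self._last_window = -1  # most recent window that produced a login

    def verify(self, candidate: str, now: float) -> bool:
        window = int(now) // self._step
        expected = time_password(self._secret, now, self._step)
        if not hmac.compare_digest(candidate.encode(), expected.encode()):
            return False
        if window <= self._last_window:
            return False  # correct password, but already used in this window
        self._last_window = window
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    chain = hash_chain(b"constructed-seed", 4)
    server = ListVerifier(chain[-1])
    print("list, first use :", server.verify(chain[-2]))
    print("list, replay    :", server.verify(chain[-2]))

    secret = b"constructed-shared-secret"
    token_display = time_password(secret, 1000.0)
    tserver = TimeWindowVerifier(secret)
    print("time, first use :", tserver.verify(token_display, 1010.0))
    print("time, replay    :", tserver.verify(token_display, 1015.0))
```

Without the `_last_window` check the second verifier would behave like the time-variant scheme at the end of paragraph 43, where a password remains usable for the whole window.
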
D. Multi-Factor Systems

45. Prior to the alleged invention date of the ’000 patent, a person of ordinary skill in the art would have been aware of multi-factor authentication systems. In recognition of the challenges of authentication in computer systems, the security community noted as early as 1984 that authentication would be greatly enhanced if the system used multiple forms of authentication. Ex-1010, Liu at 29 (“Using biometrics also allows a hierarchical structure of data protection, making the data even more secure: Passwords supply a minimal level of access to network data; biometrics, the next level. You can even layer biometric technologies to enhance security levels.”). In this model, two or more different authentication means (factors) would be used to perform authentication. For example, it was common in 2001 to use a physical device token such as the SecureID, as well as a password as a strong means of authenticating users in high value settings, e.g., business applications. Thus, an adversary would have to break or bypass multiple systems to gain access—and, as a result, the system as a whole was substantially stronger than a system using a single form of authentication.

E. Cryptography

46. Prior to the alleged invention date of the ’000 patent, a person of ordinary skill in the art would have been aware of the cryptographic tools used to support electronic transactions and user authentication. One of the most widely used approaches for this was the use of encryption. An encryption algorithm is a software implemented function that converts data (called plaintext) into a form that cannot be read by anyone (called ciphertext) unless they have access to a special encryption key. The process of converting the ciphertext back into plaintext is called decryption, which requires access to the decryption key.1 Note that the ciphertext created by encryption of data is unpredictable.

47. Another cryptographic tool frequently used in electronic commerce application is a cryptographic hash function. This function takes arbitrary data as input and generates an unpredictable value that is a large number (e.g