Filed: January 3, 2023

UNITED STATES PATENT AND TRADEMARK OFFICE

_____________________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD

_____________________________

BANK OF AMERICA, N.A.; TRUIST BANK; BOKF, N.A.; WELLS FARGO BANK, N.A.; AND PNC BANK, N.A.,
Petitioners,

v.

DYNAPASS IP HOLDINGS LLC,
Patent Owner.

_____________________________

IPR2023-00367
U.S. Patent 6,993,658

_____________________________

PETITION FOR INTER PARTES REVIEW OF U.S. PATENT 6,993,658

TABLE OF CONTENTS

I. Relief Requested
II. The ’658 Patent
III. Level of Ordinary Skill
IV. Claim Construction
V. Ground 1: Guthrie in Combination with Sormunen Renders Obvious the Challenged Claims
    A. Guthrie-Sormunen Combination
        1. Summary of the Guthrie-Sormunen Combination
        2. Guthrie and Sormunen Are Analogous Art and Combinable
        3. A POSITA Would Have Been Motivated to Implement Sormunen’s Mobile Station and Method for Requesting and Obtaining Authentication Data at a Mobile Station in Guthrie to Improve Security
    B. Independent Claims
        1. Claim 1
        2. Claim 5
    C. Dependent Claims
        1. Claim 2: “The method of claim 1, wherein the new password is generated by concatenating the token and the passcode.”
        2. Claim 3: “The method of claim 1, wherein the personal communication device is a mobile phone.”
        3. Claim 6: “The system of claim 5, wherein the communication module is further configured to receive a request from the user for the token, and wherein the control module is further configured to create the new password in response to the request.”
        4. Claim 7: “The system of claim 6, wherein the request is transmitted by the user through the personal communication device.”
VI. Ground 2: Kato in Combination with Guthrie Renders Obvious the Challenged Claims
    A. Kato-Guthrie Combination
        1. Summary of the Kato-Guthrie Combination
        2. Kato Is Analogous Art and Combinable with Guthrie
        3. A POSITA Would Have Been Motivated to Add Guthrie’s Challenge-Response Process to Kato’s Three-Device Architecture and Would Have Had a Reasonable Expectation of Success
    B. Independent Claims
        1. Claim 1
        2. Claim 5
    C. Dependent Claims
        1. Claim 2
        2. Claim 3
        3. Claims 6 and 7
VII. Institution Under 35 U.S.C. § 314(a) Is Appropriate in View of Petitioners’ Sotera Stipulation
VIII. Institution Under 35 U.S.C. § 325(d) Is Appropriate in View of New References and Arguments
IX. Mandatory Notices
    A. Real Parties-in-Interest
    B. Related Matters
    C. Lead and Back-Up Counsel
    D. Service Information
X. Standing
XI. Conclusion

TABLE OF AUTHORITIES

Cases

Abbott Diabetes Care Inc. v. DexCom, Inc., IPR2022-00922, Paper 13 (PTAB Nov. 3, 2022)
Advanced Bionics, LLC v. MED-EL Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 (PTAB Feb. 13, 2020)
Alcon Inc. v. AMO Dev., LLC, IPR2021-00843, Paper 15 (PTAB Nov. 12, 2021)
Becton, Dickinson & Co. v. B. Braun Melsungen AG, IPR2017-01586, Paper 8 (PTAB Dec. 15, 2017)
Ex parte Davis, Appeal No. 2008-3403, 2008 WL 4865519 (BPAI Nov. 10, 2008)
Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc)
Sotera Wireless, Inc. v. Masimo Corp., IPR2020-01019, Paper 12 (PTAB Dec. 1, 2020)
Target Corp. v. Proxicom Wireless, LLC, IPR2020-00931, Paper 10 (PTAB Nov. 10, 2020)
Williamson v. Citrix Online, LLC, 792 F.3d 1339 (Fed. Cir. 2015) (en banc)
Zeroclick, LLC v. Apple Inc., 891 F.3d 1003 (Fed. Cir. 2018)
Zillow Grp., Inc. v. Int’l Bus. Machs. Corp., IPR2020-01656, Paper 8 (PTAB Mar. 15, 2021)

Statutes

35 U.S.C. § 102(a)
35 U.S.C. § 102(b)
35 U.S.C. § 102(e)
35 U.S.C. § 103
35 U.S.C. § 112
35 U.S.C. § 314(a)
35 U.S.C. § 315(d)
35 U.S.C. § 325(d)

Regulations

37 C.F.R. § 42.104(b)(3)

Other Authorities

Memorandum re Interim Procedure for Discretionary Denials in AIA Post-Grant Proceedings with Parallel District Court Litigation (June 21, 2022)

TABLE OF EXHIBITS

Exhibit | Description
Ex. 1001 | U.S. Patent No. 6,993,658 B1 to Engberg et al. (“the ’658 Patent”)
Ex. 1002 | Declaration of Dr. Peter Lawrence Reiher (“Reiher”)
Ex. 1003 | Curriculum Vitae of Dr. Peter Lawrence Reiher
Ex. 1004 | Prosecution History of the ’658 Patent
Ex. 1005 | Japanese Patent Application Publication No. JP2000-10927 (Japanese language document) to Kato, filed June 25, 1998, published January 14, 2000 (“Kato”)
Ex. 1006 | English Translation of Japanese Patent Application Publication No. JP2000-10927
Ex. 1007 | U.S. Patent No. 6,161,185 to Guthrie et al., filed March 6, 1998, published December 12, 2000 (“Guthrie”)
Ex. 1008 | U.S. Patent No. 5,060,263 to Bosen et al., filed March 9, 1988, published October 22, 1991 (“Bosen”)
Ex. 1009 | U.S. Patent No. 6,609,206 B1 to Veneklase, filed February 5, 1999, published August 19, 2003 (“Veneklase”)
Ex. 1010 | U.S. Patent No. 5,604,803 to Aziz, filed June 3, 1994, published February 18, 1997 (“Aziz”)
Ex. 1011 | U.S. Patent No. 6,078,908 to Schmitz, filed April 22, 1998, published June 20, 2000 (“Schmitz”)
Ex. 1012 | International Patent Application Publication No. WO 95/19593 to Kew et al., filed January 12, 1995, published July 20, 1995 (“Kew”)
Ex. 1013 | U.S. Patent No. 5,153,919 to Reeds et al., filed September 13, 1991, published October 6, 1992 (“Reeds”)
Ex. 1014 | U.S. Patent No. 6,662,300 B1 to Peters, filed June 29, 1999, published December 9, 2003 (“Peters”)
Ex. 1015 | U.S. Patent No. 5,668,876 to Falk et al., filed June 24, 1994, published September 16, 1997 (“Falk”)
Ex. 1016 | U.S. Patent No. 5,491,752 to Kaufman et al., filed September 2, 1994, published February 13, 1996 (“Kaufman”)
Ex. 1017 | U.S. Patent No. 5,736,932 to Bulfer et al., filed July 3, 1996, published April 7, 1998 (“Bulfer”)
Ex. 1018 | International Patent Application Publication No. WO 97/31306 to Sormunen et al., filed February 6, 1997, published August 28, 1997 (“Sormunen”)
Ex. 1019 | U.S. Patent Application Publication No. 2001/0007817 to Odagiri et al., filed December 8, 2000, published July 12, 2001 (“Odagiri”)
Ex. 1020 | International Patent Application Publication No. WO 01/16899 A2, filed August 17, 2000, published March 8, 2001 (“Shields”)
Ex. 1021 | U.S. Patent No. 6,430,407 B1 to Turtiainen, filed February 4, 1999, published August 6, 2002 (“Turtiainen”)
Ex. 1022 | U.S. Patent No. 6,731,731 B1 to Ueshima, filed March 29, 2001, published May 4, 2004 (“Ueshima”)
Ex. 1023 | U.S. Patent No. 6,259,909 B1 to Ratayczak et al., filed July 8, 1998, published July 10, 2001 (“Ratayczak”)
Ex. 1024 | U.S. Patent Application Publication No. 2003/0046083 A1 to Devinney et al., filed November 21, 1997, published March 6, 2003 (“Devinney”)
Ex. 1025 | U.S. Patent No. 6,535,855 B1 to Cahill et al., filed March 31, 1998, published March 18, 2003 (“Cahill”)
Ex. 1026 | U.S. Patent No. 7,260,221 B1 to Atsmon, filed May 15, 2001, published August 21, 2007 (“Atsmon”)
Ex. 1027 | U.S. Patent No. 5,406,619 to Akhteruzzaman, filed March 31, 1994, published April 11, 1995 (“Akhteruzzaman”)
Ex. 1028 | U.S. Patent No. 6,338,140 B1 to Owens et al., filed November 24, 1998, published January 8, 2002 (“Owens”)
Ex. 1029 | U.S. Patent No. 5,887,065 to Audebert, filed October 2, 1997, published March 23, 1999 (“Audebert”)
Ex. 1030 | U.S. Patent Application Publication No. 2002/0178370 A1 to Gurevich et al., filed December 29, 2000, published November 28, 2002 (“Gurevich”)
Ex. 1031 | U.S. Patent No. 6,983,308 B1 to Oberhaus et al., filed December 22, 1998, published January 3, 2006 (“Oberhaus”)
Ex. 1032 | U.S. Patent No. 6,035,406 to Moussa et al., filed April 2, 1997, published March 7, 2000 (“Moussa”)
Ex. 1033 | Disclosure of Asserted Claims and Infringement Contentions, Dynapass IP Holdings LLC v. JPMorgan Chase & Co. et al., Case No. 2:22-cv-00212 (Lead Case) (E.D. Tex. Sept. 8, 2022)

I. Relief Requested

Petitioners request inter partes review and cancellation of claims 1-3 and 5-7 (“the Challenged Claims”) of U.S. Patent No. 6,993,658 based on:

Exhibit | References | Type
Ex. 1005 | Japanese Patent Application Publication No. JP2000-10927 (Japanese language document) to Kato, filed June 25, 1998, published January 14, 2000 (“Kato”)[1] | § 102(a)
Ex. 1007 | U.S. Patent No. 6,161,185 to Guthrie et al., filed March 6, 1998, published December 12, 2000 (“Guthrie”) | § 102(e)
Ex. 1018 | International Patent Application Publication No. WO 97/31306 to Sormunen et al., filed February 6, 1997, published August 28, 1997 (“Sormunen”) | § 102(b)

The Challenged Claims are unpatentable under the following grounds:

Ground | Claims | Reference(s) | Basis
1 | 1-3, 5-7 | Guthrie, Sormunen | § 103
2 | 1-3, 5-7 | Kato, Guthrie | § 103

[1] All reference cites are based on the translation (Ex. 1006).

II. The ’658 Patent

The application for the ’658 Patent was filed on March 6, 2000. Ex. 1001, 1. Dynapass asserted that the priority date of the Challenged Claims is the March 6, 2000, filing date. Ex. 1033, 3.

The ’658 Patent discloses authenticating a user to access a secure system based on a password. Ex. 1001, Abstract. A user authentication server authenticates the user by receiving a password from the user via a secure computer network and comparing the received password with a password associated with the user in a user database. Id., Abstract, 3:8-14, 7:11-18, 7:40-67.

Id., FIG. 1.[2]

To obtain the password, the user sends a request for a token to a token server over a cell phone network via a personal communication device. Id., 5:22-31, 6:1-12, 6:26-40, 7:46-63, 9:3-10. The user authentication server identifies the request with the user, generates a token, and transmits the token to the personal communication device. Id., 1:63-2:15, 5:22-56, 6:4-12, 6:35-67, 7:31-39, 9:28-54, 10:59-62. The token server also generates a new password based on the token and a passcode and updates the user database. Id., 6:59-64, 8:16-25, 8:53-63, 9:28-37. The token is not known to the user, but the passcode is. Id., 4:36-39, 6:52-55, 9:21-25. Before the token expires, the user can submit the password to the user authentication server via the secure computer network to access the secure system. Id., Abstract, 4:52-56, 7:57-67, 9:55-64.

III. Level of Ordinary Skill

A person of ordinary skill in the art (“POSITA”) would have at least a bachelor’s degree in Electrical Engineering, Computer Science, Computer Engineering, or equivalent, and at least two years of prior experience with user authentication technologies for computer systems as of the earliest priority date of the ’658 Patent—March 6, 2000. Additional education could substitute for professional experience and vice versa. Reiher, 23.

[2] All emphases and annotations added unless noted otherwise.

IV. Claim Construction

The Board construes claims per Phillips v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc). For this IPR, the plain meaning of each claim term can be applied. Reiher, 25-29. Petitioners reserve the right to contend that any of the Challenged Claims are indefinite.

V. Ground 1: Guthrie in Combination with Sormunen Renders Obvious the Challenged Claims

A. Guthrie-Sormunen Combination

1. Summary of the Guthrie-Sormunen Combination

Guthrie discloses authenticating a user to access network resources coupled to a server based on dynamic authentication data submitted via a client. To enhance security, Guthrie discloses using authentication data that includes three pieces of authentication information—a secret password known by the user (never transmitted across a network), a randomly generated challenge (transmitted to the user), and a response generated from the password and challenge (transmitted by the user). Guthrie, Abstract. Guthrie discloses sending a request for the challenge from the user via the client to the server, transmitting the challenge from the server to the client over a computer network, calculating a response by a client Secure Authentication DataBase (“SADB”) calculator by performing a hashing algorithm on the password and challenge, and transmitting the response to the server for authentication. Id., 7:60-8:6, 6:57-64, 7:27-38; Reiher, 55.

Like Guthrie, Sormunen discloses authenticating a user to access network resources based on a dynamic password submitted via an access terminal. Sormunen, p. 1, ll. 24-28, p. 7, ll. 9-18, FIG. 2. To increase security, Sormunen discloses a method of obtaining the dynamic password that includes a three-device architecture: sending a “password request” from the user via a mobile station (one device) to a password server (second device), transmitting the password to the mobile phone over a mobile communication network, and submitting the password to the password server via an access terminal (third device) for authentication. Id., p. 5, l. 33–p. 7, l. 18; Reiher, 56.

Sormunen, FIG. 2.

A POSITA would have combined Guthrie and Sormunen to improve the security of Guthrie’s system by implementing Sormunen’s mobile station to request and receive Guthrie’s challenge. Adding a mobile station to Guthrie’s system would improve the secure identification of the user by requiring the user to possess a third device (from Sormunen) in addition to the user’s secret password (from Guthrie). Ratayczak, 1:39-55, 2:4-34, 4:24-32 (teaching using a mobile telephone for transmitting authentication data allows for greater security); Reiher, 57.

2. Guthrie and Sormunen Are Analogous Art and Combinable

The ’658 Patent discloses authenticating a user to gain access to a secure system based on a dynamic password. Ex. 1001, Abstract; § II; Reiher, 58.

Like the ’658 Patent, Guthrie discloses a personal authentication system with a dynamic challenge-response process to enhance security. Guthrie, Abstract; Reiher, 59.

Guthrie, FIG. 5.

To access a server, a user initiates an authentication request for a challenge from the server. Id., 7:49-63. A server SADB calculator identifies the user, generates a challenge (an eight-digit random value), and sends the challenge to the user via the client. Id., 7:64-8:2, 10:39-46, 11:21-25. The server also generates an expected response based on the challenge and an SADB password associated with the user stored in a user account table, updates the expected response value stored in the table, and sets in the user account table a response valid timer that provides a limited duration in which the user must generate a response. Id., 10:46-58, FIG. 6. After receiving the challenge, the user’s computer calculates the response based on the challenge and the user’s SADB password and submits the response to the server. Id., 6:65-7:6, 7:27-38. Before the timer expires, the server compares the expected response with the response from the client to authenticate the user. Id., 7:7-9, 7:38-45, 11:60-12:42. If the timer has expired, the user cannot be authenticated without restarting the challenge-response process. Id., 11:50-59, FIG. 8B; Reiher, 60.

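
The challenge-response flow described in the preceding paragraph, shown as an added Python example; it is not code from the petition or from Guthrie. HMAC-SHA-256 as the hashing algorithm, the 60-second response window, the single-use clearing of a challenge after one attempt, and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESPONSE_VALID_SECONDS = 60  # assumed value; the page gives no duration


def compute_response(password: str, challenge: str) -> str:
    """Response derived from the secret password and the challenge.

    HMAC-SHA-256 is a stand-in (assumption): the page says only that a
    hashing algorithm is performed on the password and the challenge.
    """
    return hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: user account table, expected response, response valid timer."""

    def __init__(self, passwords, clock=time.monotonic):
        # account ID -> stored password plus per-login state
        self._accounts = {
            uid: {"password": pw, "expected": None, "deadline": None}
            for uid, pw in passwords.items()
        }
        self._clock = clock

    def request_challenge(self, account_id):
        row = self._accounts.get(account_id)
        if row is None:
            return None
        challenge = f"{secrets.randbelow(10**8):08d}"  # eight-digit random value
        # Store the expected response and start the response valid timer.
        row["expected"] = compute_response(row["password"], challenge)
        row["deadline"] = self._clock() + RESPONSE_VALID_SECONDS
        return challenge

    def verify(self, account_id, response):
        row = self._accounts.get(account_id)
        if row is None or row["expected"] is None:
            return "no-challenge"
        expected, deadline = row["expected"], row["deadline"]
        # Assumption: a challenge is good for one attempt only, so any
        # further attempt has to restart the challenge-response process.
        row["expected"] = row["deadline"] = None
        if self._clock() > deadline:
            return "expired"
        # Constant-time comparison of expected and submitted response.
        if hmac.compare_digest(expected.encode(), response.encode()):
            return "ok"
        return "rejected"


class FakeClock:
    """Controllable clock so the timer can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    # Constructed sample account, not taken from the page.
    clock = FakeClock()
    server = AuthServer({"alice": "correct horse"}, clock=clock)
    results = {}

    # Legitimate user: knows the password, answers within the window.
    c = server.request_challenge("alice")
    results["in_time"] = server.verify("alice", compute_response("correct horse", c))

    # Someone who sees the challenge but does not know the password.
    c = server.request_challenge("alice")
    results["challenge_only"] = server.verify("alice", compute_response("guess", c))

    # Correct response submitted after the response valid timer ran out.
    c = server.request_challenge("alice")
    clock.advance(RESPONSE_VALID_SECONDS + 1)
    late = compute_response("correct horse", c)
    results["late"] = server.verify("alice", late)

    # Resubmitting the same response without requesting a new challenge.
    results["replay"] = server.verify("alice", late)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The password never leaves the client or the server's account table; only the challenge and the response cross a network, which is the property the petition relies on when it discusses delivering the challenge over a separate channel.
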

Sormunen is in the same field of user authentication and addresses the same problem of regulating a user’s access to a secure computer system as the ’658 Patent and Guthrie. Like the ’658 Patent, Sormunen discloses a personal authentication system with a dynamic process for obtaining authentication data using a personal communication device—a mobile station—to enhance security. Sormunen, Abstract, p. 5, l. 33–p. 7, l. 7. Like the ’658 Patent, to securely obtain the password, Sormunen sends a short message including a “password request” from a mobile station via a mobile communication network, like a cellular network. Id., p. 4, l. 30–p. 6, l. 1, p. 7, l. 37–p. 8, l. 3. A password server receives the request, generates a password, and sends a reply message containing the password to the mobile station. Id., p. 6, ll. 20-38. The user then submits, via an access terminal, the received password to access the protected service. Id., p. 6, l. 35–p. 7, l. 24. Sormunen’s mobile station communicates with the password server over a mobile communication network (id., p. 7, l. 37–p. 8, l. 3, p. 8, ll. 19-22), and the access terminal is connected with the protected service over a separate computer network (id., p. 3, ll. 25-38, p. 8, ll. 5-7). Reiher, 61.

Guthrie and Sormunen are both analogous to the ’658 Patent and are combinable. Both disclose user authentication systems and obtaining dynamic authentication data for authenticating a user to access a secured system. Both address the same problem—problems of conventional authentication systems based on a fixed password, which can be stolen or guessed, and the risk of transmitting a secret password over a computer network, which can more easily be read by unauthorized users than short message service (“SMS”) messages over a cellular network. Guthrie, 1:20-28, 1:49-63; Sormunen, p. 2, ll. 20-29, p. 3, ll. 4-5, p. 4, ll. 1-7, 18-24. Because both address these problems in different ways, the combination creates a more secure system than either individually. Reiher, 62.

3. A POSITA Would Have Been Motivated to Implement Sormunen’s Mobile Station and Method for Requesting and Obtaining Authentication Data at a Mobile Station in Guthrie to Improve Security

a. Motivation

A POSITA would have found it obvious to implement Sormunen’s mobile station and method for requesting and obtaining authentication data at the mobile station in Guthrie’s authentication system to further improve security by: (1) preventing transmission of authentication data over the computer network; (2) preventing transmission of the user’s secret password over any network; and (3) additionally identifying the user based on the mobile device possessed by the user. Id., 63.

First, because Sormunen recognizes that cellular networks and SMS messaging are more secure than computer networks like the Internet, a POSITA would have been motivated to implement Sormunen’s mobile station in Guthrie to request and receive Guthrie’s challenge to prevent the challenge from being exposed over the computer network. Guthrie’s server generates a challenge and sends the challenge to the user via an Internet network. Guthrie, 10:39-46, 11:21-25, 4:65-5:4, 5:25-27. But Sormunen teaches that “unauthorized persons can easily read information transferred via the Internet.” Sormunen, p. 3, ll. 4-5; Veneklase, 1:25-38 (Internet communication systems “have been especially prone to unauthorized ‘break-ins’, viral destruction, and/or unauthorized data modifications”); Kaufman, 3:9-25 (passwords sent to access a distributed system can be eavesdropped). Implementing Sormunen’s method of obtaining authentication data in short messages over a mobile communication network in Guthrie would have reduced the risk of exposing the challenge to an unauthorized user and improved security because “it is almost impossible for outsiders to decipher the content of the short messages.” Sormunen, p. 6, ll. 5-9; Reiher, 64.

Second, a POSITA would have recognized that maintaining Guthrie’s never-transmitted secret password, unlike Sormunen’s authentication data that is all transmitted over one network or another, would result in a more secure combined system. In Sormunen, an unauthorized user could obtain Sormunen’s mobile station and dynamic password to access the secure system. Odagiri, [0004], [0038] (an unauthorized person may obtain a portable telephone, such as a Personal Handy-phone System (“PHS”)). The combined system, however, requires the user to use both the challenge (transmitted) and a secret password (not transmitted) to generate the response, ensuring that an unauthorized user in possession of the mobile station and challenge cannot access the secured system without the user’s secret password. Bosen, 2:26-31, 4:44-49 (improving security by making the generation of authentic passwords dependent not only on possession of a random challenge, but also on possession of confidential information); Falk, 4:32-45 (confirming the user’s identity by requiring information from the user, the authentication center, and the cellular phone), 5:4-7 (the user must know the user’s PIN, be in possession of the cellular telephone, and receive the appropriate challenge code); Reiher, 65.

Third, using Sormunen’s mobile station to request and receive Guthrie’s challenge further improves security by additionally verifying the user by their personal communication device. The only user-specific data Guthrie requires for requesting the challenge is the user account ID. Guthrie, 7:60-63. A user account ID is typically not secret and can be known to an unauthorized user. Id., 1:25-29; Kato, [0003]; Kaufman, 2:8-12. Using Sormunen’s mobile station to obtain Guthrie’s challenge allows the challenge request to be sent from a user-associated mobile station (by a telephone number). This allows Guthrie’s server to identify the user based on the mobile station in addition to the user account ID. Sormunen, p. 4, ll. 30-33 (SMS messages are sent based on a telephone number), p. 9, ll. 28-32 (using a telephone number of the mobile station to identify the user); Ueshima, Abstract, 16:13-20, 10:20-29, FIG. 3 (authenticating a user by identifying the user’s number before generating and transmitting a password to the user); Kato, [0008] (disclosing a mobile telephone terminal has a telephone number); Bulfer, 3:1-18 (identifying a user based on a wireless remote communication device having a unique number); Falk, 4:32-45, 5:4-7; Turtiainen, 8:1-53 (identifying a user based on user information associated with a mobile station). Such identification of the user ensures that an unauthorized user who obtains the user’s account ID and account password still cannot obtain the challenge to access Guthrie’s secured system so long as the unauthorized user does not obtain possession of the user’s personal communication device. And even if an unauthorized user were to obtain possession of the user’s personal communication device, they would additionally have to have the user’s secret password—which cannot be intercepted via network communications—to access the system. Requiring all three components of the combination—a mobile station, a secret password, and a challenge—results in a more secure system than either Guthrie or Sormunen individually. Reiher, 66.

b. Reasonable Expectation of Success

A POSITA would have had a reasonable expectation of success in implementing Sormunen’s mobile station and method for requesting and obtaining authentication data at the mobile station in Guthrie’s authentication system. Guthrie’s server can receive and send short messages in the same way as Sormunen’s password server. Guthrie discloses that its server can have a dial-in application forming connections over Integrated Services Digital Network (“ISDN”) lines. Guthrie, 5:30-32, 13:48-53. Likewise, Sormunen’s password server can connect with the SMS center using an ISDN connection. Sormunen, p. 8, ll. 15-18. Guthrie’s server, like Sormunen’s password server, is capable and ready to form the same ISDN connection with an SMS center to receive a challenge request and send a challenge in short messages over a mobile communication network. Id.; Reiher, 67.

A POSITA would have further had a reasonable expectation of success in implementing Guthrie’s challenge-response process using the mobile device of Sormunen (adding Sormunen’s mobile station to Guthrie) by either (1) having the mobile station receive the challenge, but implementing Guthrie’s SADB calculator on Guthrie’s client after the user manually enters the received challenge on the client; or (2) having the mobile station implement Guthrie’s SADB calculator and then having the user enter the resulting response on Guthrie’s client. Both implementations provide the security benefit recognized by Guthrie of requiring manual entry of authentication data. Guthrie, FIG. 9A, 7:29-34, 12:57-60; Reiher, 68.

In the first implementation, a POSITA would have had a reasonable expectation of success because Guthrie’s SADB calculator is already implemented in its client device and Guthrie expressly contemplates a user manually entering information into the calculator. Guthrie, FIG. 9A, 7:29-34, 12:57-60; Reiher, 69.

In the second implementation, a POSITA would have had a reasonable expectation of success because Sormunen’s mobile station is capable and ready for implementing Guthrie’s client SADB calculator or secured hashing algorithm (“SHA”). Sormunen’s mobile station is capable of performing SHA. Guthrie discloses that its SADB calculators can be implemented as software on various platforms, including a “palm top computer.” Guthrie, Abstract, 3:59-63, 4:8-13, 5:18-22, 5:48-6:9, 12:43-53, 13:16-20. A POSITA would have understood that a “palm top computer” is a mobile computer like Sormunen’s mobile station. Odagiri, [0038], [0046]-[0047]; Ueshima, 4:1-4, 9:14-22; Oberhaus, 1:21-23. And mobile stations were known to perform hash algorithms. Falk, 3:4-20, 4:19-45. Guthrie’s SADB calculators are “not compute intensive,” and “the central processing unit (CPU) and input/output (I/O) processing requirements for the calculators are minimal ... so that authentication can be calculated in substantially less than one second.” Guthrie, 2:57-67. Sormunen teaches that its mobile station can be implemented with software applications to perform functions, such as forming and processing short messages (Sormunen, p. 7, ll. 25-34). A POSITA would have understood that Guthrie’s SADB calculator would be readily implemented in Sormunen’s mobile station as a software application. Reiher, 70.

B. Independent Claims

1. Claim 1

a. 1[preamble]: “A method of authenticating a user on a first secure computer network, the user having a user account on said first secure computer network, the method comprising:”

Guthrie discloses 1[preamble]. Id., 72-77.

The ’658 Patent provides no definition for secure computer network, but the specification explains that a secure computer network is a “secure system” accessible over a network. Ex. 1001, Abstract, 4:20-26. The “preferred embodiment of the present invention is a password setting system for setting user passwords for a sec
