IPR2023-00367
`Patent 6,993,658
`UNITED STATES PATENT AND TRADEMARK OFFICE
`________________
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`_________________
`BANK OF AMERICA, N.A., TRUIST BANK, BOKF, N.A., WELLS FARGO
`BANK, N.A., and PNC BANK, N.A.,
`
`Petitioner,
`v.
`DYNAPASS IP HOLDINGS, LLC
`
`Patent Owner.
`__________________
`Inter Partes Review No. IPR2023-00367
`Patent No. 6,993,658
`PATENT OWNER’S PRELIMINARY RESPONSE TO THE PETITION
`FOR INTER PARTES REVIEW OF U.S. PATENT NO. 6,993,658
`PURSUANT TO 37 C.F.R. § 42.107
`
`Filed on behalf of Patent Owner by:
`
`John Wittenzellner (Reg. No. 61,662)
`1735 Market Street, Suite A #453
`Philadelphia, PA 19103
`
`Todd E. Landis (Reg. No. 44,200)
`2633 McKinney Ave., Suite 130
`Dallas, TX 75204
`
`Mark McCarthy (Reg. No. 69,575)
`601 Congress Ave., Suite 600
`Austin, TX 78701
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`WILLIAMS SIMONS & LANDIS PLLC
`
`-ii-
`
`

`

`I.
`II.
`III.
`
`IPR2023-00367
`Patent 6,993,658
`
`TABLE OF CONTENTS
`
`INTRODUCTION ........................................................................................... 1
`STATEMENT OF THE PRECISE RELIEF REQUESTED .......................... 2
`THE PETITION SHOULD BE DENIED BECAUSE IT DOES NOT
`ESTABLISH A REASONABLE LIKELIHOOD OF SUCCESS ON
`ANY CHALLENGED CLAIM. ...................................................................... 2
`A.
`The ’658 Patent ....................................................................................... 3
`B.
`Level of Ordinary Skill in the Art ........................................................ 10
`C. Claim Construction ............................................................................... 10
`D. Ground 1 – The Combination of Guthrie and Sormunen Does Not
`Render Obvious Claims 1-3 and 5-7 of the ’658 Patent. ..................... 11
`1.
`It Would Not Have Been Obvious To Combine Guthrie And
`Sormunen ..................................................................................15
`Independent Claim 1 .................................................................24
`i.
`1[a] “associating
`the user with a personal
`communication device . . . wherein said second
`network is a cell phone network different from the
`first computer network” ....................................................24
`1[b] “receiving a request from a user for a token
`via the personal communication device, over the
`second network” ................................................................24
`iii. 1[f] “transmitting the token to the personal
`communication device” .....................................................25
`Dependent Claims 2 and 3 ........................................................25
`Independent Claim 5 .................................................................25
`i.
`5[b] “a user database configured to associate a user
`with a personal communication device possessed
`by the user . . .” ..................................................................25
`
`2.
`
`3.
`4.
`
`ii.
`
`-i-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`ii.
`
`2.
`
`5[e] “a communication module configured to
`transmit the token to the personal communication
`device through the cell phone network” ...........................26
`Dependent Claims 6 and 7 ........................................................26
`5.
`E. Ground 2 – The Combination of Kato and Guthrie Does Not Render
`Obvious Claims 1-3 and 5-7 of the ’658 Patent. .................................. 27
`1.
`It Would Not Have Been Obvious To Combine Kato And
`Guthrie ......................................................................................31
`Independent Claim 1 .................................................................36
`i.
`1[a] “associating
`the user with a personal
`communication device . . . wherein said second
`network is a cell phone network different from the
`first computer network” ....................................................36
`1[b] “receiving a request from a user for a token
`via the personal communication device, over the
`second network” ................................................................36
`iii. 1[f] “transmitting the token to the personal
`communication device” .....................................................37
`Dependent Claims 2 and 3 ........................................................37
`Independent Claim 5 .................................................................37
`i.
`5[b] “a user database configured to associate a user
`with a personal communication device possessed
`by the user . . .” ..................................................................37
`5[e] “a communication module configured to
`transmit the token to the personal communication
`device through the cell phone network” ...........................38
`Dependent Claims 6 and 7 ........................................................38
`5.
`THE PETITION SHOULD BE DENIED BECAUSE THE BOARD
`DOES NOT HAVE JURISDICTION OVER EXPIRED PATENTS. ..........39
`CONCLUSION ..............................................................................................40
`
`3.
`4.
`
`ii.
`
`ii.
`
`IV.
`
`V.
`
`-ii-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`TABLE OF AUTHORITIES
`
`Cases
`Oil States Energy Servs., LLC v. Greene’s Energy Grp., LLC,
`138 S. Ct. 1365 (2018) .........................................................................................39
`Statutes
`35 U.S.C. § 314(b)(1)...............................................................................................11
`
`-iii-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Exhibit
`
`2001
`
`2002
`
`EXHIBIT LIST
`
`Description
`Google Patents webpage for U.S. Patent No. 6,993,658,
`
`https://patents.google.com/patent/US6993658B1/
`
`Docket Control Order, Dynapass IP Holdings, LLC v. JPMorgan
`
`Chase & Co., et al., No. 2:22-cv-00212-JRG-RSP p. 6 (E.D. Tex.
`
`Oct. 13, 2022)
`
`-iv-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`I.
`
`INTRODUCTION
`
`Dynapass IP Holdings, LLC (“Patent Owner”) respectfully submits this
`
`Preliminary Response (the “Response”) to the Petition for Inter Partes Review of
`
`U.S. Patent No. 6,993,658 (IPR2023-00367, the “Petition” or “Pet.”) filed by Bank
`
`of America, N.A., Truist Bank, BOKF, N.A., Wells Fargo Bank, N.A., and PNC
`
`Bank, N.A. (collectively, “Petitioners”).
`
`Institution should be denied because the Petition fails to demonstrate a
`
`reasonable likelihood that any challenged claim of the ’658 Patent is unpatentable.
`
`Faced with novel, nonobvious claims, Petitioners engage in impermissible hindsight
`
`to pick and choose disclosures in an attempt to recreate the claimed inventions of the
`
`’658 Patent. For example, Petitioners disregard the fact that Guthrie expressly
`
`teaches away from using battery powered devices, like the “mobile station” in
`
`Sormunen or the “PHS terminal” in Kato. See Ex. 1007 at 1:61-63 (“Furthermore,
`
`the card requires a battery to energize its internal circuitry. Therefore, the card has
`
`a limited life, after which a new battery must be inserted.”). Petitioners argue that
`
`“cellular networks and SMS messaging are more secure than computer networks like
`
`the Internet,” with no supporting evidence. And they ask the Board to find, again
`
`without any supporting evidence, that 1997/1998 timeframe mobile phones and
`
`pagers were capable of implementing the cryptographic algorithms that Guthrie only
`
`describes as being performed on a personal computer. In sum, Petitioner’s
`
`-1-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`obviousness theory is cut from whole cloth, so they cannot meet their burden of
`
`showing that the challenged claims are unpatentable.
`
`Finally, the Petition should be denied because the Board does not have
`
`jurisdiction over expired patents. For these reasons, institution should be denied.
`
`II.
`
`STATEMENT OF THE PRECISE RELIEF REQUESTED
`
`Petitioners assert that claims 1-3 and 5-7 of the ’658 Patent are unpatentable
`
`under the following grounds:
`
`Pet., p. 1.
`
`Patent Owner requests that the Board deny institution of the Petition with
`
`respect to all challenged claims and all asserted grounds. A full statement of the
`
`reasons for the relief requested is set forth in Sections III and IV of this Response.
`
`III.
`
`THE PETITION SHOULD BE DENIED BECAUSE IT DOES NOT
`ESTABLISH A REASONABLE LIKELIHOOD OF SUCCESS ON ANY
`CHALLENGED CLAIM.
`
`As shown below, the Petition fails to demonstrate a reasonable likelihood that
`
`Petitioner would prevail with respect to any claim of the ’658 Patent. The Petition
`
`challenges claims 1-3 and 5-7 of the ’658 Patent (the “Challenged Claims”). Pet. at
`
`-2-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`1. As detailed herein, each proposed Ground fails to disclose key limitations of each
`
`Challenged Claim, so trial should not be instituted.
`
`A.
`
`The ’658 Patent
`
`The ’658 Patent, which is titled “Use of Personal Communication Devices for
`
`User Authentication,” was filed on March 6, 2000, and issued on January 31, 2006.
`
`Ex. 1001. The ’658 Patent relates to “the authentication of users of secure systems
`
`and, more particularly, the invention relates to a system through which user tokens
`
`required for user authentication are supplied through personal communication
`
`devices such as mobile telephones and pagers.” Ex. 1001 at 1:7-11.
`
`At the time of the claimed inventions, “secure systems”1 used “a user ID and
`
`password pair to identify and authenticate system users.” See id. at 1:13-14.
`
`Although user ID/password pairs were ubiquitous, they suffered from several
`
`shortcomings, as recognized by the inventors of the ’658 Patent:
`
`Passwords created by users are often combinations of words and names,
`which are easy to remember but also easily guessed. Guessing
`passwords is a frequent technique used by “hackers” to break into
`systems. Therefore, many systems impose regulations on password
`formats that require mixtures of letters of different cases and symbols
`and that no part of a password be a word in the dictionary. A user’s
`inability to remember complex combinations of letters, numbers, and
`
`1 The ’658 Patent describes many non-limiting examples of a “secure system,”
`including Novell NetWare-, Microsoft NT-, Windows 2000-, and UNIX/Linux-
`based computers, as well as “any system, device, account, “a user account on a
`network of computer workstations, a user account on a website, or a secure area of
`a building.” Ex. 1001 at 1:13-19, 4:13-23.
`
`-3-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`symbols often results in the password being written down, sometimes
`on a note stuck to the side of a workstation.
`
`Id. at 1:28-38.
`
`The increasing use of remote connectivity at the time of the claimed
`
`inventions further exacerbated the shortcomings of user ID/password pairs. See id.
`
`at 1:20-26. As a result, then-current systems faced several issues:
`
`Present systems face several problems: users dread frequent password
`changes, frequent password changes with hard-to-remember passwords
`inevitably result in users surreptitiously writing down passwords, and
`security is compromised when users write down their passwords.
`
`Id. at 1:39-43. Two-factor authentication (a form of multi-factor authentication)
`
`improves user ID/password pairs by adding “unpredictable, one-time-only access
`
`codes.” See id. at 1:49-51. The first factor is “a user passcode or personal
`
`identification number.” See id. at 1:46-47. The second factor is the “unpredictable,
`
`one-time-only access codes.” See id. at 1:49-51. In two-factor authentication,
`
`system access is based upon:
`
` “nonsecret information known to the user, such as the user ID;”
`
` secret information known to the user, such as the passcode;” and
`
` “information provided to the user through an object possessed by the user,
`
`such as the token.”
`
`Id. at 2:11-15.
`
`-4-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`The ’658 Patent acknowledges the existence of the RSA Security, Inc.
`
`SecurID product at the time of the claimed inventions, but identified significant
`
`deficiencies in the product:
`
`The SecurID product, however, requires users to carry an additional
`item on their person in order to access a secure system. It would be
`advantageous if the benefits of the SecurID system could be achieved
`using a device
`that many users already carry—a personal
`communication device such as a mobile phone or a pager.
`
`Id. at 1:54-59. The ’658 Patent requires the use of a personal communication device,
`
`which teaches away from a separate device like the SecurID product. See id.
`
`The ’658 Patent solves the deficiencies of the SecurID product and further
`
`improves two-factor authentication in a unique, novel, non-obvious way. Figure 1
`
`of the ’658 Patent, reproduced below, depicts an embodiment of a user
`
`authentication system (identified as “100” in the figure):
`
`-5-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Id. at Fig. 1; see also id. at 3:31-33.
`
`Authentication system (100) regulates access to secure system (110). Id. at
`
`4:9-13. User authentication server (102) “preferably includes a program or a suite
`
`of programs running on a computer system to perform user authentication services.”
`
`Id. at 4:27-29. “The authentication information preferably includes a user ID 152, a
`
`passcode 154 and a user token 156.” Id. at 4:36-39. Tokens are received on the
`
`user’s personal communication device (106), which can be, for example, “a pager or
`
`mobile phone having SMS (short message service) receive capability.” Id. at 4:13-
`
`15.
`
`-6-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`It is important to be aware of the terminology used by the ’658 Patent. The
`
`“user ID may be publicly known and used to identify the user.” Id. at 4:39-40. The
`
`’658 Patent uses the term “passcode” to refer to what is commonly called a
`
`“password:” “For example, the user 108 can combine a valid, memorized passcode
`
`of ‘abcd’ . . . .” Id. 4:54-55; see also id. at 1:27-29 (“Passwords created by users are
`
`often combinations of words and names, which are easy to remember but also easily
`
`guessed.”), 4:40 (The passcode 154 is preferably secret and known only to the user
`
`108.”). The “token” can be, for example, “a random or pseudo-random sequence of
`
`numbers or digits or both numbers and digits.” Id. at 9:22-24.
`
`The ’658 Patent uses the term “password” to refer to the combination of at
`
`least the “passcode” and a “token.” Id. at 4:52-53 (“In the preferred embodiment,
`
`the user 108 combines the token 156 with the passcode 154 to form a password
`
`158.”). For example, if the passcode is “abcd” and the token is “1234,” the password
`
`could be “abcd1234” or “1234abcd.” See id. at 4:54-56. The components of the
`
`password (e.g., the passcode and token) can be combined or sent to the system as
`
`separate components. See id. at 4:52-65.
`
`Figure 5, reproduced below, depicts an embodiment of how the system
`
`provides tokens and authenticates users.
`
`-7-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Id. at Fig. 5; see also id. at 3:41-43.
`
`In step 502, the system associates the user’s user ID and passcode with the
`
`user’s personal communication device. Id. at 8:53-60. By doing so, the system
`
`transmits the token only to the associated user. See id. In steps 504, 506, and 508,
`
`the system receives a request for a token, determines which user made the request
`
`(i.e., associates the request with a user ID), and generates the token. See id. at 9:3-
`
`-8-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`27, Fig. 5. Those steps differ from other systems that continually generate access
`
`codes. See, e.g., id. at 1:49-51 (“The SecurID card generates and displays
`
`unpredictable, one-time-only access codes that automatically change every 60
`
`seconds.”). In step 510, the system generates a new “password” based on at least
`
`the “token” and “passcode.” Id. at 9:28-33, Fig. 5. That password is then stored and
`
`the user’s account can be activated if it was deactivated. Id. at 9:34-41, Fig. 5 (step
`
`512).
`
`In step 514, the system transmits the token to the user’s personal
`
`communication device. See id. at 9:44-53, Fig. 5. Claim 1 of the ’658 Patent
`
`requires that the “personal communication device” be “in communication over a
`
`second network, wherein said network is a cell phone network. . . .” Id. at 11:47-50.
`
`Claim 5 requires that the token is transmitted to the “personal communication
`
`device” through a “cell phone network.” Id. at 12:34-36. The claims also require
`
`that the user’s account is deactivated “within a predetermined amount of time” after
`
`the account is activated. Id. at 12:9-13 (claim 1), 12:41-47 (claim 5).
`
`The Patent Office issued the ’658 Patent issued after several office actions.
`
`Since then, the ’658 Patent has been cited by more than 200 patent applications. Ex.
`
`2001, https://patents.google.com/patent/US6993658B1/. Amongst those patent
`
`applications are patent applications filed by major industry entities, including IBM
`
`Corporation, Microsoft Corporation, Lucent Technologies, Honeywell International,
`
`-9-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Inc., British Telecommunications PLC, AT&T, Visa, and Google Inc. See id. They
`
`also include a patent application filed by JPMorgan Chase Bank, N.A., a defendant
`
`in the parallel district court proceedings in the Eastern District of Texas. See id.
`
`B.
`
`Level of Ordinary Skill in the Art
`
`For the purposes of this Response only, Patent Owner does not dispute the
`
`level of skill of a person of ordinary skill in the art (“POSITA”) identified in the
`
`Petition.
`
`C.
`
`Claim Construction
`
`Due to the substantial deficiencies in the Petition, Patent Owner contends that
`
`claim construction is not necessary for the Board to determine that the Petition fails
`
`to demonstrate a reasonable likelihood that any challenged claim of the ’658 Patent
`
`is unpatentable. Patent Owner reserves the right to address claim construction of
`
`any term in the challenged claims if the Board institutes inter partes proceedings.
`
`Patent Owner notes that Petitioners are defendants in parallel district court
`
`proceedings in the United States District Court for the Eastern District of Texas,
`
`Marshall Division. Those proceedings have been consolidated in Dynapass IP
`
`Holdings, LLC v. JPMorgan Chase & Co., et al., No. 2:22-cv-00212-JRG-RSP (E.D.
`
`Tex.). The deadline for the parties to exchange preliminary claim constructions is
`
`June 22, 2023, and the deadline to file a joint claim construction statement is July
`
`13, 2023, both of which are before the deadline for the Board to issue an institution
`
`-10-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`decision. Ex. 2002, Docket Control Order, Dynapass IP Holdings, LLC v.
`
`JPMorgan Chase & Co., et al., No. 2:22-cv-00212-JRG-RSP p. 6 (E.D. Tex. Oct.
`
`13, 2022); see also 35 U.S.C. § 314(b)(1). Petitioners represented to the Board that
`
`“[f]or this IPR, the plain meaning of each claim terms can be applied.” Pet. at 4.
`
`Patent Owner reserves its right to supplement its briefing if Petitioners adopt a claim-
`
`construction position in the district-court proceedings that is inconsistent with their
`
`representation to the Board.
`
`D.
`
`Ground 1 – The Combination of Guthrie and Sormunen Does Not
`Render Obvious Claims 1-3 and 5-7 of the ’658 Patent.
`
`Petitioners contend that the combination of Guthrie and Sormunen renders
`
`obvious claims 1-3 and 5-7 of the ’658 Patent. Pet. at 1, 4-55. That combination
`
`does not render obvious claims 1-3 and 5-7 of the ’658 Patent for at least the
`
`following reasons.
`
`Guthrie pertains to “electronic access systems in computers.” Ex. 1007 at 1:8-
`
`9. In Guthrie, the user uses a client computer (102) to authenticate with an
`
`authentication server (104). See id. at 4:13-27.
`
`-11-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Id. at Fig. 1A. More specifically, the client computer and the authentication server
`
`both run applications that contain a “calculator” that is used for the authentication
`
`process—both applications calculate the “response value,” based on several inputs,
`
`and the server determines whether the “response value” received from the client
`
`computer matches the “response value” calculated by the server. See id. at 4:13-27.
`
`Guthrie specifies a client computer because its authentication process requires
`
`the user interface and computing power of a computer. Figure 9A, reproduced
`
`below, depicts the user interface of the “SADB calculator” application running on a
`
`client computer:
`
`Id. at Fig. 9A; see also id. at 12:43-45.
`
`The SADB calculator uses a serial number, SADB password, and challenge
`
`as input to the SHA 128 hash algorithm, which is a cryptographic function. See id.
`
`-12-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`6:10-27, Fig. 3. The user interface (including the ability to copy values to and from
`
`the clipboard) is necessitated by the length of the various inputs and the response.
`
`See id. at Fig. 3. Guthrie specifies that the client computer is a DOS, UNIX, or
`
`Macintosh computer due to the requirements of providing a user interface and the
`
`processing requirements necessary to generate the response using the SHA 128 hash
`
`algorithm. See id. at 12:43-53. Similarly, although the authentication server does
`
`not require a user interface, it requires a at least “a DOS-based personal computer
`
`(PC),” if not “a high-grade, mid-range computer.” See id. at 4:50-57. All of the
`
`communications between the client computer and server take place over the same
`
`network, unlike the claims of the ’658 Patent. See, e.g., id. at 4:65-5:1 (“Messages
`
`and other data are exchanged between the client 102 and the server 104 via the
`
`network 100. The network 100 may be a public switched telephone network (PSTN),
`
`such as in a dial-in or other access configuration.”).
`
`Sormunen takes a very different approach from Guthrie. Sormunen discloses
`
`“a method and system for obtaining at least one item of user specific authentication
`
`data, such as a password and/or a user name.” Ex. 1018 at 1:3-5. In contrast to
`
`Guthrie, Sormunen is simply about transmitting user authentication information
`
`(e.g., username or password) to a user. In Sormunen, the user requests a password
`
`or list of passwords by sending a “short message” (i.e., an SMS text message) from
`
`a ”mobile station” to a service. Id. at 5:35-38 (“For obtaining the password or list
`
`-13-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`of passwords required for using a service 1, the user of the service sends a short
`
`message 2 from a paging terminal 3, such as a mobile station.”), 6:5-7 (“For example
`
`the GSM system allows sending short message, wherein a GSM mobile station can
`
`be used in implementation of the method according to the invention.”). Rather than
`
`use a computer like Guthrie, Sormunen uses a 1997-era mobile phone to receive
`
`passwords via text message. See id. Sormunen does not require the computing
`
`power of Guthrie’s client computer because it does not perform hashing algorithms
`
`on multiple inputs to generate a response. Id. at 6:35-7:14 (disclosing that the user
`
`inputs the same password that was previously sent to the user by the short message
`
`service center: “The password server 5 transmits the password and/or the user name
`
`to the short message service center 4, which forms according to the data a reply
`
`message 6, which is sent to the paging terminal 3 preferably in enciphered form. . . .
`
`After the user has given his or her user name and the valid password, the verification
`
`service 9 transmits the given data to the service 1, which sends a check request 11
`
`of the user name and the password to the password server 5.”) That Sormunen uses
`
`a mobile phone is also contrary to Guthrie’s express teaching away from using
`
`battery powered devices, like a mobile phone. See Ex. 1007 at 1:61-63
`
`(“Furthermore, the card requires a battery to energize its internal circuitry.
`
`Therefore, the card has a limited life, after which a new battery must be inserted.”).
`
`That Sormunen transmits passwords via text message also violates a central tenet of
`
`-14-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Guthrie, that “the user’s authentication password is never transmitted over the
`
`network where it could be exposed or compromised.” Id. at 4:23-27 (emphasis
`
`added).
`
`Despite those incompatibilities in the art, the Petition argues that it would have
`
`been obvious to combine Guthrie and Sormunen to arrive at the claimed inventions
`
`of the ’658 Patent. The applicable term for Petitioners’ obviousness argument is
`
`“impermissible hindsight,” which is improper.
`
`1.
`
`It Would Not Have Been Obvious To Combine Guthrie And
`Sormunen
`
`The Petition identifies three reasons for why it would have been obvious to
`
`combine Guthrie and Sormunen, by replacing the client computer of Guthrie with
`
`the “mobile station” of Sormunen:
`
` “(1) preventing transmission of authentication data over the computer
`
`network;”
`
` “(2) preventing transmission of the user’s secret password over any
`
`network;” and
`
` “(3) additionally identifying the user based on the mobile device possessed
`
`by the user.”
`
`Pet., p. 10.
`
`-15-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`First, the Petition argues that “because Sormunen recognizes that cellular
`
`networks and SMS messaging are more secure than computer networks like the
`
`Internet, a POSITA would have been motivated to implement Sormunen’s mobile
`
`station in Guthrie to request and receive Guthrie’s challenge to prevent the challenge
`
`from being exposed over the computer network.” Id. That argument fails because
`
`Sormunen does not recognize that cellular networks and SMS messaging are more
`
`secure than computer networks. Sormunen states that unenciphered data (i.e., non-
`
`encrypted data) can be read when transmitted over the Internet. See Ex. 1018 at 3:4-
`
`5 (cited Pet., p. 11). Sormunen states that SMS messages sent “in enciphered form”
`
`(i.e., encrypted) are “almost impossible for outsiders to decipher.” See id. at 6:5-9.
`
`In other words, Sormunen makes the unremarkable assertion that encrypted data is
`
`more secure than unencrypted data, without making any comparison between
`
`cellular/SMS networks and computer networks. This is further shown by the fact
`
`that Sormunen states that its system can be implemented over an Internet connection.
`
`See id. at 6:12-17 (“Further, the message can be sent by forming a data transmission
`
`connection to the Internet network, to the so-called WWW (World Wide Web) page
`
`of the information service 15 provider, and giving the user authentication data as
`
`well as the number of the mobile station, to which the authentication data is
`
`transmitted preferably in a short message.”), 6:38-7:4 (“The short message service
`
`center 4 for example attends to that the short message is sent to the correct paging
`
`-16-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`terminal 3. Herein it is possible to utilize the information in the connection of the
`
`message received by the short message service center 4 from the paging terminal
`
`3.”). Moreover, Petitioners’ argument is contrary to a related petition for inter partes
`
`review of the ’658 Patent where petitioner Unified Patents argued that cellular/SMS
`
`networks are less secure and subject to eavesdropping:
`
`A POSITA would have understood that the algorithm system has the
`added security benefit of preventing unauthorized personnel from being
`able to access the system by engaging in SIM swapping. SIM swapping
`is a well-known trick of hackers in which they contact your service
`provider and activate a new SIM card on a different device in order to
`receive the user’s authentication token.
`
`Unified Patents, LLC v. Dynapass IP Holdings, LLC, No. IPR2023-00425, Paper 1
`
`p. 32 (Jan. 6, 2023).
`
`Petitioners’ remaining support—Veneklase and Kaufman—do not contain
`
`any comparison between cellular networks and SMS messaging and computer
`
`networks, so they do not support Petitioner’s argument. See Ex. 1009 at 1:25-38
`
`(Veneklase); Ex. 3:9-25 (Kaufman). And the declaration of Dr. Reiher should be
`
`afforded no weigh for this argument because the declaration does nothing more
`
`restate Petitioners’ argument without any additional supporting evidence or
`
`reasoning. Compare Pet. pp. 10-11 with Ex. 1002 ¶64 (Reiher declaration); Xerox
`
`Corp., et al. v. Bytemark, Inc., No. IPR2022-00624, Paper 9, pp. 15-16 (P.T.A.B.
`
`Aug. 24, 2022) (Precedential) (denying IPR institution – holding declaration is
`
`-17-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`entitled to little weight when it contains an exact restatement of the petition’s
`
`arguments without any additional supporting evidence or reasoning).
`
`Second, the Petition argues that “a POSITA would have recognized that
`
`maintaining Guthrie’s never-transmitted secret password, unlike Sormunen’s
`
`authentication data that is all transmitted over one network or another, would result
`
`in a more secure combined system.” Pet., p. 11. But Guthrie already does not
`
`transmit the user’s password. See Ex. 1007 at 4:23-27, 6:10-27, Fig. 3. So
`
`combining Sormunen with Guthrie does not address any alleged deficiency in
`
`Guthrie. And Guthrie expressly teaches away from using battery powered devices,
`
`like a mobile station. See Ex. 1007 at 1:61-63 (“Furthermore, the card requires a
`
`battery to energize its internal circuitry. Therefore, the card has a limited life, after
`
`which a new battery must be inserted.”). The declaration of Dr. Reiher should be
`
`afforded no weigh for this argument because the declaration does nothing more
`
`restate Petitioners’ argument without any additional supporting evidence or
`
`reasoning. Compare Pet. pp. 11-12 with Ex. 1002 ¶65 (Reiher declaration); Xerox
`
`Corp., et al. v. Bytemark, Inc., No. IPR2022-00624, Paper 9, pp. 15-16 (P.T.A.B.
`
`Aug. 24, 2022) (Precedential) (denying IPR institution – holding declaration is
`
`entitled to little weight when it contains an exact restatement of the petition’s
`
`arguments without any additional supporting evidence or reasoning).
`
`-18-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`Third, the Petition argues that “using Sormunen’s mobile station to request
`
`and receive Guthrie’s challenge further improves security by additionally verifying
`
`the user by their personal communication device.” See Pet., p. 12. That is because,
`
`according to Petitioners, the “only user-specific data Guthrie requires for requesting
`
`the challenge is the user account ID.” Id. (citing Ex. 1007, 7:60-63). But Petitioners
`
`fail to identify any evidence that requesting a challenge via a mobile station is more
`
`secure than requesting it via user account ID. See id. To the contrary, Sormunen
`
`itself allows for requesting user-authentication information over the Internet, without
`
`any mention of decreased security as a result of doing so. See Ex. 1018 at 6:12-17
`
`(“Further, the message can be sent by forming a data transmission connection to the
`
`Internet network, to the so-called WWW (World Wide Web) page of the information
`
`service 15 provider, and giving the user authentication data as well as the number of
`
`the mobile station, to which the authentication data is transmitted preferably in a
`
`short message.”). And as the petitioner in Unified Patents, LLC v. Dynapass IP
`
`Holdings, LLC noted, SIM swapping can be used to send/receive SMS messages,
`
`nullifying the alleged benefit put forth by Petitioners here. See Unified Patents, LLC
`
`v. Dynapass IP Holdings, LLC, No. IPR2023-00425, Paper 1 p. 32 (Jan. 6, 2023).
`
`Here again, the declaration of Dr. Reiher should be afforded no weigh for this
`
`argument because the declaration does nothing more restate Petitioners’ argument
`
`without any additional supporting evidence or reasoning. Compare Pet. pp. 12-13
`
`-19-
`
`

`

`IPR2023-00367
`Patent 6,993,658
`
`with Ex. 1002 ¶66 (Reiher declaration); Xerox Corp., et al. v. Bytemark, Inc., No.
`
`IPR2022-00624, Paper 9, pp. 15-16 (P.T.A.B. Aug. 24, 2022) (Precedential)
`
`(denying IPR institution – holding declaration is entitled to little weight when it
`
`contains an exact restatement of the petition’s arguments without any additional
`
`supporting evidence or reasoning).
`
`The Petition also argues that a POSITA would have had a reasonable
`
`expectation of success in combining Guthrie and Sormunen, by replacing the client
`
`computer of Guthrie with the “mobile station” of Sormunen. Pet., pp. 13-15.
`
`Petitioner argues that a POSITA would have had a reasonable expectation of success
`
`because “Guthrie’s server can receive and send short messages in the same way as
`
`Sormunen’s password server,” through ISDN li