UNITED STATES PATENT AND TRADEMARK OFFICE
`
`———————
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`———————
`
`UNIFIED PATENTS, LLC
`
`Petitioner
`
`- v. –
`
`DYNAPASS HOLDINGS, LLC
`
`Patent Owner
`
`———————
`
`IPR2023-00425
`
`U.S. Patent 6,993,658
`
`SUPPLEMENTAL DECLARATION OF BRUCE MCNAIR
`
`
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 1 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`TABLE OF CONTENTS
`Introduction ..................................................................................................... 3
`
`GROUND 1 ..................................................................................................... 5
`
`I.
`
`II.
`
`A.
`
`B.
`
`C.
`
`Limitation [5.3] “a control module . . . configured to create a
`new password based at least upon a token and a passcode” ................. 5
`Limitation [5.4] “a communication module configured to
`transmit the token to the personal communication device
`through the cell phone network;” ......................................................... 9
`Limitation [5.5] “an authentication module configured to
`receive the password from the user through a secure computer
`network,” ............................................................................................ 10
`Limitation [5.6] “wherein the authentication module activates
`access to the account in response to the password and
`deactivates the account within a predetermined amount of time
`after activating the account, such that said account is not
`accessible through any password via the secure computer
`network,” ............................................................................................ 11
`III. GROUND 2 ................................................................................................... 15
`
`D.
`
`A.
`
`B.
`
`C.
`
`Limitation [5.3]- the “passcode” ......................................................... 15
`Limitation [5.6] “activates access to the account in response to
`the password” ...................................................................................... 20
`Limitation [5.6] “deactivates the account within a
`predetermined amount of time after activating the account, such
`that said account is not accessible through any password via the
`secure computer network” .................................................................. 21
`Limitation [1.2] “receiving a request from the user for a token
`via the personal communication device, over the second
`network” ............................................................................................. 27
`IV. Conclusion .................................................................................................... 28
`
`D.
`
`i
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 2 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`I, Bruce McNair, do hereby declare as follows:
`
`I.
`
`INTRODUCTION
`
`1.
`
`I have been asked to respond to certain opinions in Patent Owner’s
`
`Response (POR), Paper 13, in this proceeding. As with my previous declaration,
`
`EX1003, in forming the opinions expressed in this declaration, I relied upon my
`
`education and experience in the relevant field of art and have considered the
`
`viewpoint of a Person of Ordinary Skill in the Art (“POSITA”), as of March 6, 2000,
`
`the priority date of U.S. Patent 6,993,658 (“the ’658 patent”). I have also relied on
`
`the following exhibits:
`
`Exhibit No.
`
`Description
`
`1001
`
`U.S. Patent 6,993,658
`
`1002
`
`Prosecution History File of Application 09/519,829
`
`1005
`
`1006
`
`European Patent Application No. 084451 to Veneklase
`(“Veneklase”)
`PCT Patent Publication No. WO 96/00485 to Jonsson (“Jonsson”)
`
`1007
`
`PCT Patent Publication No. WO 95/19593 to Kew (“Kew”)
`
`1008
`
`1009
`
`PCT Patent Publication No. WO 97/31306 to Sormunen
`(“Sormunen”)
`Li Gong, “Optimal Authentication Protocols Resistant to
`Password Guessing Attacks," Proceedings The Eighth IEEE
`
`1
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 3 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`Computer Security Foundations Workshop, 1995, pp. 24-29, doi:
`10.1109/CSFW.1995.518549.
`U.S. Patent 3,938,091
`
`IETF RFC2289, “A One-Time Password System,” February 1989,
`available at https://www.rfc-editor.org/rfc/rfc2289.html
`U.S. Patent 5,276,444
`
`S.A. Sherman, R. Skibo, R.S. Murray, “Secure Network Access
`Using Multiple Applications of AT&T’s Smart Card,” AT&T
`Technical Journal, September/October 1994
`Lt. Gen. Charles R. Myers, “Vietnam Studies: Division-Level
`Communications, 1962-1973”, US Department of the Army, 1982,
`Ch. 8, retrieved from https://history.army.mil/catalog/pubs/90/90-
`11.html December 13, 2022.
`Z. J. Haas and S. Paul, "Limited-lifetime shared-access in mobile
`systems," Proceedings IEEE International Conference on
`Communications ICC '95, 1995, pp. 1404-1408 vol.3, doi:
`10.1109/ICC.1995.524434
`Mobivity, A Brief History of Text Messaging, Sept. 27, 2012,
`available at https://www.mobivity.com/mobivity-blog/a-brief-
`history-of-text-messaging
`Microsoft Computer Dictionary (5th ed. 2002)
`
`1010
`
`1011
`
`1012
`
`1013
`
`1014
`
`1015
`
`1016
`
`1018
`
`1019
`
`U.S. Patent 7,058,974
`
`1020
`
`U.S. Patent 5,559,505
`
`1021
`
`“Viet Nam Studies – Division-Level Communications 1962-
`1973,” Department of the Army, CMH PUB 90-11, 1982.
`
`2
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 4 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`1022
`
`1023
`
`"Recent-secure authentication: enforcing revocation in distributed
`systems," Proceedings 1995 IEEE Symposium on Security and
`Privacy, Oakland, CA, USA, 1995, pp. 224-235, doi:
`10.1109/SECPRI.1995.398935
`"A class of flexible and efficient key management protocols,"
`Proceedings 9th IEEE Computer Security Foundations Workshop,
`Kenmare, Ireland, 1996, pp. 2-8, doi:
`10.1109/CSFW.1996.503685
`
`II. GROUND 1
`
`2.
`
`Patent Owner makes several arguments in an attempt to distinguish
`
`from the Veneklase/Jonsson combination. However, the fundamental error in Patent
`
`Owner’s analysis is that it fails to understand the cited references from the
`
`perspective of a POSITA. As I explained in my previous declaration, EX1003, when
`
`the combination of the disclosure of Veneklase and Jonsson is viewed from the
`
`perspective of a POSITA, claim 5 is obvious.
`
`3.
`
`Patent Owner disputes the application of Venkelase and Jonsson to
`
`certain limitations of claim 5. I address each of the challenged limitations below.
`
`Limitation [5.3] “a control module . . . configured to create a new
`A.
`password based at least upon a token and a passcode”
`
`4.
`
`Patent Owner alleges that modifying Veneklase with the teaching of
`
`Jonsson to allow for the transmission of the password only one time would “violate
`
`Veneklase’s principle of operation” because the two-step authentication is a “key
`
`3
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 5 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`feature” of Veneklase. I disagree. The modified system would still allow for
`
`multiple levels of security. In particular, the modified system includes entering the
`
`PIN (e.g., passcode) only one time after a request for authorization is initiated.
`
`However, the entry of the PIN is only done after the receipt of a challenge code, as
`
`taught by Jonsson. Thus, the PIN is only entered once into the personal unit 20 and
`
`is not transmitted, which prevents interception. Rather, the PIN is entered into the
`
`user’s device and a response code is generated based on the received challenge
`
`code, [and] the user input (e.g., PIN) .” EX1006, 8:12-14. To be clear, this method
`
`is more efficient than the process of Veneklase because it saves the user from
`
`having to manually enter both the PIN and the challenge code. That is, the method
`
`of Jonsson calculates and sends the response code (e.g., password) after receipt of
`
`the challenge code and the single entry of the PIN.
`
`5. While the modification necessarily changes how Veneklase would
`
`operate, it still accomplishes Veneklase’s goal of preventing unauthorized access
`
`and adds advantages. In particular, I note that incorporating Jonsson’s teaching to
`
`only require entry of the PIN to the user’s device provides added security over
`
`sending the PIN over a communication channel where it can be intercepted.
`
`6.
`
`The portion of Veneklase cited by Patent Owner relates to notifying
`
`the user that someone is seeking access to the system with the password. The
`
`proposed modification would also notify the user that someone is seeking access
`
`4
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 6 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`because the user would receive a challenge code (e.g., token), which would alert
`
`the user that someone is seeking access to the account.
`
`7.
`
`Patent Owner also concludes that the combined system would be
`
`“more prone to Denial of Service (DoS) attacks.” This argument is a red herring.
`
`For example, a POSITA would have understood a a DoS attack as:
`
`characterized by an explicit attempt by attackers to prevent
`legitimate users of a service from using that service. DoS attacks are
`aimed at devices and networks with exposure to the Internet. Their
`goal is to cripple a device or network so that external users no longer
`have access to network resources. Without hacking password files
`or stealing sensitive data, a denial-of-service hacker simply fires
`up a program that will generate enough traffic to a particular site that
`it denies service to the site's legitimate users.
`
`EX1019, 1:14-23. Patent Owner’s own evidence confirms this understanding:
`
`Computerized assault, usually planned, that seeks to disrupt Web
`access. A denial of service attack can occur in a number of forms.
`The most common form of attack is to overwhelm an Internet
`server with connection requests that cannot be completed. This
`causes the server to become so busy attempting to respond to the
`attack that it ignores legitimate requests for connections. One
`example of this type of attack, known as a SYN flood, inundates the
`server’s entry ports with false connection messages. Another,
`known as the Ping of Death, sends a ping command with an
`oversized IP packet that causes the server to freeze, crash, or restart.
`
`5
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 7 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`Other forms of denial of service attacks include the destruction or
`alteration of a server’s configuration data, such as router
`information; unauthorized access to physical components of a
`system; and the sending of large or invalid data that causes a system
`to crash or freeze. See also packet, Ping of Death, SYN flood.
`
`EX1018, p. 173.
`
`8.
`
`The problems of DoS attacks on authentication systems have been
`
`known long before either of the prior art references or the patent filing. I have
`
`personal experience in addressing the long-known problem of attackers creating a
`
`DoS by repeated invalid access attempts. See, e.g., McNair, US Patent 5,559,505
`
`“Security System for Providing Lockout for Invalid Access Attempts,” granted
`
`September 24, 1996, EX1020. Jonsson does not exacerbate this problem but, in
`
`fact, acknowledges the fact that there may very well be invalid access attempts,
`
`e.g., in Claim 22 “permitting access to said service only when a result of said
`
`comparison of said response code generated by said personal unit to said expected
`
`response code is acceptable.” The ’658 patent only appears to address how to
`
`process access requests when the requests are valid. Only in the Background
`
`(1:29-31) does the ’658 patent even briefly acknowledge the actions of hackers
`
`guessing passwords. Nowhere, not in the flow chart diagrams, in the written
`
`description, or claims does it address the necessary system actions when an invalid
`
`access attempt is made, thus failing to consider or address any potential DoS issues
`
`6
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 8 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`- well known, unfortunate side effects of authentication systems.
`
`9.
`
`I note that Veneklase fairs no better in dealing with the problem of
`
`DoS attacks. There is no disclosure in Veneklase that would lessen the chances of a
`
`DoS attack. The use of Veneklase’s two passwords does not lessen the chance of a
`
`DoS attack because a hacker would still trigger DoS through repeated invalid
`
`access attempts, thereby overwhelming the system and preventing authorized users
`
`from gaining access, i.e., a DoS attack.
`
`10.
`
`Finally, Patent Owner asserts that Veneklase’s teaching of an
`
`algorithm for additional security is not an explicit teaching, suggestion, or
`
`motivation for combining Veneklase with Jonsson’s teachings. I disagree. A
`
`POSITA would have understood that Veneklase’s specific teaching of using
`
`algorithms to enhance security would have provided a suggestion to employ other
`
`algorithms related to security in order to further Veneklase’s explicitly stated goal
`
`to “ensure that only authorized users gain access to a computer system.” EX1005,
`
`3:31-33. Patent Owner’s rationale is akin to saying that a POSITA would not be
`
`motivated to modify a security system that utilizes one type of lock, e.g., a
`
`padlock, by using another type of lock, e.g., a combination lock.
`
`Limitation [5.4] “a communication module configured to transmit
`B.
`the token to the personal communication device through the cell phone
`network;”
`
`11.
`
`I note that this limitation is directed to the communication module, but
`
`7
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 9 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`Patent Owner appears to attack the method of identifying a user’s device. In
`
`particular, Patent Owner argues that the inability to look up a phone number
`
`somehow negates the combination. I do not agree with this assertion as there
`
`would not be a requirement to look up a phone number in the combination with
`
`Jonsson. In particular, Jonsson discloses:
`
`A user initiates a service access through terminal 22 by transmitting
`the request over a service access network 24 to a service node 26.
`The service node 26 does not immediately initiate the services
`offered. Rather, it generates a challenge code or causes a challenge
`code to be generated in an authentication center 30. The challenge
`code is sent over an authentication challenge network 28 to the
`personal unit.
`
`Ex. 1006, 9:2–8; also 10:13–27, Fig. 3. Thus, in the combination, there is no need
`
`to look up a phone number in the combination.
`
`12.
`
`Patent Owner also reiterates its arguments regarding DoS attacks. For
`
`the same reasons I discuss above, a POSITA would not have understood that
`
`Veneklase was any more effective at avoiding or stopping DoS attacks.
`
`Limitation [5.5] “an authentication module configured to receive
`C.
`the password from the user through a secure computer network,”
`
`13.
`
`Patent Owner states that because Veneklase’s system uses “off the
`
`shelf” and readily available components, that it would not be capable of
`
`performing the software implemented methods of Jonnson. This is contradicted by
`
`8
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 10 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`the express disclosure of Jonnson that “the capacity for performing the necessary
`
`calculations exists in conventional cellular telephones and personal communication
`
`units, allowing the present invention to be implemented through software.”
`
`EX1006, 7:21-31. Patent Owner attempts to distinguish from this clear teaching
`
`by citing the preceding sentence describing a preferred embodiment where the
`
`personal unit is a separate unit. However, a POSITA would have understood from
`
`the express teachings of Jonsson that conventional pagers are capable of running
`
`software to execute algorithms, such as Jonsson’s. Further, Veneklase already
`
`discloses that its pager unit executes algorithms. EX1005, 9:26-10:11. Thus, a
`
`POSITA would have understood that the pager of Veneklase was capable of
`
`performing the algorithms of Jonsson.
`
`Limitation [5.6] “wherein the authentication module activates
`D.
`access to the account in response to the password and deactivates the
`account within a predetermined amount of time after activating the
`account, such that said account is not accessible through any password
`via the secure computer network,”
`
`14.
`
`Patent Owner makes four separate arguments with respect to this
`
`limitation. I address each below.
`
`15. First, Patent Owner alleges that Veneklase does not activate access in
`
`response to the creation of the password. As an initial matter, the claim does not
`
`include the language “creation of” or any variation thereof. Thus, my previous
`
`declaration demonstrated how Veneklase activates access to the account (e.g.,
`
`9
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 11 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`allows access) in response to the entry of the password. I am informed that a
`
`district court has interpreted this limitation to include the words “the creation of”
`
`such that the court’s interpretation of this limitation is “activates access to the
`
`account in response to the creation of the password.” While I disagree with this
`
`interpretation injecting extraneous words into the claim, it does not change the fact
`
`that the combination of Veneklase and Jonnson discloses this limitation even under
`
`the court’s interpretation.
`
`16. Patent Owner is taking the position that “activates access” is
`
`something that happens before access is granted. However, this is a gratuitous
`
`point, as access to the account has to be activated in order for the created password
`
`to work, i.e, the account is accessed. In other words, the account cannot be used
`
`when the account is deactivated. I am not aware of any system that does not
`
`“activate access” to the account when generating a new password as this would
`
`undermine the purpose of generating a new password, i.e., accessing an account.
`
`17.
`
`Jonsson discloses creating “an expected response code,” (e.g.,
`
`password) , at which point access to the account is activated, and access is granted
`
`when the “expected response code” matches the received response code. Ex.1006,
`
`10:2-5. In particular, a POSITA would have understood that the “expected”
`
`response code indicates that the account access is activated because it is awaiting a
`
`response. As such, Jonsson teaches activating access to the account in response to
`
`10
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 12 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`the creation of the password under the district court’s interpretation.
`
`18.
`
`In addition, Jonsson discloses that “the challenge code and the
`
`response is unique for each transaction.” EX1006, 3:16-18. A POSITA would have
`
`understood this disclosure to mean that account access is not activated prior to the
`
`sending of the challenge code to the user and the creation of the expected response
`
`code (e.g., password) because prior response codes would not have worked. In
`
`other words, until the unique challenge code and unique expected response code
`
`are created and sent for a particular transaction, there is no access to the account.
`
`19. Second, Patent Owner alleges that the claimed predetermined amount
`
`of time is the timeframe between activation and deactivation of the account.
`
`However, Patent Owner mistakes the “predetermined amount of time after
`
`activating the account” to mean the entire period after account access is activated.
`
`Rather, a POSITA would have understood that this claim limitation simply means
`
`any predetermined period after activation. In the combined system of Veneklase
`
`and Jonsson, the predetermined period would include the time from receiving the
`
`challenge code (at or after account activation, as discussed above) and the sending
`
`of the response code, which would be governed by Veneklase’s teaching that the
`
`password must be “received within a predetermined period of time.” EX1005,
`
`8:40-49.
`
`11
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 13 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`20. Third, Patent Owner alleges that “because the Petition alleges that the
`
`“predetermined period of time” begins with “receipt of the token (e.g., randomly
`
`generated challenge code) ” by “pager 420,” it would be the “personal
`
`communication device,” not the “authentication module” (i.e., “code compare
`
`module 416” in the “host computer”) that activates access to the account.” This is
`
`again based on a misunderstanding of the claim limitation that the predetermined
`
`amount of time must include the entire time from activation of the account to
`
`deactivation of the account. However, as discussed above, this is simply not what
`
`the claim recites. Rather, the claim recites “deactivates the account within a
`
`predetermined amount of time after activating the account.” Thus, the
`
`predetermined amount of time begins at some point after activation. Accordingly,
`
`this limitation is met by Veneklase’s teaching that the password must be “received
`
`within a predetermined period of time” (EX1005, 8:40-49) applied to Jonsson’s
`
`sending of the response code after receiving the challenge code EX1005, 8:40-49.
`
`Thus, the “authentication module” (i.e., “code compare module 416” in the “host
`
`computer”) is responsible for account deactivation.
`
`21. Finally, Patent Owner alleges that “the predetermined period of time”
`
`varies by when the user decides to send back the response code. This completely
`
`ignores Veneklase’s teaching that the password must be “received within a
`
`predetermined period of time.” As explained above, the combination of Veneklase
`
`12
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 14 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`and Jonsson meets the deactivation limitation. EX1005, 8:40-49.
`
`III. GROUND 2
`
`22.
`
`Patent Owner makes several arguments in an attempt to distinguish
`
`from the combination of Kew and Sormunen. Again, Patent Owner’s analysis fails
`
`to understand and apply the teachings of the cited references from the perspective of
`
`a POSITA. Patent Owner’s arguments are limited to limitations [5.3], [5.6], and
`
`[1.2], which I address below.
`
`A.
`
`23.
`
`Limitation [5.3]- the “passcode”
`
`In my previous declaration, I identified the User ID/IdentityCode as the
`
`“passcode” limitation. The reason for this is simple, as the disclosure of Kew
`
`requires the use of a user-known “identification code” to allow for the identification
`
`of the correct “identity code,” which is used to generate the password. In particular,
`
`a POSITA would have understood that the “identity code” “corresponds” to a user-
`
`known identification code, which is entered by the user during the authentication
`
`process. EX1007, 3:1-6; 8:2-9. For example, Kew states:
`
`When the user enters his user identification code, the host
`computer system identifies the corresponding transformation
`algorithm in a database from the code and transforms the random
`code (Code A) to a new Code B in such a manner that the Code C,
`produced by the user's receiver from the transmitted code, will be
`identical to Code B with which it is compared. Thus, only a user
`both with knowledge of the user identification code and holding the
`
`13
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 15 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`corresponding receiver can gain access to the host system. The
`transformation algorithms associated with each receiver may be
`completely different, or may be the same base algorithm which is
`convoluted with a code corresponding to the user's identification
`code so as to generate characteristic transformed codes.
`EX1006, 2:28-3:6.
`When the user seeks access to the host system 1 via the terminal 2 ,
`he enters his user identification code. This code may take any
`suitable form, for example his actual name or preferably a more
`secure code such as a PIN. The security server 5 includes a database
`of all authorised users and their authorised receiver units 6, and
`identifies the corresponding identity code for the appropriate
`receiver unit 6. The security server 5 then generates a random
`code (Code A) and subjects this number to an encryption using the
`same one-way algorithm as is stored in the user's receiver 6
`together with the corresponding identity code. In this way a
`transformed code (Code B) is produced.
`
`EX1006, 7:34-8:10.
`
`24. A POSITA would have readily understood that both the user ID and the
`
`“corresponding identity code” are used to generate a password in the event that they
`
`are not identical. In particular, I cited both the user identity code (user ID) and the
`
`corresponding identity code to demonstrate that a Code B (e.g., password) is
`
`generated based on: 1) Code A (e.g., token) and 2) the user ID and the
`
`“corresponding identity code” (e.g., passcode) . A POSITA would have understood
`
`14
`
`
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 16 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`that the “corresponding identity code” is linked with the user ID such that the user
`
`ID (known to the user) is necessary to identify the identity code in instances when
`
`they are not the same. Thus, in order for the process of Kew to function, the
`
`password (Code B) must be based on at least the user ID provided by the user.
`
`25.
`
`This process is illustrated in Ex. 1007, Fig. 2, which I previously
`
`cited:
`
`26. As shown above, and explained in Kew, FIG. 2 shows how new
`
`password Code B is created based on both the User ID/Identity Code (passcode) and
`
`randomly generated Code A. A POSITA would appreciate that the User ID is
`
`involved in the generation of the password, as the process of generating Code B
`
`cannot begin without the User ID to identify the correct algorithm associated with
`
`the Identity Code of the device. Thus, a POSITA would have understood that the
`
`password generated by Kew is “based on” the User ID at least because it cannot be
`
`generated without out the User ID, and is also “based on” the identity code because
`
`that is what is used to identify the algorithm used by the receiver.
`
`15
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 17 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`27.
`
`Patent Owner also asserts that “identity code” would not be known to
`
`the user. However, Patent Owner’s arguments relate to the programming of the
`
`receiver and do not support a conclusion that the identity code would not be known
`
`to the user. The programming of the receiver and storage of the identify code in the
`
`EPROM is not relevant to whether the user has knowledge of the identity code.
`
`Also, the reprogramming of the EPROM using ultraviolet light is similarly
`
`irrelevant to whether the user knows the identity code. EPROM means “erasable
`
`programmable read-only memory.” This meaning says nothing about who can
`
`read the memory, just that it cannot be written to (without having been first erased
`
`using ultraviolet light) . Nothing about the design of the EPROM storage of the
`
`“identity code” prevents the user from knowing its contents or value. Indeed, as the
`
`name indicates, EPROM is necessarily readable.
`
`28. Kew does not say that the identity code is unknown to the user, and
`
`Patent Owner does not give any reason why the identity code would be secret or
`
`hidden from the user. Rather, a POSITA would have understood that it would be
`
`practical for the user know the identity code. For example, if the user were to
`
`forget his user ID, the user would need to use the identity code as a back-up
`
`verification in order for the system to locate the correct algorithm to produce a
`
`password. Otherwise, the receiver would be useless and the user would not be able
`
`to access the system. As noted by Patent Owner, reprogramming the EPROM
`
`16
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 18 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`requires exposing the chip to ultraviolet light, which is a process that would be
`
`impractical for a layperson user. Further, as Patent Owner indicates, changing the
`
`identity code would also require updating the database to also include the new
`
`identity code. As such, a POSITA reading Kew would not have concluded that the
`
`identity code was a secret, as such an interpretation would be impractical and
`
`provide no benefit to the user. Instead, a POSITA would have understood that it
`
`would have been beneficial for the user to know the identity code of the device to
`
`avoid the burdensome process of reprogramming the receiver in the event that the
`
`user forgets the PIN.
`
`29.
`
`I also note that there is no disclosure in Kew that prevents the user
`
`identification code from being the same as the identity code. In fact, Claim 1 of
`
`Kew supports such a situation, as the “input user identification code” is performing
`
`the same function as the identity code of identifying the transformation algorithm
`
`to generate Code B.
`
`1. A method of preventing unauthorised access to a host
`computer system (1) by a user at a remote terminal (2)
`comprising the steps of accepting a user identification code input
`to the terminal by the user; generating a random code (Code A) ;
`subjecting Code A to a transformation characteristic of a
`transformation algorithm identified by the input user
`identification code so as to generate a transformed code
`(Code B); transmitting Code A via a paging system (7) , to a
`receiver (6) held by the user, the receiver (6) comprising
`transformation means adapted to transform the received Code
`
`17
`
`UNIFIED PATENTS EXHIBIT 1024
`UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
`IPR2023-00425
`Page 19 of 29
`
`

`

`Supplemental Declaration of Bruce McNair
`U.S. Patent No. 6,993,658
`
`Thus, claim 1 of Kew supports the user ID as the same as the identity code.
`
`B.
`
`Limitation [5.6] “activates access to the account in response to the
`password”
`
`30.
`
`In my previous declaration, I demonstrated how Kew discloses that
`
`access to the account is activated in response to the password, as claimed. I am
`
`informed that a district court has interpreted this limitation to include the words
`
`“the creation of” such that the court’s interpretation of this limitation is “activates
`
`access to the account in response to the creation of the password.” While I disagree
`
`with this interpretation injecting extraneous words into the claim, it does not
`
`change the fact that Kew discloses this limitation even under the court’s
`
`interpretation. In particular, it appears that Patent Owner is taking the position that
`
`“activates access” is something that happens before access is granted. However,
`
`this is a gratuitous point, as access to the account has to be activated in order for
`
`the created password to work, i.e, access is granted. In other words, the account
`
`cannot be used when the account is deactivated. I am not aware of any system that
`
`does not “activate access” to the account when generating a new password as this
`
`would undermine the purpose of generating a new password, i.e., accessing an
`
`account.
`
`31. Kew disclos