`571-272-7822
`
`Paper 33
`Entered: July 12, 2024
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`UNIFIED PATENTS, LLC,
`Petitioner,
`v.
`DYNAPASS IP HOLDINGS LLC,
`Patent Owner.
`
`IPR2023-00425
`Patent 6,993,658 B1
`
`
`
`
`
`
`
`
`
`Before KEVIN F. TURNER, LYNNE H. BROWNE, and
`JASON M. REPKO, Administrative Patent Judges.
`BROWNE, Administrative Patent Judge.
`
`DECISION
`Final Written Decision
`Determining Some Challenged Claims Unpatentable
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`
`INTRODUCTION
`I.
`We have authority to hear this inter partes review under 35 U.S.C.
`§ 6. This Final Written Decision is issued pursuant to 35 U.S.C. § 318(a)
`and 37 C.F.R. § 42.73. For the reasons discussed below, we determine that
`Petitioner, Unified Patents, LLC has shown by a preponderance of the
`evidence that claim 5 of U.S. Patent No. 6,993,658 B1 (Ex. 1001, “the ’658
`Patent”) is unpatentable and has not shown by a preponderance of the
`evidence that claims 1, 3, 4, and 6 are unpatentable. See 35 U.S.C. § 316(e)
`(2018); 37 C.F.R. § 42.1(d) (2019).
`A. Procedural History
`The Petition (Paper 1, “Pet.” or “Petition”) requested inter partes
`review of claims 1 and 3–6 of the ’658 Patent. Patent Owner, Dynapass IP
`Holdings, LLC, filed a Preliminary Response. Paper 8. Based upon the
`record at that time, we instituted inter partes review on all challenged claims
`on the grounds presented in the Petition. Paper 9.
`After institution, Patent Owner filed a Response (Paper 13, “PO
`Resp.”), Petitioner filed a Reply (Paper 16, “Pet. Reply”), and Patent Owner
`filed a Sur-reply (Paper 19, “PO Sur-reply”).
`On April 16, 2024, an oral hearing was held. The transcript of this
`hearing was entered in the record of this proceeding as Paper 31 (“Tr.”).
`During the oral hearing, Petitioner, for the first time, asserted that Patent
`Owner
`the
`filed amended infringement contentions in one of
`corresponding District Court cases . . . which alleged that
`infringement of the claim passcode limitation is met by the
`password that the user uses for login or other information that is
`known to the user, such as the username or in termination that
`references or is an alias to the username.
`
`2
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`Tr. 12.
`On April 17, 2024, we ordered additional briefing on two questions:
`1) is it too late for Petitioner to file a copy of the infringement contentions
`argued at oral argument; and 2) if the infringement contentions are allowed
`to be entered, what if any, weight should we give to a position taken by
`Patent Owner in a different, albeit related, proceeding (i.e., district court
`litigation). Paper 27 (“Order”). Petitioner filed a Supplemental Brief (Paper
`28, “Pet. Supp.”), and Patent Owner filed a Response (Paper 30, “PO Resp.
`to Supp.”).
`B. Real Parties in Interest
`Petitioner identifies itself, Unified Patents, LLC, as the only real
`party-in-interest. Pet. 79. Patent Owner identifies itself, Dynapass IP
`Holdings LLC and DynaPass Inc., as the only real parties-in-interest.
`Paper 3, 1.
`C. Related Matters
`The parties identify the following as related district court matters:
`Dynapass IP Holdings LLC v. Regions Financial Corporation, 2:22-cv-
`00215 (EDTX 6-17-2022), Dynapass IP Holdings LLC v. JPMorgan Chase
`& Co., 2:22-cv-00212 (EDTX 6-17-2022), Dynapass IP Holdings LLC
`v. PlainsCapital Bank, 2:22-cv-00213 (EDTX 6-17-2022), Dynapass IP
`Holdings LLC v. Woodforest National Bank, 2:22-cv-00218 (EDTX 6-17-
`2022), Dynapass IP Holdings LLC v. Bank of America Corporation, 2:22-
`cv-00210 (EDTX 6-17-2022), Dynapass IP Holdings LLC v. Wells Fargo &
`Company, 2:22-cv-00217 (EDTX 6-17-2022), Dynapass IP Holdings LLC
`v. Truist Financial Corporation, 2:22-cv-00216 (EDTX 6-17-2022),
`Dynapass IP Holdings LLC v. PNC Financial Services, 2:22-cv-00214
`
`3
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`(EDTX 6-17-2022), Dynapass IP Holdings LLC v. BOKF, National
`Association, 2:22-cv-00211 (EDTX 6-17-2022), Dynapass Inc. v. Mobile
`Authentication Corporation, 8:18-cv-01173 (C.D. Cal. 7-3-2018). Pet. 80–
`81; Paper 3, 1–2.
`Patent Owner also identifies Bank of America, N.A. v. Dynapass IP
`Holdings LLC, IPR2023-00367 (filed January 3, 2022) as a related matter.
`Paper 3, 2.
`D. The ’658 Patent
`The ’658 Patent is titled “Use of Personal Communication Devices
`For User Authentication.” Ex. 1001, code (54). The invention “relates
`generally to the authentication of users of secure systems and, more
`particularly, the invention relates to a system through which user tokens
`required for user authentication are supplied through personal
`communication devices such as mobile telephones and pagers.” Id. at
`1:7–11.
`One embodiment of the invention provides a password setting system
`that includes a user token server and a communication module wherein a
`user token server generates a random token in response to a request for a
`new password from a user. Ex. 1001, 1:63–2:2. “The server creates a new
`password by concatenating a secret passcode that is known to the user with
`the token” and “sets the password associated with the user’s user ID to be
`the new password.” Id. at 2:2–6. A “communication module transmits the
`token to a personal communication device, such as a mobile phone or a
`pager carried by the user.” Id. at 2:6–8. Then, the user concatenates the
`secret passcode with the received token in order to form a valid password,
`which the user submits to gain access to the secure system. Id. at 2:8–11.
`
`4
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`Figure 1, reproduced below, “illustrates an overview, including
`system components, of a user authentication system 100 according to a
`preferred embodiment of the present invention.” Ex. 1001, 4:2–4.
`
`
`
`As shown in Figure 1, user authentication system 100 includes
`authentication Server 102, text messaging Service provider 104, personal
`communication device 106 carried by user 108, and secure system 110 to
`which the authentication system 100 regulates access. Id. at 4:9–13.
`“[P]ersonal communication device 106 is preferably a pager or a mobile
`phone having SMS (short message Service) receive capability.” Id. at 4:13–
`15. Secure system 110 can be “any system, device, account, or area to
`which it is desired to limit access to authenticated users.” Id. at 4:18–20.
`
`5
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`User authentication server 102 is configured to require that user 108
`supply authentication information through secure system 110 in order to
`gain access to secure system 110. Ex. 1001, 4:32–35. Authentication
`information provided by the user includes user ID 152, passcode 154 and
`user token 156. Id. at 4:36–37. User ID 152 may be publicly known and
`used to identify the user and passcode 154 is secret and only known to the
`user 108, whereas token 156 is provided only to user 108 by user
`authentication server 102 through personal communication device 106. Id.
`at 4:39–44. To gain access to secure system 100, user 108 combines token
`156 with passcode 154 to form password 158. Id. at 4:52–53. Thus, user
`108 needs to have personal communication device 106 in order to gain
`access to secure system 110. Id. at 4:46–48. Further, token 156 has a
`limited lifespan, such as 1 minute or 1 day. Id. at 4:44–45.
`E. Challenged Claims
`Petitioner challenges claims 1 and 3–6. Pet. 1. Claims 1 and 5,
`reproduced below with Petitioner’s identifiers included, are the independent
`claims at issue in this proceeding. Ex. 1001, 11:43–12:13, 12:20–47.
`Claims 3 and 4 depend from claim 1 and claim 6 depends from claim 5. Id.
`at 12:16–19, 12:48–52.
`1.
`[1.0] A method of authenticating a user on a first secure
`computer network, the user having a user account on said first
`secure computer network, the method comprising:
`[1.1] associating the user with a personal communication device
`possessed by the user, said personal communication device in
`communication over a second network, wherein said second
`network is a cell phone network different from the first secure
`computer network;
`
`6
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`[1.2] receiving a request from the user for a token via the
`personal communication device, over the second network;
`[1.3] generating a new password for said first secure computer
`network based at least upon the token and a passcode, wherein
`the token is not known to the user and wherein the passcode is
`known to the user;
`[1.4] setting a password associated with the user to be the new
`password;
`[1.5] activating access the user account on the first secure
`computer network;
`[1.6] transmitting the token to the personal communication
`device;
`[1.7] receiving the password from the user via the first secure
`computer network, and
`[1.8] deactivating access to the user account on the first secure
`computer network within a predetermined amount of time after
`said activating, such that said user account is not accessible
`through any password, via said first secure computer network.
`5.
`[5.0] A user authentication system comprising:
`[5.1] a computer processor,
`[5.2] a user database configured to associate a user with a
`personal communication device possessed by the user, said
`personal communication device configured to communicate
`over a cell phone network with the user authentication system;
`[5.3] a control module executed on the computer processor
`configured to create a new password based at least upon a token
`and a passcode, wherein the token is not known to the user and
`wherein the passcode is known to the user, the control module
`further configured to set a password associated with the user to
`be the new password;
`[5.4] a communication module configured to transmit the token
`to the personal communication device through the cell phone
`network, and
`
`7
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`[5.5] an authentication module configured to receive the
`password from the user through a secure computer network,
`said secure computer network being different from the cell
`phone network, [5.6] wherein the user has an account on the
`secure computer network, wherein the authentication module
`activates access to the account in response to the password and
`deactivates the account within a predetermined amount of time
`after activating the account, such that said account is not
`accessible through any password via the secure computer
`network.
`Ex. 1001, 11:43–12:13, 12:20–47.
`F. Prior Art and Asserted Grounds
`Petitioner asserts that claims 1 and 3–6 would have been unpatentable
`on the following grounds:
`Claim(s) Challenged
`35 U.S.C. §
`5
`103
`1, 3–6
`103
`
`Reference(s)/Basis
`Veneklase,1 Jonsson2
`Kew, 3 Sormunen4
`
`
`
`G. Evidence
`Petitioner supports its challenged with the Declaration of Bruce
`McNair (Ex. 1003) and the Supplement Declaration of Bruce McNair (Ex.
`1024). Patent Owner supports its Response with the Declaration of Rajeev
`Surati (Ex. 2003).
`H. Consideration of Infringement Contentions
`Petitioner contends that “(1) the Board may consider a party’s
`inconsistent positions from a different venue at the oral argument state of
`
`
`1 EP 0 844 551 A2, published May 27, 1998 (“Veneklase”) (Ex. 1005).
`2 WO 96/00485, published January 4, 1996 (“Jonsson”) (Ex. 1006).
`3 WO 95/19593, published July 20, 1995 (“Kew”) (Ex. 1007).
`4 WO 97/31306, published August 28, 1997 (“Sormunen”) (Ex. 1008).
`
`8
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`this proceeding; and (2) [Patent Owner’s] contradictory statements should be
`given significant weight.” Pet. Supp. 1. Petitioner contends that “[t]he
`Board has broad discretion as to the conduct of the proceeding, including for
`issues not specifically addressed by the rules, and “may waive or suspend a
`requirement . . . . and place conditions on the waiver or suspension,” citing
`37 C.F.R. §§ 42.5(a) and (b). Id.
`Turning to the specifics of this Proceeding and the Board’s first
`question for which additional briefing was authorized, Petitioner contends
`that it was Patent Owner’s “noncompliance with mandatory discovery (Rule
`42.51(b)(1)(iii)) and duty of candor” that led Petitioner to identify during
`oral argument what Petitioner asserts is Patent Owner’s inconsistent
`position. Id. Petitioner contends that while there is a general prohibition to
`the introduction of new evidence at an oral hearing, Patent Owner’s failure
`to serve amended infringement contentions (Ex. 1026) when it filed its Sur-
`reply was in violation of mandatory disclosure requirements and the duty of
`candor owed by parties to the Board. Id. Under these circumstances
`Petitioner contends the Board can and should waive this rule. Id. at 2 (citing
`Dell Inc. v. Acceleron, LLC, 884 F.3d 1364, 1369-70 (Fed. Cir. 2018)).
`In answer to the Board’s second question, Petitioner contends that
`“Ex. 1026 should be afforded significant weight because it refutes [Patent
`Owner’s] arguments and discredits its expert’s verbatim assertions, while
`supporting Kew’s disclosure of the claimed ‘passcode’ of limitation [5.3].”
`Pet. Supp. 2.
`Patent Owner responds that it complied with mandatory discovery and
`the duty of candor. PO Resp. to Supp. 1–3. Specifically, Patent Owner also
`responds that the “infringement contentions have been publicly available
`
`9
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`since December 8, 2023, on the EDTX docket in the JPMorgan Chase
`consolidated case (exhibits to Dkt. 153), more than four months before oral
`argument” and “that proceeding was identified as a related matter in Patent
`Owner’s Mandatory Notices.” Id. at 1 (citing Paper 3). Patent Owner
`further responds that Rule 42.51(b)(1)(iii) applies only to “relevant
`information that is inconsistent with a position advanced by the party during
`the proceeding” and that the rule does not apply in the present instance
`because “the infringement contentions do not contain an inconsistent
`position.” Id. at 2.
`Turning to the Board’s first question, Patent Owner contends that its
`position in the infringement contentions is not inconsistent with its position
`in this Proceeding because it has never argued that the claimed ‘passcode’
`could not be a username. Instead, Patent Owner argued that “the claimed
`‘passcode’ could not be Kew’s ‘user identification code.’” Id. at 3. Thus,
`Patent Owner contends that “it is too late for Petitioner to file a copy of the
`infringement contentions.” PO Resp. to Supp. 1.
`In answer to the Board’s second question, Patent Owner contends that
`“the infringement contentions should be afforded no weight because they do
`not contain an inconsistent position.” PO Resp. to Supp. 3.
`We agree with Patent Owner that it is too late for Petitioner to file a
`copy of the infringement contentions and argue that Patent Owner’s position
`in this Proceeding is inconsistent with its position in that proceeding.
`Petitioner had ample opportunity to raise its arguments about the
`infringement contentions well before the oral hearing. PO Resp. to Supp. 2.
`Patent Owner complied with our mandatory notice provision. Further, we
`agree with Patent Owner that its position in the infringement contentions is
`
`10
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`not inconsistent with its position in this proceeding. Paper 3, 1. For these
`reasons, we decline to exercise our authority under 37 C.F.R. § 42.5(b) to
`consider the infringement contentions and the new arguments during an oral
`hearing.
`
`II. ANALYSIS
`Principles of Law: Obviousness
`A.
`A claim is unpatentable as obvious under 35 U.S.C. § 103 if the
`differences between the subject matter sought to be patented and the prior art
`are such that the subject matter as a whole would have been obvious to a
`person having ordinary skill in the art to which said subject matter pertains.
`KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007). The question of
`obviousness is resolved on the basis of underlying factual determinations,
`including: (1) the scope and content of the prior art; (2) any differences
`between the claimed subject matter and the prior art; (3) the level of skill in
`the art; and (4) objective evidence of nonobviousness, i.e., secondary
`considerations.5 See Graham v. John Deere Co. of Kansas City, 383 U.S. 1,
`17–18 (1966).
`The Supreme Court has made clear that we apply “an expansive and
`flexible approach” to the question of obviousness. KSR, 550 U.S. at 415.
`Whether a patent claiming the combination of prior art elements would have
`been obvious is determined by whether the improvement is more than the
`predictable use of prior art elements according to their established functions.
`Id. at 417. Reaching this conclusion, however, requires more than a mere
`showing that the prior art includes separate references covering each
`
`
`5 The current record does not present or address any evidence of
`nonobviousness.
`
`11
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`separate limitation in a claim under examination. Unigene Labs., Inc. v.
`Apotex, Inc., 655 F.3d 1352, 1360 (Fed. Cir. 2011). Rather, obviousness
`requires the additional showing that a person of ordinary skill would have
`selected and combined those prior art elements in the normal course of
`research and development to yield the claimed invention. Id.
`B. Level of Ordinary Skill in the Art
`In determining the level of skill in the art, we consider the type of
`problems encountered in the art, the prior art solutions to those problems, the
`rapidity with which innovations are made, the sophistication of the
`technology, and the educational level of active workers in the field.
`Custom Accessories, Inc. v. Jeffrey-Allan Indus. Inc., 807 F.2d 955, 962
`(Fed. Cir. 1986); Orthopedic Equip. Co. v. U.S., 702 F.2d 1005, 1011
`(Fed. Cir. 1983).
`Petitioner contends that a person of ordinary skill in the art
`(“POSITA6”) “for the ’658 Patent would have had at least (1) an
`undergraduate degree in electrical and computer engineering or a closely
`related field; and (2) two or more years of experience in security. EX1001,
`generally; EX1003, ¶¶49-51.” Pet. 5. Patent Owner does not address the
`level of ordinary skill in the art. See generally PO Resp.
`Based on the record presented, including our review of the ’658 Patent
`and the types of problems and solutions described in the patent and the cited
`prior art, we adopt Petitioner’s assessment of the level of ordinary skill in
`the art and apply it for purposes of this Decision.
`
`
`6 Person of ordinary skill in the art.
`
`12
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`C. Claim Construction
`We apply the claim construction standard articulated in Phillips
`v. AWH Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc), and its progeny.
`Only terms that are in controversy need to be construed, and then only to the
`extent necessary to resolve the controversy. Nidec Motor
`Corp. v. Zhongshan Broad Ocean Motor Co. Matal, 868 F.3d 1013, 1017
`(Fed. Cir. 2017) (in the context of an inter partes review, applying Vivid
`Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999)).
`Petitioner states that “all terms should be given their plain meaning.”
`Pet. 6. Yet, Petitioner proposes claim construction for “cell phone network”
`and “[n]ot known to the user.” Pet. 9–13. 7 As these terms are not in
`controversy, we do not construe them.
`“Patent Owner contends that the Board instituted inter partes
`proceedings based, in part, on an incorrect interpretation of claim 5.”
`PO Resp. 9. Specifically, Patent Owner contends that “[t]he plain language
`of claim 5 requires activation of account access in response to generation of
`the claimed ‘new password.’” Id. (citing Ex. 2003 ¶¶ 65–67). Patent Owner
`contends further that “it follows, from the plain language of the claim, that
`creation of that password is a prerequisite to the ‘authentication module
`activat[ing] access to the account in response to the password.’” Id. at 10
`(citing Ex. 1001, 12:27–47; Ex. 2003 ¶¶ 65–67). In addition, Patent Owner
`contends that its “interpretation of claim 5 is also consistent with the
`preliminary construction issued by the Eastern District of Texas” and that we
`
`
`7 Petitioner also acknowledges that the Board may construe some limitations
`as means-plus-function limitations. Pet. 6.
`
`13
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`are “required to apply the same claim-construction standard as in Federal
`district court.” Id. at 11.
`Petitioner replies that Patent Owner’s “proposed construction
`improperly attempts to import limitations from the specification into the
`claims, and should be rejected.” Pet. Reply 1 (citing Phillips, 415 F.3d at
`1323). Petitioner replies further that “[n]onetheless, this construction has no
`bearing on the patentability of the challenged claims at least because . . . the
`prior art cited in the Petition renders the challenged claims obvious, even
`under the district court’s construction.” Id. Thus, according to Petitioner, “a
`construction of this term is not necessary to resolve this proceeding.” Id. at
`1–2 (citing Nidec Motor Corp. v. Zhongshan Broad Ocean Motor Co. Matal,
`868 F.3d 1013, 1017 (Fed. Cir. 2017)).
`Patent Owner responds by reiterating its argument that “[t]he Board
`should adopt the same claim construction as the court.” PO Sur-reply 1.
`For there reasons discussed in Section II.D.3 below, we agree with
`Petitioner that for Ground 1, the prior art cited in the Petition renders
`challenged claim 5 obvious, even under the district court’s construction.
`Pet. Reply 1. For the reasons discussed in Section II.D.4 below, Petitioner’s
`challenge is deficient regardless of our construction of this term.
`Accordingly, construction of the term is not necessary to resolve this
`proceeding.
`
`14
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`D. Patentability Challenges
`1. Prior Art
`a) Veneklase (Ex. 1005)
`Veneklase is a European Patent application published May 27, 1998.
`Petitioner asserts that Veneklase is prior art under pre-AIA 35 U.S.C. §
`102(a) and (b). Pet. 1.
`Veneklase’s “invention relates to a security and/or access restriction
`system . . . adapted to grant only authorized users access to a computer
`system and/or certain data.” Ex. 1005, 1:5–9. Veneklase is directed to
`preventing exposure and hacking of user passwords (id. at 2:2–21), theft of
`user access cards (id. at 2:22–37), and interception and decryption of
`encryption of keys (id. at 2:37-57). The invention provides “a technique to
`substantially prevent the unauthorized interception and use of transmitted
`data . . . by splitting the data into a plurality of separate communication
`channels, each of which must be ‘broken’ for the entire data stream to be
`obtained.” Id. at 3:3–11.
`In Veneklase’s system individual 18, desiring access to and within
`computer 80, utilizes a first communication channel 82 (e.g., a first
`telephone line, radio channel, and/or satellite channel) and communicates,
`by use of his or her voice or by use of a computer 19, a first password to
`analyzing means 12. Ex. 1005, 6:5–10. “Analyzing means 12 then checks
`and/or compares this first received password with a master password list
`which contains all of the authorized passwords associated with authorized
`entry and/or access to computer 80.” Id. at 6:10–14. If the received
`password matches an entry of the master password list, analyzing means
`12 causes the random code generation means 14 to generate a pseudo-
`
`15
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`random number or code and to transmit the number and/or code via a second
`communications channel 84, to the individual 85 associated with the
`received password 202 in the master password list. Id. at 6:27–37. “Once
`the pseudo-random number is received by the analyzing means 12, from
`channel 82, it is compared with the number generated by generation means
`14.” Id. at 6:51–54. If the two codes are substantially the same, entry to
`computer 80 or to a certain part of computer 80 such as the hardware,
`software, or firmware portions of computer 80 is granted to individual 18.
`Id. at 6:54–58.
`b) Jonsson (Ex. 1006)
`Jonsson is a Patent Cooperation Treaty application published January
`4, 1996. Petitioner asserts that Jonsson is prior art under pre-AIA 35
`U.S.C. § 102(a) and (b). Pet. 1.
`Jonsson provides an authentication procedure wherein the user carries
`a personal unit not limited to use with or physically connected to a terminal
`of any one specific electronic service. Ex. 1006, 2:30–34. Jonsson’s
`personal unit includes a receiver for receiving a transmitted challenge code
`and an algorithm unit which processes the challenge code, a user input such
`as a personal identification number (PIN) or electronically recognizable
`signature, and an internally stored security key for calculating a response
`code according to a pre-stored algorithm. Id. at 6:24–29.
`c) Kew (Ex. 1007)
`Kew is a Patent Cooperation Treaty application published July 20,
`1995. Petitioner asserts that Kew is prior art under pre-AIA 35 U.S.C. §
`102(a) and (b). Pet. 1.
`
`16
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`Kew’s invention relates to a method for “preventing unauthori[z]ed
`access to a host computer system.” Ex. 1007, 1:3–5. Specifically, Kew
`describes a “method of preventing unauthorized access to a host computer
`system by a user at a remote terminal.” Id. at 1:21–23. In Kew’s method the
`host computer system accepts a user identification code input to the terminal
`by the user and generates a random code (Code A). Id. at 1:24–26. Using a
`transformation algorithm, Kew’s computer system transforms Code A to
`transformed Code B. Id. at 1:27–30. The computer system also transmits
`Code A to user’s receiver which transform’s Code A to transformed Code C.
`Id. at 1:31–34. The user inputs Code C into the remote terminal and the
`computer system compares Code B with Code C, and if the Codes match
`permits access to the host computer system. Id. at 1:36–2:3.
`d) Sormunen (Ex. 1008)
`Sormunen is a Patent Cooperation Treaty application published
`August 28, 1998. Petitioner asserts that Sormunen is prior art under
`pre-AIA 35 U.S.C. § 102(a) and (b). Pet. 1.
`Sormunen’s “invention relates to a method and system for obtaining at
`least one item of user specific authentication data, such as a password and/or
`a user name.” Ex. 1008, 1:3–5. Sormunen discloses the use of mobile
`communication systems including cellular systems, paging systems, and
`mobile phone systems. Id. at 4:36–5:1.
`2. Ground 1: Alleged Obviousness of Independent Claim 5 Based on
`the Combined Teachings of Veneklase and Jonsson
`Petitioner asserts that claim 5 is unpatentable over the combined
`teachings of Veneklase and Jonsson. Pet. 13. Petitioner addresses each
`limitation of claim 5 and provides the testimony of Dr. McNair in support of
`
`17
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`its position with respect to each limitation. Pet. 17–46; Ex. 1003 ¶¶ 71–111.
`Patent Owner does not contest Petitioner’s assertions for limitations [5.0]–
`[5.2] of claim 5. For these uncontested limitations, we have considered
`Petitioner’s evidence and arguments, including the relevant testimony of Dr.
`McNair, and find it to be sufficient to show by a preponderance of the
`evidence that Veneklase, either alone or in combination with Jonsson,
`teaches or suggests these limitations. Accordingly, we focus our discussion
`on contested limitations [5.3]–[5.6] and Patent Owner’s arguments regarding
`these limitations.
`a) Limitation [5.3]: a control module executed on the computer
`processor configured to create a new password based at least
`upon a token and a passcode, wherein the token is not known
`to the user and wherein the passcode is known to the user, the
`control module further configured to set a password associated
`with the user to be the new password;
`(1) Petitioner’s Assertions
`Petitioner asserts that “Veneklase in combination with Jonsson teaches
`this limitation.” Pet. 26 (citing Ex. 1003 ¶¶ 83–90). Regarding Veneklase,
`Petitioner asserts that Veneklase discloses assigning a password to the user;
`receiving the password by use of a first communication channel; generating
`a code in response to the received password; transmitting the code to the
`user via a second communications channel; transmitting the code to the
`computer; and allowing access to the computer only after the code is
`transmitted to the computer. Id. (citing Ex. 1005, 4:8–15).
`Specifically, Petitioner asserts that “Veneklase discloses a
`user/password check module (i.e., a control module) located on the host
`computer system 402 (i.e., the computer processor)” and that the
`“user/password check module assigns two passwords, one that is known to
`
`18
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`the user and one that is not previously known to the user.” Pet. 26–27
`(citing Ex. 1005, Fig. 6). 8 Petitioner asserts further that “[w]hile Veneklase
`teaches an authentication system in which the user inputs both a token that is
`not known to the user beforehand (e.g., the random code) and a passcode
`that is known to the user (e.g., the received password), it does not disclose
`creating a new password based on those two items.” Id. at 28.
`Turning to Jonsson, Petitioner asserts that Jonsson discloses an
`authentication system that “includes a service node that ‘generates a
`challenge code and requests that the challenge code be sent to the personal
`unit 20 via an authentication challenge network 28’” and that “[t]his
`challenge code generated by the system is a token because it is not known to
`the user before it is generated and sent to the user.” Pet. 28 (citing Ex. 1006,
`4:24–5:6; Ex. 1003 ¶¶ 86–87). Petitioner asserts further that “Jonsson
`discloses the use of a ‘user input such as a personal identification number
`(PIN),’ which by its very nature of being a user defined input, is known to
`the user beforehand” and that “Jonsson discloses an algorithm that
`‘calculates a response code [e.g., new password] based on the received
`challenge code [e.g., token], the user input (e.g., PIN) [e.g., passcode], and
`optionally [a] secret key.’” Pet. 29 (citing Ex. 1006, 3:3–10, 7:5–10, 8:12–
`14, 9:23–25).
`Petitioner asserts that it would have been obvious to combine
`Veneklase’s token and passcode to “create a new password based on both of
`them.” Id. at 28. Petitioner then asserts that “Veneklase’s authentication
`system would incorporate Jonsson’s teachings related to using an algorithm
`
`
`8 Here and for the remainder of this decision, we do not reproduce the
`colored font or bold emphasis used in the Petition.
`
`19
`
`
`
`IPR2023-00425
`Patent 6,993,658 B1
`to create a new password (e.g., response code) based on a known passcode
`(e.g., the received password/PIN) and an unknown token (e.g., the random
`code/challenge code).” Id. at 30 (citing Ex. 1003 ¶¶ 83–89). Thus,
`according to Petitioner,
`Veneklase in combination with Jonsson teaches a control module
`(e.g., user/password check module) executed on the computer
`processor configured to create a new password (e.g., assigning
`a password to the user) based at least upon a token (e.g., random
`code) and a passcode (e.g., received password), wherein the
`token is not known to the user (e.g., generated by the system) and
`wherein the passcode is known to the user (e.g., received from
`the user), the control module further configured to set a
`password associated with the user to be the new password (e.g.,
`set an expected response code).
`Id. (citing Ex. 1003 ¶¶ 83–90).
`In support of these assertions, Petitioner reasons that “[a] POSITA
`would have been motivated to make such a combination because having
`only the one password transmitted via the computer system is more efficient
`and secure.” Pet. 31 (citing Ex. 1003 ¶ 91). According to Petitioner,
`“Veneklase’s system allows for authentication through user input of a known
`and unknown code at separate times in a two-step process, while a POSITA
`would look to Jonsson because it would provide the added benefit of
`reducing the steps to a single step and thus reducing the amount of time
`required for the authentication process.” Id. Petitioner reasons further that
`“a POSITA would have been motivated to make such a combination because
`implementing Veneklase’s authentication system with the algorithm of
`Jonsson’s system provides an additional layer of sec