IPR2023-01406
Patent 6,993,658

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

EXPERIAN INFORMATION SOLUTIONS, INC.,
Petitioner,
v.
DYNAPASS IP HOLDINGS, LLC
Patent Owner.

Inter Partes Review No. IPR2023-01406
Patent No. 6,993,658

PATENT OWNER’S PRELIMINARY RESPONSE TO THE PETITION FOR INTER PARTES REVIEW OF U.S. PATENT NO. 6,993,658 PURSUANT TO 37 C.F.R. § 42.107

Filed on behalf of Patent Owner by:

John Wittenzellner (Reg. No. 61,662)
1735 Market Street, Suite A #453
Philadelphia, PA 19103

Mark McCarthy (Reg. No. 69,575)
601 Congress Ave., Suite 600
Austin, TX 78701

WILLIAMS SIMONS & LANDIS PLLC

TABLE OF CONTENTS

I. INTRODUCTION
II. STATEMENT OF THE PRECISE RELIEF REQUESTED
III. THE PETITION SHOULD BE DENIED BECAUSE IT DOES NOT ESTABLISH A REASONABLE LIKELIHOOD OF SUCCESS ON ANY CHALLENGED CLAIM.
  A. The ’658 Patent
  B. Level of Ordinary Skill in the Art
  C. Claim Construction
  D. Ground 1 – The Combination of Sormunen and Perlman Does Not Render Obvious Claims 1-7 of the ’658 Patent.
    1. Independent Claim 1
      i. [1.c] “receiving a request . . . for a token . . . over the second network”
      ii. [1.d] “generating a new password . . . based at least upon the token and a passcode . . .”
      iii. [1.f] “activating access the user account on the first secure computer network”
      iv. [1.h] “receiving the password from the user via the first secure computer network”
      v. [1.i] “deactivating access to the user account . . . within a predetermined amount of time after said activating . . .”
    2. Dependent Claims 2-4
    3. Independent Claim 5
      i. [5.d] “a control module . . . configured to create a new password based at least upon a token and a passcode . . .”
      ii. [5.f] “an authentication module configured to receive the password from the user . . . wherein the authentication module activates access to the account in response to the password and deactivates the account within a predetermined amount of time after activating the account . . .”
    4. Dependent Claims 6 and 7
IV. THE BOARD SHOULD EXERCISE ITS DISCRETION TO DENY THE PETITION.
  A. The Board Should Exercise Its Discretion to Deny the Petition Under 35 U.S.C. § 314(a).
    1. General Plastic Factor One
    2. General Plastic Factor Two
    3. General Plastic Factor Three
    4. General Plastic Factors Four and Five
    5. General Plastic Factor Six and Seven
  B. The Board Should Exercise Its Discretion to Deny the Petition Under 35 U.S.C. § 325(d).
    1. The First Part of the Framework is Satisfied by Every Reference Asserted in the Petition.
    2. The Second Part of the Framework is Satisfied, So Institution Should be Denied.
V. THE PETITION SHOULD BE DENIED BECAUSE THE BOARD DOES NOT HAVE JURISDICTION OVER EXPIRED PATENTS.
VI. CONCLUSION

TABLE OF AUTHORITIES

Cases

Advanced Bionics, LLC v. MED-EL Elektromedizinische Geräte GmbH, IPR2019-01469, Paper 6 (P.T.A.B. Feb. 13, 2020) (precedential)
Apple Inc. v. Uniloc 2017 LLC, IPR2020-00854, Paper 9 (P.T.A.B. Oct. 28, 2020) (precedential)
Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131 (2016)
Ericsson Inc. v. Uniloc 2017, LLC, IPR2019-01550, Paper 8 (Mar. 17, 2020)
General Plastic Indus. Co. v. Canon Kabushiki Kaisha, IPR2016-01357, Paper 19 (P.T.A.B. Sept. 6, 2017) (precedential)
In re Ratti, 270 F.2d 810 (CCPA 1959)
Meiresonne v. Google, Inc., 849 F.3d 1379 (Fed. Cir. 2017)
NetApp Inc. v. Realtime Data LLC, IPR2017-01195, Paper 9 (P.T.A.B. Oct. 12, 2017)
Oil States Energy Servs., LLC v. Greene’s Energy Grp., LLC, 138 S. Ct. 1365 (2018)
Valve Corp. v. Electronic Scripting Products, Inc., IPR2019-00064, Paper 10 (P.T.A.B. May 1, 2019) (precedential)
Valve Corporation v. Electronic Scripting Products, Inc., IPR2019-00062, Paper 11 (P.T.A.B. April 2, 2019) (precedential)

Statutes

35 U.S.C. § 314
35 U.S.C. § 325

Other Authorities

MPEP § 2143

Rules

37 C.F.R. § 42.100

EXHIBIT LIST

Exhibit 2001: Google Patents webpage for U.S. Patent No. 6,993,658, https://patents.google.com/patent/US6993658B1/
Exhibit 2002: Claim Construction Order, Dynapass Holdings LLC v. JPMorgan Chase & Co., et al., Case No. 2:22-cv-00212-JRG-RSP, Dkt. 120 (E.D. Tex. Oct. 31, 2023).
Exhibit 2003: Proof of Service of Summons in Civil Action, Dynapass IP Holdings LLC v. Experian Information Services, Inc., Case No. 2:23-cv-00066 (E.D. Tex.).

I. INTRODUCTION

Dynapass IP Holdings, LLC (“Patent Owner”) respectfully submits this Preliminary Response (the “Response”) to the Petition for Inter Partes Review of U.S. Patent No. 6,993,658 (Paper 1, the “Petition” or “Pet.”) filed by Experian Information Solutions, Inc. (“Petitioner”). The ’658 Patent relates to “the authentication of users of secure systems and, more particularly, the invention relates to a system through which user tokens required for user authentication are supplied through personal communication devices such as mobile telephones and pagers.” Ex. 1001 at 1:7-11.

Institution should be denied because the Petition fails to demonstrate a reasonable likelihood that any challenged claim of the ’658 Patent is unpatentable. As detailed herein, the combination of references applied by the Petition against the independent claims of the ’658 Patent has numerous glaring deficiencies. For example, the independent claims require activation of the user’s account in response to creation of a new “password” for the user (the “password” in the claims is “based at least upon a token and a passcode”). The account remains active until the expiration of “a predetermined amount of time after activating the account.” That process is depicted in Figure 5, a portion of which is reproduced below:

Ex. 1001, Fig. 5 (excerpted).

The asserted references do not discuss activation of a user account. Putting that aside, Petitioner disregards the requirement that activation occurs in response to creation of a new “password” for the user.

In addition, the Petition constitutes nothing more than the third bite of the apple in an attempt to invalidate the claims of the ’658 Patent. Petitioner delayed its filing until seven months after being served with a complaint, only to retread over familiar ground by asserting prior art that has been considered by the Patent Office during prosecution and inter partes review proceedings. As a result, the Petition satisfies both the (1) General Plastic factors and (2) the two-part framework of 35 U.S.C. § 325(d). Accordingly, the Board should exercise its discretion to deny institution.

Finally, institution should be denied because the Board does not have jurisdiction over expired patents. For these reasons, institution should be denied.

II. STATEMENT OF THE PRECISE RELIEF REQUESTED

Petitioner asserts that claims 1-7 of the ’658 Patent are unpatentable under the following grounds:

Ground    References                     Challenged Claims
1         Sormunen in view of Perlman    1-7

Pet., p. 15.

Patent Owner requests that the Board deny institution of the Petition with respect to all challenged claims and all asserted grounds. A full statement of the reasons for the relief requested is set forth in Sections III, IV, and V of this Response.

III. THE PETITION SHOULD BE DENIED BECAUSE IT DOES NOT ESTABLISH A REASONABLE LIKELIHOOD OF SUCCESS ON ANY CHALLENGED CLAIM.

As shown below, the Petition fails to demonstrate a reasonable likelihood that Petitioner would prevail with respect to any claim of the ’658 Patent. The Petition challenges claims 1-7 of the ’658 Patent (the “Challenged Claims”). Pet. at 15. As detailed herein, the proposed Ground fails to disclose key limitations of each Challenged Claim, so trial should not be instituted.

A. The ’658 Patent

The ’658 Patent, which is titled “Use of Personal Communication Devices for User Authentication,” was filed on March 6, 2000, and issued on January 31, 2006. Ex. 1001. The ’658 Patent relates to “the authentication of users of secure systems and, more particularly, the invention relates to a system through which user tokens required for user authentication are supplied through personal communication devices such as mobile telephones and pagers.” Ex. 1001 at 1:7-11.

At the time of the claimed inventions, “secure systems”[1] used “a user ID and password pair to identify and authenticate system users.” See id. at 1:13-14. Although user ID/password pairs were ubiquitous, they suffered from several shortcomings, as recognized by the inventors of the ’658 Patent:

Passwords created by users are often combinations of words and names,
which are easy to remember but also easily guessed. Guessing
passwords is a frequent technique used by “hackers” to break into
systems. Therefore, many systems impose regulations on password
formats that require mixtures of letters of different cases and symbols
and that no part of a password be a word in the dictionary. A user’s
inability to remember complex combinations of letters, numbers, and
symbols often results in the password being written down, sometimes
on a note stuck to the side of a workstation.

Id. at 1:28-38.

[1] The ’658 Patent describes many non-limiting examples of a “secure system,” including Novell NetWare-, Microsoft NT-, Windows 2000-, and UNIX/Linux-based computers, as well as “any system, device, account, . . . a user account on a network of computer workstations, a user account on a website, or a secure area of a building.” Ex. 1001 at 1:13-19, 4:13-23.

The increasing use of remote connectivity at the time of the claimed inventions further exacerbated the shortcomings of user ID/password pairs. See id. at 1:20-26. As a result, then-current systems faced several issues:

Present systems face several problems: users dread frequent password
changes, frequent password changes with hard-to-remember passwords
inevitably result in users surreptitiously writing down passwords, and
security is compromised when users write down their passwords.

Id. at 1:39-43. Two-factor authentication (a form of multi-factor authentication) improves user ID/password pairs by adding “unpredictable, one-time-only access codes.” See id. at 1:49-51. The first factor is “a user passcode or personal identification number.” See id. at 1:46-47. The second factor is the “unpredictable, one-time-only access codes.” See id. at 1:49-51. In two-factor authentication, system access is based upon:

• “nonsecret information known to the user, such as the user ID;”
• “secret information known to the user, such as the passcode;” and
• “information provided to the user through an object possessed by the user, such as the token.”

Id. at 2:11-15.

The ’658 Patent acknowledges the existence of the RSA Security, Inc. SecurID product at the time of the claimed inventions, but identified significant deficiencies in the product:

The SecurID product, however, requires users to carry an additional
item on their person in order to access a secure system. It would be
advantageous if the benefits of the SecurID system could be achieved
using a device that many users already carry—a personal
communication device such as a mobile phone or a pager.

Id. at 1:54-59. The ’658 Patent requires the use of a personal communication device, which teaches away from a separate device like the SecurID product. See id.

The ’658 Patent solves the deficiencies of the SecurID product and further improves two-factor authentication in a unique, novel, non-obvious way. Figure 1 of the ’658 Patent, reproduced below, depicts an embodiment of a user authentication system (identified as “100” in the figure):

Id. at Fig. 1; see also id. at 3:31-33.

Authentication system (100) regulates access to secure system (110). Id. at 4:9-13. User authentication server (102) “preferably includes a program or a suite of programs running on a computer system to perform user authentication services.” Id. at 4:27-29. “The authentication information preferably includes a user ID 152, a passcode 154 and a user token 156.” Id. at 4:36-39. Tokens are received on the user’s personal communication device (106), which can be, for example, “a pager or mobile phone having SMS (short message service) receive capability.” Id. at 4:13-15.

It is important to be aware of the terminology used by the ’658 Patent. The “user ID may be publicly known and used to identify the user.” Id. at 4:39-40. The ’658 Patent uses the term “passcode” to refer to what is commonly called a “password:” “For example, the user 108 can combine a valid, memorized passcode of ‘abcd’ . . . .” Id. 4:54-55; see also id. at 1:27-29 (“Passwords created by users are often combinations of words and names, which are easy to remember but also easily guessed.”), 4:40 (“The passcode 154 is preferably secret and known only to the user 108.”). The “token” can be, for example, “a random or pseudo-random sequence of numbers or digits or both numbers and digits.” Id. at 9:22-24.

The ’658 Patent uses the term “password” to refer to the combination of at least the “passcode” and a “token.” Id. at 4:52-53 (“In the preferred embodiment, the user 108 combines the token 156 with the passcode 154 to form a password 158.”). For example, if the passcode is “abcd” and the token is “1234,” the password could be “abcd1234” or “1234abcd.” See id. at 4:54-56. The components of the password (e.g., the passcode and token) can be combined or sent to the system as separate components. See id. at 4:52-65.

Figure 5, reproduced below, depicts an embodiment of how the system provides tokens and authenticates users.

Id. at Fig. 5; see also id. at 3:41-43.

In step 502, the system associates the user’s user ID and passcode with the user’s personal communication device. Id. at 8:53-60. By doing so, the system transmits the token only to the associated user. See id. In steps 504, 506, and 508, the system receives a request for a token, determines which user made the request (i.e., associates the request with a user ID), and generates the token. See id. at 9:3-27, Fig. 5. Those steps differ from other systems that continually generate access codes. See, e.g., id. at 1:49-51 (“The SecurID card generates and displays unpredictable, one-time-only access codes that automatically change every 60 seconds.”). In step 510, the system generates a new “password” based on at least the “token” and “passcode.” Id. at 9:28-33, Fig. 5. That password is then stored and the user’s account can be activated if it was deactivated. Id. at 9:34-41, Fig. 5 (step 512).

In step 514, the system transmits the token to the user’s personal communication device. See id. at 9:44-53, Fig. 5. Claim 1 of the ’658 Patent requires that the “personal communication device” be “in communication over a second network, wherein said network is a cell phone network. . . .” Id. at 11:47-50. Claim 5 requires that the token is transmitted to the “personal communication device” through a “cell phone network.” Id. at 12:34-36. The claims also require that the user’s account is deactivated “within a predetermined amount of time” after the account is activated. Id. at 12:9-13 (claim 1), 12:41-47 (claim 5).

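
The Figure 5 flow described above (steps 502 through 514, followed by login and timed deactivation), sketched as an added example that is not code from the ’658 Patent or from this filing. The class and method names, the 60-second window, the six-digit token, the passcode-then-token order, the salted PBKDF2 storage and the phone numbers are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Toy model of the request / activate / deactivate flow (names are hypothetical)."""

    def __init__(self, active_seconds=60, clock=time.monotonic):
        self.active_seconds = active_seconds  # assumed "predetermined amount of time"
        self.clock = clock                    # injectable so expiry can be exercised
        self.users = {}                       # user_id -> account record
        self.device_to_user = {}              # device number -> user_id

    def register(self, user_id, passcode, device_number):
        # Step 502: associate user ID and passcode with the personal device.
        self.users[user_id] = {"passcode": passcode, "salt": None,
                               "pw_hash": None, "activated_at": None}
        self.device_to_user[device_number] = user_id

    @staticmethod
    def _hash(password, salt):
        # Storage format is an assumption; the page only says the password is stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def request_token(self, device_number):
        # Steps 504-506: a request arrives from the device and is mapped to a user ID.
        user_id = self.device_to_user.get(device_number)
        if user_id is None:
            return None
        acct = self.users[user_id]
        # Step 508: generate a fresh token on request (not continuously).
        token = f"{secrets.randbelow(10**6):06d}"
        # Step 510: new password based on the passcode and the token.
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash(acct["passcode"] + token, acct["salt"])
        # Step 512: the password is stored and the account is activated.
        acct["activated_at"] = self.clock()
        # Step 514: only the token travels back to the device.
        return token

    def authenticate(self, user_id, password):
        acct = self.users.get(user_id)
        if acct is None or acct["activated_at"] is None:
            return False                      # account not active: nothing to match
        if self.clock() - acct["activated_at"] > self.active_seconds:
            # Deactivate once the predetermined window has elapsed.
            acct["salt"] = acct["pw_hash"] = acct["activated_at"] = None
            return False
        candidate = self._hash(password, acct["salt"])
        return hmac.compare_digest(candidate, acct["pw_hash"])


def demo():
    """Walk one user through the flow with a fake clock (constructed sample values)."""
    now = [0.0]
    srv = AuthServer(active_seconds=60, clock=lambda: now[0])
    srv.register("alice", "abcd", "+15550100")
    before_request = srv.authenticate("alice", "abcd")       # account not yet active
    token = srv.request_token("+15550100")
    passcode_only = srv.authenticate("alice", "abcd")         # token missing
    in_window = srv.authenticate("alice", "abcd" + token)     # passcode + token
    now[0] = 61.0
    after_window = srv.authenticate("alice", "abcd" + token)  # window elapsed
    return before_request, passcode_only, in_window, after_window


if __name__ == "__main__":
    print(demo())
```
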
The Patent Office issued the ’658 Patent after several office actions. Since then, the ’658 Patent has been cited by more than 200 patent applications. Ex. 2001, https://patents.google.com/patent/US6993658B1/. Amongst those patent applications are patent applications filed by major industry entities, including IBM Corporation, Microsoft Corporation, Lucent Technologies, Honeywell International, Inc., British Telecommunications PLC, AT&T, Visa, and Google Inc. See id. They also include a patent application filed by JPMorgan Chase Bank, N.A., a defendant in the parallel district court proceedings in the Eastern District of Texas. See id.

B. Level of Ordinary Skill in the Art

For the purposes of this Response only, Patent Owner does not dispute the level of skill of a person of ordinary skill in the art (“POSITA”) identified in the Petition. See Pet., p. 14. Patent Owner notes, however, that the United States District Court for the Eastern District of Texas found that a POSITA would have at least an undergraduate degree in electrical engineering, computer science, computer engineering, or a closely related field, and two years experience in online security, such as user authentication technologies. Ex. 2002 at 6-7.

C. Claim Construction

Except as noted below, Patent Owner contends that claim construction is not necessary for the Board to determine that the Petition fails to demonstrate a reasonable likelihood that any challenged claim of the ’658 Patent is unpatentable. Patent Owner reserves the right to address claim construction of any term in the challenged claims if the Board institutes inter partes proceedings.

D. Ground 1 – The Combination of Sormunen and Perlman Does Not Render Obvious Claims 1-7 of the ’658 Patent.

Petitioner contends that the combination of Sormunen and Perlman renders obvious claims 1-7 of the ’658 Patent. Pet. at 15, 28-47. That combination does not render obvious claims 1-7 of the ’658 Patent for at least the following reasons.

Sormunen discloses a system for obtaining passwords for a “protected service 1.” See Ex. 1004, 1:1-5, Fig. 2. The system includes a user’s “access terminal 8,” a user’s “mobile terminal 3,” a “service center 4,” and a “password server 5.” See Ex. 1004, 5:35-7:18, Fig. 2. Figure 2 of Sormunen is reproduced below:

Ex. 1004, Fig. 2 (annotated).

To use “protected service 1,” the user “sends a short message 2” including “a password request and possibly also a subscription request for a new user” from the “mobile terminal 3” to “service center 4.” See Ex. 1004, 5:35-6:3, Fig. 2. The “service center 4 processes the incoming messages . . . and transmits the inquiry” to “password server 5.” See Ex. 1004, 6:20-23, Fig. 2. The “password server 5 transmits the password and/or the user name to the [] service center 4, which forms . . . a reply message 6, which is sent to the [mobile] terminal 3.” Ex. 1004, 6:35-37, Fig. 2. The password in “reply message 6” may be displayed to the user on the “mobile terminal.” Ex. 1004, 7:4-6, Fig. 2.

The user forms a connection between “data processor 8” and “a verification service 9 of the [protected] service 1.” See Ex. 1004, 7:9-10, Fig. 2. The user name and password (as set forth in “reply message 6”) are transmitted by “data processor 8” to the “password server 5” via the “verification service 9.” See Ex. 1004, 7:11-14, Fig. 2. The “password server 5” determines “whether the user name and the password are given correctly.” Ex. 1004, 7:14-16, Fig. 2. If the user name and password are correct, the user is given access to “protected service 1.” Ex. 1004, 7:16-18, Fig. 2.

Through that mechanism Sormunen’s system purportedly provides “fast and safe[]” transmission of at least a password to the user. Ex. 1004, 4:18-21. “A further advantage of the fast data transmission is that the validity of passwords can be shortened remarkably and security may thus be improved.” Ex. 1004, 5:16-18.

Sormunen also discloses one embodiment for “obtaining a personal identity number (PIN) of bank and credit cards and corresponding charge cards. Thus when the charge card is being ordered, the number of the orderer’s paging device or mobile station can be given, wherein the supplier of the charge card transmits the personal identity number connected to the charge card to the paging device or the mobile station of the user.” Ex. 1004, 9:26-32.

But Sormunen fails to disclose at least generating a “new password” based on a “token” and a “passcode,” as independent claims 1 and 5 require. Further, Sormunen fails to disclose deactivating access to a user account “within a predetermined amount of time after activating the account,” as independent claims 1 and 5 also require. Further still, Sormunen fails to disclose “receiving a request . . . for a token via the personal communication device,” over a cell phone network, as independent claim 1 requires.

Perlman discloses a “system 100” including an “authentication token 170,” a “workstation 120” and a “server 140.” Ex. 1005, 4:65-5:8, Fig. 1. Figure 1 of Perlman is reproduced below:

Ex. 1005, Fig. 1 (excerpted and annotated).

Perlman discloses generating a “character string” using time-synchronized “authentication token 170.” See Ex. 1005, 4:38-55, 8:55-9:9, Fig. 1. The “character string” is communicated to “workstation 120” along with an existing secret value known to the user. See Ex. 1005, 4:38-55, 8:55-9:9, Fig. 1. The “workstation 120” generates a “second character string” based on the existing secret value known to the user and the “character string” from the time-synchronized “authentication token 170.” See id. The “workstation 120” transmits the “second character string” from the “workstation 120” to “server 140” to authenticate the user. See id. Perlman’s system has an enhanced or “more secure” password because a new “character string” from the time-synchronized “authentication token 170” is used each time the user needs to be authenticated. See Ex. 1005, 6:20-38 (“the character string is the time of day in minutes . . . To allow for clock skew and delays in typing and transmission, the server will accept any one of several character strings, based on character strings the token might have displayed in the last seven minutes or the next three minutes”). In other words, Perlman’s “character string” is only good for a single authentication attempt.

But Perlman fails to disclose at least deactivating access to a user account “within a predetermined amount of time after activating the account,” as independent claims 1 and 5 require. Further, Perlman fails to disclose “transmitting the token to the personal communication device” through the cell phone network as independent claims 1 and 5 also require. Further still, Perlman fails to disclose “receiving a request . . . for a token via the personal communication device,” over a cell phone network, as independent claim 1 requires.

Additionally, Perlman’s “authentication token” is similar to RSA’s SecurID product disclosed in the ’658 Patent. See Ex. 1001, 1:44-59. Both Perlman’s “authentication token” and RSA’s SecurID product are additional devices (i.e., not the user’s cellphone, not the user’s pager) that the user must carry with him/her and that locally generate one-time access codes based on time, not receiving the token. Compare Ex. 1005, 5:46-64, 6:20-38 with Ex. 1001, 1:44-59. But the ’658 Patent expressly discloses the claimed invention is designed to operate with the user’s personal communication device to save the user from having to carry around yet another device like RSA’s SecurID product, and thus Perlman’s “authentication token.” See Ex. 1001, 1:56-59 (“It would be advantageous if the benefits of the SecurID system could be achieved using a device that many users already carry—a personal communication device such as a mobile phone or a pager.”) (emphasis added). Accordingly, Perlman with its necessary “authentication token” teaches away from the claimed invention. Moreover, by relying on Perlman, the Petition is effectively taking the same prior art (i.e., RSA’s SecurID product) and recasting it through impermissible hindsight.

1. Independent Claim 1

The combination of Sormunen and Perlman does not render obvious independent claim 1 because the combination does not teach or suggest the following elements of the claim.

i. [1.c] “receiving a request . . . for a token . . . over the second network”

Claim element [1.c] recites “receiving a request from the user for a token via the personal communication device, over the second network.” The “second network” is a “cell phone network.” Compare claim element [1.c] with claim element [1.b] (“wherein said second network is a cell phone network”). Petitioner mapped Sormunen’s “short [request] message 2” from the “mobile terminal” to the claimed “request from the user” and “personal communication device,” respectively. See Pet. at 32-33. Petitioner also mapped Sormunen’s “PIN” of a bank/credit card to the claimed “token.” See Pet. at 34 (“the new password to be combination of the known password (passcode) and the PIN (token)”) (emphasis added). But Sormunen fails to disclose that the “short [request] message 2” (the identified “request from the user”) is a request for the “PIN” (the identified “token”), as claim element [1.c] requires.

Sormunen discloses that “[t]he short [request] message 2 includes a password request and possibly also a subscription request for a new user.” Ex. 1004, 5:38-6:2. But neither a “password request” nor a “subscription request” is the same as a request for Sormunen’s “PIN” (the identified “token”). In fact, Petitioner concedes that Sormunen’s “password” and Sormunen’s “PIN” are not the same. See Pet. at 34 (“A POSA would have found it obvious for the new password to be combination of [Sormunen’s] known password (passcode) and [Sormunen’s] PIN (token)”). Accordingly, Sormunen fails to disclose claim element [1.c].

Further, Sormunen also discloses

the present invention can be applied also for obtaining a personal
identity number (PIN) of bank and credit cards and corresponding
charge cards. Thus when the charge card is being ordered, the number
of the orderer’s paging device or mobile station can be given, wherein
the supplier of the charge card transmits the personal identity number
connected to the charge card to the paging device or the mobile station
of the user.

Ex. 1004, 9:26-32 (emphasis added). That paragraph is the first and only disclosure of Sormunen’s “PIN” (the identified “token”). To the extent that passage discloses a request for Sormunen’s “PIN” (the identified “token”), that passage in Sormunen still fails to disclose that the request for the “PIN” (the identified “token”) is received over a “cell phone network” and via Sormunen’s “mobile terminal” (the identified “personal communication device”), as claim element [1.c] requires. To the contrary, because Sormunen discloses “when the charge card is being ordered, the number of the . . . mobile station can be given” (Ex. 1004, 9:28-29) (emphasis added), that disclosure indicates that the request for Sormunen’s “PIN” is not being received over a “cell phone network” or via Sormunen’s “mobile terminal,” but rather over some other network and via some other device (e.g., Sormunen’s “access terminal 8”). Otherwise, if the request for Sormunen’s “PIN” was being received over a “cell phone network” and via Sormunen’s “mobile terminal,” the phone number of Sormunen’s “mobile terminal” would already be known to the component that receives the request for Sormunen’s “PIN,” and there would be no need for the user to “give[]” the phone number. This is also consistent with other disclosures in Sormunen, where the “mobile terminal” is not used to request data. See, e.g., Ex. 1004, 6:17-18 (“Thus the mobile station is not needed in the data inquiry phase.”).

Further, it only makes sense that Sormunen’s “PIN” for a bank/credit card (the identified “token”) is not requested via Sormunen’s “mobile terminal” (the identified “personal communication device”). Sormunen stresses the importance of not letting the PIN “fall[] into the wrong hands.” Ex. 1004, 9:33-34. A person often carries both their credit card and their cellphone on their person. If both items are misplaced or stolen, the “PIN” could be requested using the cellphone, and the thief could use the stolen cellphone to obtain a new PIN for the stolen credit card, and gain access to the victim’s money. Accordingly, Sormunen does not teach or suggest claim element [1.c].

Perlman does not cure the deficiencies of Sormunen, and the Petition does not contend otherwise. See Pet., pp. 32-34. In view of the above, the combination of Sormunen and Perlman fails to teach or suggest claim element [1.c], and thus fails to render claim 1 obvious.

ii. [1.d] “generating a new password . . . based at least upon the token and a passcode . . .”

Claim element [1.d] recites “generating a new password for said