Trials@uspto.gov
`Tel: 571-272-7822
`
`Paper 11
`Date: March 28, 2024
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`EXPERIAN INFORMATION SOLUTIONS, INC.,
`Petitioner,
`v.
`DYNAPASS IP HOLDINGS LLC,
`Patent Owner.
`
`IPR2023-01406
`Patent 6,993,658 B1
`
`Before KEVIN F. TURNER, KRISTEN L. DROESCH, and
`LYNNE H. BROWNE, Administrative Patent Judges.
`BROWNE, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`Tel: 571-272-7822
`
`Paper 11
`Date: March 28, 2024
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`EXPERIAN INFORMATION SOLUTIONS, INC.,
`Petitioner,
`v.
`DYNAPASS IP HOLDINGS LLC,
`Patent Owner.
`
`IPR2023-01406
`Patent 6,993,658 B1
`
`Before KEVIN F. TURNER, KRISTEN L. DROESCH, and
`LYNNE H. BROWNE, Administrative Patent Judges.
`BROWNE, Administrative Patent Judge.
`
`DECISION
`Denying Institution of Inter Partes Review
`35 U.S.C. § 314
`
`
`
`
`
`
`
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`
`
`INTRODUCTION
`Experian Information Solutions, Inc. (“Petitioner”) filed a Petition
`(Paper 2 (“Pet.”)), seeking inter partes review of claims 1–7 (“the
`challenged claims”) of U.S. Patent No. 6,993,658 B1 (Ex. 1001 (“the
`’658 patent”)). See Pet. 2. Dynapass IP Holdings LLC (“Patent Owner”)
`filed a Preliminary Response. Paper 7 (“Prelim. Resp.”).
`Institution of an inter partes review is authorized by statute when “the
`information presented in the petition . . . and any response . . . shows that
`there is a reasonable likelihood that the petitioner would prevail with respect
`to at least 1 of the claims challenged in the petition.” 35 U.S.C. § 314(a);
`see 37 C.F.R. § 42.108 (2022). Upon consideration of the Petition and the
`evidence of record, we conclude that the information presented in the
`Petition does not establish that there is a reasonable likelihood that Petitioner
`would prevail in challenging at least one of claims 1–7 of the ’658 Patent as
`unpatentable under the grounds presented in the Petition. Pursuant to § 314,
`we hereby deny institution of an inter partes review as to the challenged
`claims of the ’658 Patent.
` Real Parties in Interest
`Petitioner identifies itself, Experian Information Solutions, Inc., as the
`only real party-in-interest. Pet. 53. Patent Owner identifies itself, Dynapass
`IP Holdings LLC and DynaPass Inc., as the only real parties-in-interest.
`Paper 4, 1.
` Related Matters
`Petitioner indicates that the ‘658 Patent is at issue in the following
`district court litigation: identify Dynapass IP Holdings, LLC v. Amazon.com
`Inc., No. 2:23-cv-00063 (E.D. Tex.); Dynapass IP Holdings, LLC v. The
`Charles Schwab Corporation, No. 2:23-cv-00064 (E.D.); Dynapass IP
`
`2
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`Holdings, LLC v. Experian Information Services, Inc., No. 2:23-cv-00066
`(E.D. Tex.);; Dynapass IP Holdings, LLC v. Simmons First National
`Corporation, No. 2:23-cv-00068 (E.D. Tex. filed); Dynapass IP Holdings,
`LLC v. Bank of America Corporation, No. 2:22-cv-000210 (E.D. Tex.);
`Dynapass IP Holdings, LLC v. BOKF, National Association, No. 2:22-cv-
`000211 (E.D. Tex.); Dynapass IP Holdings, LLC v. JPMorgan Chase & Co.,
`No. 2:22-cv-000212 (E.D. Tex.);; Dynapass IP Holdings, LLC v. PNC
`Financial Services Group, Inc., No. 2:22-cv-000214 (E.D. Tex.); Dynapass
`IP Holdings, LLC v. Truist Financial Corporation, No. 2:22-cv-000216
`(E.D. Tex.); Dynapass IP Holdings, LLC v. Wells Fargo & Company, No.
`2:22-cv-000217 (E.D. Tex.);; and Jack Henry & Associates, Inc. v.
`Dynapass IP Holdings LLC, No. 1:23-cv-00388 (D. Del.). Pet. 53–55. In
`addition, Patent Owner identifies district court litigation involving the ’658
`patent that was dismissed with prejudice. Paper 4, 1–4. As litigation that is
`dismissed with prejudice cannot affect or be affected by a decision in this
`proceeding, we do not list these matters.
`Petitioner indicates that the ’658 patent is involved in the following
`proceedings before the Board: Unified Patents, LLC v. Dynapass IP
`Holdings, LLC, IPR2023-00425 (PTAB) and JPMorgan Chase & Co. v.
`Dynapass IP Holdings, LLC, IPR2023-01331 (PTAB). Pet. 48–50. Patent
`Owner identifies an additional proceeding in which institution was denied.
`Paper 4, 2–4. As a proceeding in which institution was denied cannot affect
`or be affected by a decision in this proceeding, we do not list it.
` The ’658 patent (Ex. 1001)
`The ’658 Patent is titled “Use of Personal Communication Devices
`For User Authentication.” Ex. 1001, code (54). The invention “relates
`generally to the authentication of users of secure systems and, more
`
`3
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`particularly, the invention relates to a system through which user tokens
`required for user authentication are supplied through personal
`communication devices such as mobile telephones and pagers.” Id. at
`1:7–11.
`One embodiment of the invention provides a password setting system
`that includes a user token server and a communication module wherein a
`user token server generates a random token in response to a request for a
`new password from a user. Ex. 1001, 1:63–2:2. “The server creates a new
`password by concatenating a secret passcode that is known to the user with
`the token” and “sets the password associated with the user’s user ID to be
`the new password.” Id. at 2:2–6. A “communication module transmits the
`token to a personal communication device, such as a mobile phone or a
`pager carried by the user.” Id. at 2:6–8. Then, the user concatenates the
`secret passcode with the received token in order to form a valid password,
`which the user submits to gain access to the secure system. Id. at 2:8–11.
`Figure 1, reproduced below, “illustrates an overview, including
`system components, of a user authentication system 100 according to a
`preferred embodiment of the present invention.” Ex. 1001, 4:2–4.
`
`4
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`
`
`
`User authentication system 100 includes authentication Server 102, text
`messaging Service provider 104, personal communication device 106 carried
`by user 108, and secure system 110 to which the authentication system 100
`regulates access. Id. at 4:9–13. “[P]ersonal communication device 106 is
`preferably a pager or a mobile phone having SMS (short message Service)
`receive capability.” Id. at 4:13–15. Secure system 110 can be “any system,
`device, account, or area to which it is desired to limit access to authenticated
`users.” Id. at 4:18–20.
`User authentication server 102 is configured to require that user 108
`supply authentication information through secure system 110 in order to
`gain access to secure system 110. Ex. 1001, 4:32–35. Authentication
`information provided by the user includes user ID 152, passcode 154 and
`
`5
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`user token 156. Id. at 4:36–37. User ID 152 may be publicly known and
`used to identify the user 108 and passcode 154 is secret and only known to
`the user 108, whereas token 156 is provided only to user 108 by user
`authentication server 102 through personal communication device 106. Id.
`at 4:39–44. To gain access to secure system 100, user 108 combines token
`156 with passcode 154 to form password 158. Id. at 4:52–53. Thus, user
`108 needs to have personal communication device 106 in order to gain
`access to secure system 110. Id. at 4:46–48. Further, token 156 has a
`limited lifespan, such as 1 minute or 1 day. Id. at 4:44–45.
` Challenged Claims
`Petitioner challenges claims 1–7. Pet. 1. Claims 1 and 5, reproduced
`below with Petitioner’s identifiers included, are the independent claims at
`issue in this proceeding. Ex. 1001, 11:43–12:13, 12:20–47. Claims 2, 3,
`and 4 depend from claim 1 and claims 6 and 7 depend or ultimately depend
`from claim 5. Id. at 12:16–19, 12:48–56.
`1.
`[1.a] A method of authenticating a user on a first secure
`computer network, the user having a user account on said first
`secure computer network, the method comprising:
`[1.b] associating the user with a personal communication device
`possessed by the user, said personal communication device in
`communication over a second network, wherein said second
`network is a cell phone network different from the first secure
`computer network;
`[1.c] receiving a request from the user for a token via the
`personal communication device, over the second network;
`[1.d] generating a new password for said first secure computer
`network based at least upon the token and a passcode, wherein
`the token is not known to the user and wherein the passcode is
`known to the user;
`
`6
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`[1.e] setting a password associated with the user to be the new
`password;
`[1.f] activating access the user account on the first secure
`computer network;
`[1.g] transmitting the token to the personal communication
`device;
`[1.h] receiving the password from the user via the first secure
`computer network, and
`[1.i] deactivating access to the user account on the first secure
`computer network within a predetermined amount of time after
`said activating, such that said user account is not accessible
`through any password, via said first secure computer network.
`5.
`[5.a] A user authentication system comprising:
`[5.b] a computer processor,
`[5.c] a user database configured to associate a user with a
`personal communication device possessed by the user, said
`personal communication device configured to communicate
`over a cell phone network with the user authentication system;
`[5.d] a control module executed on the computer processor
`configured to create a new password based at least upon a token
`and a passcode, wherein the token is not known to the user and
`wherein the passcode is known to the user, the control module
`further configured to set a password associated with the user to
`be the new password;
`[5.e] a communication module configured to transmit the token
`to the personal communication device through the cell phone
`network, and
`[5.f] an authentication module configured to receive the
`password from the user through a secure computer network,
`said secure computer network being different from the cell
`phone network, wherein the user has an account on the secure
`computer network, wherein the authentication module activates
`access to the account in response to the password and
`deactivates the account within a predetermined amount of time
`after activating the account, such that said account is not
`
`7
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`accessible through any password via the secure computer
`network.
`Ex. 1001, 11:43–12:13, 12:20–47.
` The Asserted Grounds of Unpatentability
`Petitioner asserts the following grounds of unpatentability (Pet. 15):
`Claim(s) Challenged
`35 U.S.C. §
`Reference(s)/Basis
`1–7
`103
`Sormunen,1 Perlman2
` Evidence
`In support of its proposed grounds, Petitioner relies on the Declaration
`of Stephen Perkins, Ph.D. (“Dr. Perkins”). Ex. 1003. In our analysis below,
`we consider Dr. Perkin’s testimony.
`
` ANALYSIS
` Level of Ordinary Skill in the Art
`Petitioner asserts that a person of ordinary skill in the art (“POSITA”)
`“would have had a bachelor’s degree in computer science, management of
`information systems, or electrical engineering, or similar field, with one-to-
`two years of experience in the design, support, or implementation of systems
`requiring user authentication.” Pet. 14. Petitioner also asserts that
`“[a]dditional education may substitute for experience with user
`authentication” And “additional relevant experience with user authentication
`may substitute for education.” Id. (citing Ex. 1003 ¶ 48). For the purposes
`of their Preliminary Response, Patent Owner “does not dispute the level of
`
`
`1 WO 97/31306, published August 28, 1997 (“Sormunen”) (Ex. 1004).
`2 U.S. Patent No. 6,173,400 B1, filed July 31, 1998, issued Jan. 9, 2001
`(“Perlman”) (Ex. 1005).
`
`8
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`skill of a” person of ordinary skill in the art identified in the Petition.
`Prelim. Resp. 11.
`
`For purposes of this Decision, we adopt Petitioner’s proposal as
`reasonable and consistent with the prior art. See Okajima v. Bourdeau, 261
`F.3d 1350, 1355 (Fed. Cir. 2001) (the prior art may reflect an appropriate
`level of skill in the art).
` Claim Construction
`We apply the same claim construction standard used in district court
`actions under 35 U.S.C. § 282(b), namely that articulated in Phillips v. AWH
`Corp., 415 F.3d 1303 (Fed. Cir. 2005) (en banc). See 37 C.F.R. § 42.100(b).
`In applying that standard, claim terms generally are given their ordinary and
`customary meaning as would have been understood by a person of ordinary
`skill in the art at the time of the invention and in the context of the entire
`patent disclosure. Phillips, 415 F.3d at 1312–13. “In determining the
`meaning of the disputed claim limitation, we look principally to the intrinsic
`evidence of record, examining the claim language itself, the written
`description, and the prosecution history, if in evidence.” DePuy Spine, Inc.
`v. Medtronic Sofamor Danek, Inc., 469 F.3d 1005, 1014 (Fed. Cir.
`2006) (citing Phillips, 415 F.3d at 1312–17).
`Petitioner asserts that “each claim term be given its plain and ordinary
`meaning as would be understood in the context of the specification and
`prosecution history, and that no specific construction of any claim term is
`required in this proceeding because the ground identified in this Petition
`demonstrates the unpatentability of the claims under any reasonable
`construction.” Pet. 11. Although Petitioner argues that no specific claim
`construction is necessary, it addresses how a person of ordinary skill would
`understand “the terms ‘passcode,’ ‘token,’ and ‘password,’ as well as the
`
`9
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`ordering of steps with respect to the creation of the password and the
`transmission of the token to the user’s personal communication device.”
`Pet. 11.
`Petitioner contends that the ‘658 Patent provides that “a ‘passcode’ is
`a ‘secret [string] known to the user.” Pet. 12 (citing Ex. 1001, 2:13–14
`(“secret information known to the user, such as the passcode”)). Petitioner
`contends that the ‘658 Patent provides that “[a] token is a string ‘that is
`provided to the user through an object possessed by the user.’” Pet. 12
`(citing Ex. 1001, 2:14–15 (“information provided to the user through an
`object possessed by the user, such as the token”)). Petitioner contends that
`the ‘658 Patent provides that the “password is a string generated based on
`the token and the passcode, such as by combining or concatenating them.”
`Pet. 12 (citing Ex. 1001, 2:2–4 (“The server creates a new password by
`concatenating a secret passcode that is known to the user with the token.”)).
`Patent Owner contends that “claim construction is not
`necessary for the Board to determine that the Petition fails to demonstrate a
`reasonable likelihood that any challenged claim of the ’658 Patent is
`unpatentable,” and does not provide an alternate understanding of the plain
`and ordinary meaning of any claim terms. Prelim. Resp. 11.
`
`At this stage of this proceeding, we determine that no claim terms
`require express construction in order to determine whether or not to institute
`inter partes review because doing so would have no effect on the analysis
`below. See Nidec Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868
`F.3d 1013, 1017 (Fed. Cir. 2017) (“[W]e need only construe terms ‘that are
`in controversy, and only to the extent necessary to resolve the controversy.’”
`(quoting Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803
`(Fed. Cir. 1999))).
`
`10
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
` Jurisdiction Over the ’659 Patent
`Patent Owner contends that expiration of a patent removes the patent
`from the Patent Office’s jurisdiction and returns it to the sole jurisdiction of
`the Article III courts. Prelim. Resp. 54. Patent Owner contends that “[w]ith
`the expiration of the ‘658 Patent in March 2020, the Board ceased to have
`jurisdiction over the ‘658 Patent, and this inter partes review proceeding
`should be terminated as a result.” Id. at 54–55. We disagree.
`Patent Owner grounds its contentions in the Supreme Court’s
`pronouncement in Oil States, that “the decision to grant a patent is a matter
`involving public rights–specifically, the grant of a public franchise.” Prelim.
`Resp. 53; Oil States Energy Servs., LLC v. Greene’s Energy Grp., LLC, 138
`S. Ct. 1365, 1373 (2018). According to Patent Owner, “[w]hen a patent
`expires . . . the public franchise ceases to exist and the franchisee (e.g., the
`patent owner) no longer has the right to exclude others” and “because the
`public franchise no longer exists, the Patent Office has nothing in its
`authority to cancel or amend.” Id. at 54.
`In Oil States, the Supreme Court explained that “[i]nter partes review
`is ‘a second look at an earlier administrative grant of a patent.’” Oil States,
`138 S. Ct. at 1374 (quoting Cuozzo Speed Techs., LLC v. Lee, 579 U.S. 261,
`279 (2016)). The Board has relied on this statement to conclude that the
`Patent Office has jurisdiction over expired patents in inter partes review
`proceedings. Google LLC and YouTube, LLC v. Robocast, Inc., IPR2023-
`00593, Paper 14 at 8–12 (PTAB Sept. 18, 2023); Apple, Inc. v. Gesture
`Tech. Partners, LLC, IPR2021-00922, Paper 10 at 17–18 (PTAB Nov. 29,
`2021); Apple, Inc. v. Gesture Tech. Partners, LLC, IPR2021-00921,
`Paper 24 at 36–38 (PTAB Dec. 5, 2022).
`The Federal Circuit has also affirmed the Board’s determination with
`
`11
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`respect to expired claims in inter partes review. See, e.g., Wasica Fin.
`GmbH v. Cont'l Auto. Sys., Inc., 853 F.3d 1272, 1279 (Fed. Cir. 2017)
`(noting that ‘[t]he Board construes claims of an expired patent in accordance
`with Phillips . . . [and] [u]nder that standard, words of a claim are generally
`given their ordinary and customary meaning’).”). This is consistent with our
`contemporaneous interpretation of our regulations as demonstrating that
`expired patents are properly considered to be within our jurisdiction. 37
`C.F.R. § 42.100(b); see also, e.g., 83 Fed. Reg. 51,341 (Oct. 11, 2018)
`(Changes to the Claim Construction Standard for Interpreting Claims in
`Trial Proceedings Before the Patent Trial and Appeal Board) (“The claim
`construction standard adopted in this final rule also is consistent with the
`same standard that the Office has applied in interpreting claims of expired
`patents and soon-to-be expired patents.).
`Furthermore, the statutes governing inter partes review do not limit
`them to unexpired patents. See 35 U.S.C. §§ 311(b), 311(c), 315; see also
`Sony Corp. v. Iancu, 924 F.3d 1235, 1239–41 (Fed. Cir. 2019) (affirming
`that a case or controversy before the PTAB existed when a patent was
`expired; articulating the importance of the Board's review of expired patents
`since expired patents can be asserted for past infringement).
`Even if none of these factors alone is dispositive, they are collectively
`consistent with the Board's jurisdiction extending to cover expired patents.
`More particularly, Patent Owner does not adequately explain why the
`Board’s authority to take “a second look at an earlier administrative grant of
`a patent” ends when the patent term expires even though the rights granted
`by the patent are not yet exhausted. Oil States, 138 S. Ct. at 1374. We
`accordingly disagree that the Board lacks jurisdiction over expired patents.
`
`12
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
` Patentability Challenge
`1. Legal Standards
`Petitioner bears the burden to demonstrate unpatentability, and that
`burden never shifts to Patent Owner. Dynamic Drinkware, LLC v. Nat’l
`Graphics, Inc., 800 F.3d 1375, 1378 (Fed. Cir. 2015).
`
`A claim is unpatentable for obviousness if “the differences between
`the subject matter sought to be patented and the prior art are such that the
`subject matter as a whole would have been obvious at the time the invention
`was made to a person having ordinary skill in the art to which said subject
`matter pertains.” 35 U.S.C. § 103; see also KSR Int’l Co. v. Teleflex Inc.,
`550 U.S. 398, 406 (2007). The question of obviousness is resolved on the
`basis of underlying factual determinations including (1) the scope and
`content of the prior art; (2) any differences between the claimed subject
`matter and the prior art; (3) the level of ordinary skill in the art; and (4)
`when in evidence, objective evidence of nonobviousness.3 Graham v. John
`Deere Co., 383 U.S. 1, 17–18 (1966).
`2. Prior Art
`a. Sormunen (Ex. 1004)
`Sormunen is a Patent Cooperation Treaty application published
`August 28, 1997. Petitioner asserts that Sormunen is prior art under pre-
`AIA 35 U.S.C. § 102(a) and (b). Pet. 15.
`Sormunen’s “invention relates to a method and system for obtaining at
`least one item of user specific authentication data, such as a password and/or
`a user name.” Ex. 1008, 1:3–5. Sormunen disclose that its method and
`
`
`3 The parties have not directed our attention to any objective evidence of
`obviousness or non-obviousness.
`
`13
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`system “can be applied also for obtaining a personal identity number (PIN)
`of bank and credit cards and corresponding charge cards.” Id. at 9:26–28.
`Sormunen discloses the use of mobile communication systems including
`cellular systems, paging systems, and mobile phone systems. Id. at 4:36–
`5:1. For illustrative purposes, Sormunen’s Figure 2 is reproduced below:
`
`
`Figure 2 shows a preferred embodiment of a two-way method for
`transmitting a username and password in response to user specific
`authentication data. Id. at 5:26–27, 5:33–34.
`One way the user can obtain a password for use of protected service 1
`is by sending short message 2 with the sender’s authentication data from
`paging terminal 3. Ex. 1001, 5:35–38; 6:3–4. Password server 5 transmits
`the password and/or the user name to short message service center 4, which
`forms reply message 6, which is sent to the paging terminal 3 in enciphered
`form. Id. at 6:35–38. As further shown in Figure 2, reply message 6 can be
`shown to the user by display means 7 on paging terminal 3 to allow use of
`protected service 1. Id. at 6:35–7:7.
`
`14
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`The second way the user can obtain a password is by inputting a
`username and a password into data processor 8 for subsequent verification in
`service 9. Ex. 1001, 7:9–7:11. “[V]erification service 9 transmits the given
`data to the [protected] service 1, which sends a check request 11 of the user
`name and the password to the password server 5.” Id. at 7:9–11. Password
`server 5 examines the data and communicates in reply message 12 to
`protected service 1 whether the inputted username and password are correct.
`Id. at 7:14–16. Data processor 8 can have a data transmission connection to
`mobile station 3. Id. at 7:25–26. As further shown in Figure 2, reply
`message 6 may be processed in the application software of mobile station 3
`“and transmitted to the data processor 8, whereby the user is given his or her
`user-specific authentication data for using the information service.” Id. at
`7:32–34.
`
`b. Perlman (Ex. 1005)
`Perlman is a U.S. patent for “Methods and Systems for Establishing a
`Shared Secret Using an Authentication Token.” Ex. 1005, code (54).
`Petitioner asserts that Perlman is prior art under pre-AIA 35 U.S.C. § 102(a)
`and (e). Pet. 20. Perlman discloses “a method for establishing a shared
`secret among a plurality of devices, compris[ing] the steps of providing an
`authentication token; and utilizing the authentication token to establish a
`shared secret among the plurality of devices.” Ex. 1005, 3:14–19.
`
`15
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`For illustrative purposes, Perlman’s Figure 4a is reproduced below:
`
`
`Figure 4a shows the generation of a character string on a time-synchronized
`token 170 (step 400), which is then communicated to workstation 120 along
`with a PIN (step 410). Id. at 8:55–60. After receiving the character string,
`the workstation executes a commercially available hash program to generate
`a hash of the character string and the PIN (step 420), which is sent to server
`130 (step 430). Id. at 8:63–66, Fig. 4a.
`As further shown in Figure 4a, server 130 then computes a plurality of
`acceptable character strings using the PIN, which is already known to the
`
`16
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`server, and compares these acceptable character strings with the hash of the
`character string and the PIN received from workstation 120 (step 440 and
`450). Id. at 8:66–9:5. “If a match is found, the server and workstation use a
`function of the character string and the PIN (e.g., a hash of the character
`string concatenated with a PIN concatenated with a constant) as a shared
`secret (step 470).” Id. at 9:6–10.
`3. Alleged Obviousness of Claims 1–7
`Petitioner asserts that claims 1–7 are unpatentable over the combined
`teachings of Sormunen and Perlman. Pet. 15–47. Patent Owner disagrees.
`Prelim. Resp. 12–40. In particular, Patent Owner disputes Petitioner’s
`assertions regarding limitations [1.c], [1.d], [1.f], [1.h], and [1.i] of
`independent claim 1 and limitations [5.d] and [5.f] of independent claim 5.
`Id. at 17–40. Our determination with respect to limitations [1.c], [1.d], and
`[5.d] is dispositive. Accordingly, we focus our analysis on these limitations.
`Central to Petitioner’s challenge is its identification of Somunen’s
`PIN as corresponding to the claimed “token.” Pet. 32–37 (addressing
`limitations [1.c]–[1.d]), 46 (addressing limitation [5.d]). For the reasons
`discussed below, we do not agree with Petitioner that Somunen’s bank or
`credit card PIN is a token, per our understanding of that limitation in the
`context of the ‘658 Patent.
`4. Limitation [1.c]: receiving a request from the user for a token
`via the personal communication device, over the second
`network
`Petitioner asserts that Sormunen’s step of receiving request message 2
`corresponds to the claimed “receiving a request from the user,” Sormunen’s
`paging or mobile terminal corresponds to the claimed “personal
`communication device,” and Sormunen’s cell phone network corresponds to
`
`17
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`the claimed “second network.” Pet. 33 (citing Ex. 1003, ¶ 166; Ex. 1004,
`Fig. 2). Petitioner asserts further that because Sormunen’s short message 2
`can include a password request, one of ordinary skill in the art would have
`understood “that this password would have the same role or function as the
`claimed ‘passcode.” Id. (citing Ex. 1003 ¶ 167). In addition, Petitioner
`asserts that Sormunen discloses requesting and receiving a PIN over a cell
`phone network. Pet. 33–34 (citing Ex. 1003 ¶ 168; Ex. 1004, 9:26–37).
`Petitioner asserts further that a person of skill “would appreciate that a
`password and a PIN could be used together for greater security” and that
`such a person “would have found it obvious for the new password to be [a]
`combination of the known password (passcode) and the PIN (token)
`generated in response to the request.” Pet. 34 (citing Ex. 1003 ¶ 168).
`Turning to Perlman, Petitioner asserts that it “teaches using a
`character string generated by an authentication token to augment an existing
`character string” such that a person of skill “would have appreciated that
`Perlman teaches augmenting a known character string using a requested
`character string unknown to the user, at least at that point (token).” Pet. 34
`(citing Ex. 1003 ¶ 169; Ex. 1005, 4:38–64, 8:49–9:9,11:8–20).
`Patent Owner contends that Sormunen does not disclose a request for
`its PIN. Prelim. Resp. 18. Patent Owner contends further that, to the extent
`that Sormunen discloses a request for its PIN, the PIN is not received over a
`cell phone network. Id. at 18–19.
`
`Patent Owner’s arguments are not convincing. Sormunen discloses
`that “the present invention can be applied also for obtaining a . . . PIN.” Ex.
`1004, 9:26–27. Moreover, Sormunen explicitly states that the PIN “is
`transmitted to the paging device or the mobile station of the user.” Id. at
`9:36–37. We agree with Petitioner that such transmission would be over a
`
`18
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`cell phone network. Pet. 33–34. We do not, however, agree that Petitioner
`has adequately demonstrated that Sormunen discloses receiving a request
`from the user for a token as required by limitation [1.c].
`
`Petitioner’s reasoning as set forth in the Petition is incomplete.
`Petitioner shows that Sormunen discloses receiving a request from the user
`for a password and that a person of skill in the art would understand
`Sormunen’s password to be a passcode as claimed. Pet. 32–33. Petitioner
`further shows that Sormunen discloses that its method can be applied to
`obtain a PIN for a bank or credit card. Id. at 19. Petitioner, however, does
`not adequately explain why one skilled in the art would understand
`Sormunen’s PIN to be a token. Id.
`Sormunen describes a method for a user to obtain an item of user
`authentication data such as a password. Ex. 1004, 1:1–5. After describing
`its method for obtaining a password, Sormunen discloses that its method can
`be used to obtain other user authentication data such as a PIN for a bank or
`credit card. Id. at 9:26–28. As such, both Sormunen’s password and its PIN
`correspond to the claimed passcode. In other words, Sormunen’s PIN is
`simply a numerical password.
`Lacking an adequate explanation of why a person of skill in the art
`would understand Sormunen’s PIN to be a token, Petitioner’s reasoning that
`a person of skill in the art would understand Sormunen to disclose receiving
`a request for a token lacks rational underpinning. Pet. 34. Further, given
`that Sormunen’s PIN, like its password, corresponds to the claimed
`passcode, Petitioner’s reasoning that a person of skill in the “would have
`found it obvious for the new password to be a combination of the known
`password (passcode) and the PIN (token) generated in response to the
`request” also lacks rational underpinning. Id.
`
`19
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`Petitioner does not rely on Perlman to cure these deficiencies in
`Petitioner’s reasoning. Pet. 34. In fact, it is unclear what role Petitioner’s
`statements about Perlman’s disclosure and a person of skill’s understanding
`of that disclosure play in the proposed combination.
`5.
`Limitation [1.d]: generating a new password for said
`first secure computer network based at least upon the token and
`a passcode, wherein the token is not known to the user and
`wherein the passcode is known to the user
`Petitioner asserts that “Sormunen discloses that upon account setup,
`the new user may have a password assigned or selected” and that a person of
`skill in the art “would have understood that this initial password teaches the
`claimed ‘passcode.’” Pet. 35 (citing Ex. 1004, 3:25–32; Ex. 1003 ¶ 173).
`Petitioner asserts further that a person of skill in the art “would understand
`that security can be improved by augmenting the string known to the user
`with a PIN to create a more secure password,” and thus, “would know from
`Sormunen to combine the disclosed initial password with the new PIN to
`create a new password.” Id.
`Petitioner asserts further that a person of ordinary skill in the art
`“would have understood that concatenation was a predetermined function for
`modifying a first character string with another character string to produce a
`second character string” and “would have appreciated that Perlman teaches
`concatenating a known secret character string with a generated character
`string provided through a token.” Id. at 36 (citing Ex. 1003 ¶¶ 174–175).
`According to Petitioner, one of ordinary skill in the art “would have
`appreciated that the resulting character string could be used more securely as
`a password than the original known secret character string” and “would have
`been motivated to combine the teachings of Perlman with Sormunen” by
`augmenting “[t]he original password set for the user (including one proposed
`
`20
`
`
`
`IPR2023-001406
`Patent 6,993,658 B1
`by the user) . . . by concatenating it with a generated PIN.” Pet. 36 (citing
`Ex. 1003 ¶ 175).
`Patent Owner argues that “the Petition conveniently glosses over the
`fact that Sormunen’s ‘PIN’ is for a bank/credit card” and “is reused multiple
`times (i.e., multiple visits to ATMs, multiple visits to merchants) over
`months, if not years.” Prelim. Resp. 22 (quoting Ex. 1004, 9:26–28).
`According to Patent Owner, “[t]hat is in stark contrast to Perlman’s
`“character string,” which, as discussed above, can only be used for a single
`authe
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
