`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`Experian Information Solutions, Inc.,
`
`Petitioner
`
`v.
`
`Dynapass IP Holdings LLC,
`
`Patent Owner.
`
`
`
`
`
`IPR2023-01406
`
`U.S. Patent No. 6,993,658
`
`
`
`PETITION FOR INTER PARTES REVIEW UNDER 37 C.F.R. § 42.101
`
`
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`TABLE OF CONTENTS
`
`Page
`
`I.
`
`II.
`
`INTRODUCTION ........................................................................................... 1
`
`GROUNDS FOR STANDING ........................................................................ 1
`
`III. REASONS FOR THE REQUESTED RELIEF .............................................. 1
`
`IV. BACKGROUND ............................................................................................. 1
`
`A.
`
`B.
`
`C.
`
`D.
`
`E.
`
`The ’658 Patent ..................................................................................... 1
`
`Prosecution History ............................................................................... 6
`
`Claim Construction ............................................................................. 11
`
`1.
`
`2.
`
`“Passcode,” “Token,” and “Password” ..................................... 11
`
`Order of Steps ........................................................................... 12
`
`Priority Date of the Challenged Claims .............................................. 14
`
`Person of Ordinary Skill in the Art ..................................................... 14
`
`V. GROUNDS FOR CHALLENGE .................................................................. 15
`
`VI. CLAIMS 1–7 ARE UNPATENTABLE UNDER 35 U.S.C. § 103 .............. 15
`
`A.
`
`Sormunen, Perlman, and Motivation to Combine ............................... 15
`
`1.
`
`2.
`
`Sormunen .................................................................................. 15
`
`Perlman ..................................................................................... 20
`
`3. Motivation to Combine Sormunen and Perlman ...................... 22
`
`B.
`
`Claims 1–7 are Obvious over Sormunen in view of Perlman ............. 28
`
`1.
`
`Claim 1 ...................................................................................... 28
`
`i
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`a.
`
`b.
`
`c.
`
`d.
`
`e.
`
`f.
`
`g.
`
`h.
`
`i.
`
`A method of authenticating a user on a first secure
`computer network, the user having a user account
`on said first secure computer network, the method
`comprising: ..................................................................... 28
`
`personal
`a
`user with
`the
`associating
`communication device possessed by the user, said
`personal communication device in communication
`over a second network, wherein said second
`network is a cell phone network different from the
`first secure computer network; ....................................... 29
`
`receiving a request from the user for a token via
`the personal communication device, over the
`second network; .............................................................. 32
`
`generating a new password for said first secure
`computer network based at least upon the token
`and a passcode, wherein the token is not known to
`the user and wherein the passcode is known to the
`user; ................................................................................. 34
`
`setting a password associated with the user to be
`the new password; .......................................................... 37
`
`activating access the user account on the first
`secure computer network; ............................................... 38
`
`personal
`the
`to
`token
`the
`transmitting
`communication device; ................................................... 38
`
`receiving the password from the user via the first
`secure computer network; and ........................................ 39
`
`deactivating access to the user account on the first
`secure computer network within a predetermined
`amount of time after said activating, such that said
`user account
`is not accessible
`through any
`password, via said first secure computer network. ......... 40
`
`ii
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`2.
`
`3.
`
`4.
`
`5.
`
`Claim 2: The method of claim 1, wherein the new
`password is generated by concatenating the token and the
`passcode. ................................................................................... 41
`
`Claim 3: The method of claim 1, wherein the personal
`communication device is a mobile phone. ................................ 42
`
`Claim 4: The method of claim 1, wherein the personal
`communication device is a pager. ............................................. 43
`
`Claim 5 ...................................................................................... 44
`
`a.
`
`b.
`
`c.
`
`d.
`
`e.
`
`f.
`
`A user authentication system comprising: ...................... 44
`
`a computer processor; ..................................................... 45
`
`a user database configured to associate a user with
`a personal communication device possessed by the
`user,
`said personal
`communication device
`configured to communicate over a cell phone
`network with the user authentication system; ................ 46
`
`a control module executed on the computer
`processor configured to create a new password
`based at least upon a token and a passcode,
`wherein the token is not known to the user and
`wherein the passcode is known to the user, the
`control module further configured
`to set a
`password associated with the user to be the new
`password; ........................................................................ 46
`
`a communication module configured to transmit
`the token to the personal communication device
`through the cell phone network; and .............................. 46
`
`an authentication module configured to receive the
`password from the user through a secure computer
`network, said secure computer network being
`different from the cell phone network, wherein the
`user has an account on the secure computer
`
`iii
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`the authentication module
`network, wherein
`activates access to the account in response to the
`password and deactivates the account within a
`predetermined amount of time after activating the
`account, such that said account is not accessible
`through any password via the secure computer
`network. .......................................................................... 47
`
`6.
`
`7.
`
`the
`Claim 6: The system of claim 5, wherein
`communication module is further configured to receive a
`request from the user for the token, and wherein the
`control module is further configured to create the new
`password in response to the request. ......................................... 47
`
`Claim 7: The system of claim 6, wherein the request is
`transmitted by
`the user
`through
`the personal
`communication device. ............................................................. 47
`
`VII.
`
`INSTITUTION DISCRETION ..................................................................... 48
`
`A. General Plastic Factors Favor Petitioner ............................................ 48
`
`B.
`
`Fintiv Factors Favor Petitioner ............................................................ 50
`
`1.
`
`2.
`
`3.
`
`4.
`
`5.
`
`whether a stay has been granted or may be granted if a
`proceeding is instituted ............................................................. 51
`
`proximity of the court’s trial date to the Board’s
`projected statutory deadline for a final written decision .......... 51
`
`investment in the parallel proceeding by the court and the
`parties ........................................................................................ 51
`
`overlap between issues raised in the petition and in the
`parallel proceeding .................................................................... 52
`
`whether the petitioner and the defendant in the parallel
`proceeding are the same party ................................................... 52
`
`iv
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`6.
`
`other circumstances that impact the Board’s exercise of
`discretion, including the merits ................................................. 53
`
`VIII. MANDATORY NOTICES ........................................................................... 53
`
`A.
`
`B.
`
`C.
`
`37 C.F.R. § 42.8(b)(1): Real Parties-in-Interest .................................. 53
`
`37 C.F.R. § 42.8(b)(2): Related Matters ............................................. 53
`
`Lead and Back-Up Counsel and Service Information ........................ 55
`
`IX. PAYMENT OF FEES PURSUANT TO 37 C.F.R. § 42.103 ....................... 55
`
`CERTIFICATE OF COMPLIANCE ....................................................................... 57
`
`CERTIFICATE OF SERVICE ................................................................................ 58
`
`
`
`
`
`v
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`TABLE OF AUTHORITIES
`
` Page(s)
`
`Cases
`Allied Erecting & Dismantling Co. v. Genesis Attachments, LLC,
`825 F.3d 1373 (Fed. Cir. 2016) .......................................................................... 25
`Apple Inc. v. Fintiv, Inc.,
`IPR2020-00019, Paper 11 (P.T.A.B. Mar. 20, 2020) ......................................... 50
`Axonics, Inc. v. Medtronic, Inc.,
`73 F.4th 950 (Fed. Cir. 2023) ............................................................................. 25
`Bank of America, NA v. Dynapass IP Holdings LLC,
`IPR2023-00367, Paper 9 (P.T.A.B. July 18, 2023) ............................................ 49
`General Plastic Indus. v. Canon Kabushiki Kaisha,
`IPR2016-01357, Paper 19 (P.T.A.B. Sept. 6, 2017) ..................................... 48, 50
`JPMorgan Chase & Co. v. Dynapass IP Holdings LLC,
`IPR2023-01331, Paper 1 (P.T.A.B. Aug. 16, 2023) ........................................... 48
`In re Keller,
`642 F.2d 413, 425 (CCPA 1981) ........................................................................ 25
`Sotera Wireless, Inc. v. Masimo Corp.,
`IPR2020-01019, Paper 12 (P.T.A.B. Dec. 1, 2020) ........................................... 50
`Unified Patents, LLC v. Dynapass IP Holdings LLC,
`IPR2023-00425, Paper 9 (P.T.A.B. July 18, 2023) ...................................... 48, 49
`Statutes
`35 U.S.C. § 102(a) ................................................................................................... 15
`35 U.S.C. § 102(a) (2002) ........................................................................................ 20
`35 U.S.C. § 102(b) ................................................................................................... 15
`35 U.S.C. § 102(e) (2002) ........................................................................................ 20
`
`vi
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`35 U.S.C. § 311 .......................................................................................................... 1
`35 U.S.C. § 314(a) ............................................................................................. 50, 53
`35 U.S.C. § 325(d) ................................................................................................... 48
`Other Authorities
`USPTO Director Vidal, Interim Procedure for Discretionary Denials
`in AIA Post-Grant Proceedings with Parallel District Court
`Litigation (Memorandum, June 21, 2022) at 3, available at
`https://tinyurl.com/a6x9xnvj ............................................................................... 50
`
`
`
`vii
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`EXHIBIT LIST
`
`Exhibit No.
`1001
`
`Description1
`U.S. Patent No. 6,993,658
`
`1002
`
`1003
`
`1004
`
`1005
`
`1006
`
`1007
`
`1008
`
`1009
`
`1010
`
`1011
`
`1012
`
`Certified File History for U.S. Patent No. 6,993,658
`
`Declaration of Stephen Perkins, Ph.D.
`
`PCT Publication No. WO 97/31306 (“Sormunen”)
`
`U.S. Patent No. 6,173,400 (“Perlman”)
`
`U.S. Patent No. 6,731,731 (“Ueshima”)
`
`U.S. Patent No. 5,881,226 (“Veneklase”)
`
`Japanese Patent Publication No. P2000-10927 (“Katou”)
`
`European Patent Publication No. EP1107089 (“Williamson”)
`
`U.S. Patent No. 5,787,169 (“Eldridge”)
`
`Hopcroft & Ullman, Introduction to Automata Theory, Languages,
`and Computation (1979) (ISBN: 0-201-02988-X)
`
`Carlo Ghezzi & Mehdi Jazayeri, Programming Language Concepts
`(1982) (ISBN 0-471-82173-X)
`
`1013
`
`Robert Sedgewick, Algorithms (1983) (ISBN 0-201-06672-6)
`
`1014
`
`Brian Kernighan & Dennis Ritchie, The C Programming
`Language (2d ed. 1988) (ISBN 0-13-110370-9))
`
`1015
`
`U.S. Patent No. 6,496,477 (Stephen J. Perkins, et al.)
`
`
`1 Descriptions are for convenience only and are not admissions or evidence.
`
`viii
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`Description1
`M. Wahl, “A Summary of the X.500(96) User Schema for use
`with LDAPv3,” RFC2256, Dec. 1997
`
`June 14, 2023, Docket Control Order, Dynapass IP Holdings LLC
`v. Amazon.com, Inc., No. 2:23-cv-00063 (Lead Case) (E.D. Tex.)
`(ECF No. 57)
`
`April 21, 2023, Defendant Experian Information Solutions, Inc.’s
`Corporate Disclosure Statement, Dynapass IP Holdings LLC v.
`Amazon.com, Inc., No. 2:23-cv-00063 (Lead Case) (E.D. Tex.)
`(ECF No. 20)
`
`July 7, 2023, Dynapass IP Holdings LLC’s First Supplemental
`Disclosure of Asserted Claims and Infringement Contentions
`
`April 17, 2023, Consolidation Order, Dynapass IP Holdings LLC
`v. Experian Information Services, Inc., No. 2:23-cv-00066 (E.D.
`Tex.) (ECF No. 7)
`
`September 27, 2023, Defendant’s Stipulation Regarding
`Invalidity Contentions, Dynapass IP Holdings LLC v.
`Amazon.com, Inc., No. 2:23-cv-00063 (Lead Case) (E.D. Tex.)
`(ECF No. 90)
`
`Exhibit No.
`
`1016
`
`1017
`
`1018
`
`1019
`
`1020
`
`1021
`
`
`
`
`ix
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`I.
`
`INTRODUCTION
`
`Experian Information Solutions, Inc. (“Experian” or “Petitioner”) hereby
`
`petitions for an inter partes review of claims 1–7 (“the Challenged Claims”) of
`
`U.S. Patent No. 6,993,658 (“the ’658 Patent”) (Ex-1001). Petitioner respectfully
`
`submits that the Challenged Claims are unpatentable under 35 U.S.C. § 103 and
`
`requests their cancellation. See 35 U.S.C. § 311.
`
`II. GROUNDS FOR STANDING
`
`Petitioner certifies under 37 C.F.R. § 42.104(a) that the ’658 Patent is
`
`available for inter partes review and that Petitioner is not barred or estopped from
`
`requesting an inter partes review of the Challenged Claims on the grounds
`
`identified herein. This Petition is complete pursuant to 37 C.F.R. § 42.106(a).
`
`III. REASONS FOR THE REQUESTED RELIEF
`
`As explained below and in the attached Declaration of Petitioner’s expert,
`
`Dr. Stephen Perkins (Ex-1003), the authentication method and system of the
`
`Challenged Claims was obvious over the prior art to a person of ordinary skill in
`
`the art (“POSA”) at the time of the claimed invention.
`
`IV. BACKGROUND
`A. The ’658 Patent
`The ’658 Patent is titled “Use of Personal Communication Devices for User
`
`Authentication,” and was filed on March 6, 2000. The ’658 Patent relates
`
`1
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`“generally
`
`to
`
`the authentication of users of secure systems and, more
`
`particularly, . . . to a system through which user tokens required for user
`
`authentication are supplied through personal communication devices such as
`
`mobile telephones and pagers.” Ex-1001, 1:7–11. The ’658 Patent has seven
`
`claims: method claims 1–4 and system claims 5–7.
`
`The ’658 Patent notes that systems “typically require the submission of a
`
`user ID and password combination” for access. Id., 1:15–20. The ’658 Patent
`
`provides that “[p]asswords created by users are often combinations of words and
`
`names, which are easy to remember but also easily guessed” by “hackers.” Id.,
`
`1:28–31. As a consequence, “many systems impose regulations on password
`
`formats,” but this can make passwords hard to remember and can “result[] in the
`
`password being written down,” creating a security risk. Id., 1:31–43.
`
`The ’658 Patent indicates that “requiring a two-factor authentication
`
`process” was a known solution. Id., 1:44–46. The ’658 Patent notes that RSA
`
`Security Inc. was distributing the “SecurID product” for two-factor authentication.
`
`Id., 1:44–46. The first factor is something the user knows (“a user passcode or
`
`personal identification number”) and the second factor is a something “possessed
`
`by the user”—“a SecurID card.” Id., 1:46–48. The ’658 Patent provides that “[t]he
`
`SecurID card generates and displays unpredictable, one-time-only codes that
`
`automatically change every 60 seconds. The user supplies the displayed code upon
`2
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`logging into a system.” Id., 1:49–52. The system verifies it with “a corresponding
`
`code generator.” Id., 1:52–53.
`
`The ’658 Patent notes that instead of carrying an “additional item,” it would
`
`be more convenient “[i]t would be advantageous if the benefits of the SecurID
`
`system could be achieved using a device that many users already carry—a personal
`
`communication device such as mobile phones or pagers.” Id., 1:55–60.
`
`The ’658 Patent discloses “a password setting system for setting user
`
`passwords for a secure system, such as a computer system or a secure area of a
`
`building.” Id., 1:63–66. FIG. 1 of the ’658 Patent depicts “user authentication
`
`system 100 according to a preferred embodiment of the present invention.” Id.,
`
`4:2–4.
`
`Ex-1001, FIG. 1.
`
`3
`
`
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`The ’658 Patent provides that “access to the system is based upon: nonsecret
`
`information known to the user, such as the user ID; secret information known to
`
`the user, such as the passcode; and information provided to the user through an
`
`object possessed by the user, such as the token.” Id., 2:11–15.
`
`Instead of getting the second factor from a code generator, the ’658 Patent
`
`discloses requesting one through a phone call or text, or through a user interface.
`
`See, e.g., id., 4:63–65, FIGs. 2C-D, 6:26–32. The ’658 Patent refers to this
`
`requested information as the “token.” The requesting personal communication
`
`device is identified as a user’s device because of an association of the user ID with
`
`the phone number, which can be stored in “any database capable of storing user ID
`
`and password data.” Id., 2:33–35, 5:20–21. The ’658 Patent discloses that a
`
`“token” is generated by “any number of methods that preferably produces a
`
`random or pseudorandom sequence of numbers and/or digits.” Id., 6:53–55. This
`
`“token” is then sent to the personal communication device, and may be time-
`
`limited. Id., 4:42–45, 9:61–54.
`
`The disclosed password-setting system of the ’658 Patent generates a
`
`password based on the passcode and token. Id., FIG. 3. The ‘658 Patent discloses
`
`that the new password is “preferably create[d]” by “combining the user’s passcode
`
`154, which is stored by the user token server 116, with the newly generated token
`
`156.” Id., 6:59–63. The ’658 Patent further discloses that the password is
`4
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`“preferably generated by concatenating the passcode 154 and the token 156.” Id.,
`
`9:31–32. The only example given by the ’658 Patent is a passcode of “abcd” and a
`
`token of “1234,” and the password being “abcd1234.” Id., 4:52–56. The ’658
`
`Patent discloses that in the preferred embodiment, the user enters the password in a
`
`login screen, as shown in FIG. 2A. Id., 4:52–63. Alternatively, the user enters the
`
`passcode and token separately, as shown in FIG. 2B. Id.
`
`The user is able to access the secure system by “logging in using the
`
`supplied token 156.” Id., 9:55–60. The user uses it for logging in by submitting it
`
`with the user’s passcode (see, e.g., FIG. 2B), or by concatenating the passcode and
`
`token to form a “password” (see, e.g., FIG. 2A). See, e.g., id., 5:8–10
`
`(“authenticating a user based upon a supplied user ID 152 supplemented by a
`
`supplied password 158 or a
`
`passcode 154 and a token 156
`
`combination”), 7:42–45, 9:54–60
`
`(“The
`
`user
`
`108
`
`preferably
`
`concatenates
`
`his memorized
`
`secret passcode 154 with the valid
`
`token 156 to create the password
`
`158.”).
`
`5
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`B.
`Prosecution History
`The application from which the ’658 Patent issued, U.S. Patent Application
`
`No. 09/519,829 (“the ’829 application”), was filed on March 6, 2000.
`
`All original 27 claims were cancelled and 26 new claims (28–53) presented
`
`in a preliminary amendment, starting with claim 28, shown below.
`
`
`
`Ex-1002, 157.
`
`The claims were rejected on December 15, 2003. Ex-1002, 181–187. Claims
`
`37–39 were rejected as anticipated by Australian Patent Application No. 63545/98
`
`by Schmitz. Id., 184. Claims 28–36 and 40–53 were rejected as obvious over
`
`Schmitz in view of the Handbook of Applied Cryptography by Menezes. Id., 185–
`
`86. The examiner identified that “it would be obvious to one of ordinary skill in the
`
`art at the time the invention was made to modify the system disclosed by Schmitz
`
`by creating a password using the user’s password information in addition to an ID
`
`for the device (the token), using a hashing function, as disclosed by Menezes, in
`
`order to make dictionary attacks less effective.” Id., 186.
`
`6
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`In response, the applicants argued that Schmitz makes and receives a request
`
`from the same device and that Schmitz does not teach associating a user with a
`
`personal communication device possessed by the user. Id., 234–239.
`
`Claims 28–31 and 43–53 were subsequently rejected again on May 24, 2004,
`
`as anticipated by U.S. Patent No. 5,323,146 to Glaschick. Id., 245. Claims 37–39
`
`were rejected as anticipated by U.S. Patent No. 6,226,364 to O’Neil. Id., 245–246.
`
`Claims 32–36 and 40–42 were rejected as obvious over O’Neil and Glaschick. See
`
`id., 242–248.
`
`In response, the applicants argued that Glaschick failed to “associating the
`
`user with a personal communication device possessed by the user,” “wherein the
`
`request is transmitted from a personal communication device,” and “transmitting
`
`the token to the personal communication device.” Ex-1002, 258–260. The
`
`applicants also argued that there was no teaching, suggestion, or motivation to
`
`combine Glaschick with O’Neil. Id., 262–263.
`
`All claims were rejected again on February 7, 2005, in a final rejection that
`
`maintained the rejections based on Glaschick and O’Neil. Id., 266–274. The
`
`examiner found: “[T]he data station as disclosed by Glaschick may be a computer
`
`with programs (see column 1, line 15), and clearly has communication capability.
`
`Applicant’s personal communication device, as viewed in light of Applicant’s
`
`specification, is simply a type of computer with programs; therefore, the claimed
`7
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`invention is anticipated.” Ex-1002, 271. Regarding combining Glaschick with
`
`O’Neil for obviousness, the examiner further found that “one skilled in the art
`
`would recognize that the motivation supplied by Glaschick would apply to any
`
`computerized system having authentication.” Id., 272–273.
`
`Following an examiner’s interview (id., 276–277), the applicants amended
`
`the claims to overcome the final rejection (id., 280–285). The amendments to
`
`independent claim 28 (issued claim 1) are reproduced below.
`
`Ex-1002, 281.
`
`8
`
`
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`Following the amendments to the claims (including cancellation of claims
`
`30–31 and 37–53), a notice of allowance was issued on August 8, 2005. Ex-1002,
`
`289–296. The examiner’s “statement of reasons for allowance” was that “no art
`
`could be found wherein the transaction for determining the password in setting up
`
`of a new calling-card-derived temporary network account is performed entirely
`
`over a connection other than that used by [the] eventual network account.” Id.,
`
`294–295. The examiner also found: “Some of the closest art, the ‘Monkey
`
`Technical Overview’ (see IDS filed 23 May 2000), sets up a password for a
`
`temporary account, but the user request is sent over the network account
`
`connection.” Id., 295.
`
`The Monkey Technical Overview, dated July 15, 1999, discloses:
`
`The mobile network key (“monkey”) one-time password system for
`secure two-factor ‘what you have and what you know’ user
`authentication. In contrast to other hardware-based solutions, which
`depend on their own proprietary infrastructure to be established – by
`handing a hardware authentication token to each user -, monkey
`employs an existing world-wide infrastructure, the global GSM
`network for digital telephony, and thus turns any GSM mobile
`telephone into an authentication token.
`
`Ex-1002, 94. The reference discloses transmitting requested passwords to users
`
`over a cell phone network that is separate from the “network account connection”:
`
`9
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`monkey makes use of this GSM service to efficiently transmit one-
`time passwords via a separate channel, i.e. the GSM network, to users
`requesting authentication. Suppose Alice would like to authenticate
`herself. To do so, she initiates a connection to the point of
`authentication, e.g. a telnet session to a firewall machine. After having
`identified herself by means of a user name and, at the discretion of her
`security administrator, a fixed password, a temporary one-time
`password, transmitted by monkey, appears on the display of her
`mobile phone. Alice reads the password off the display, types it in
`and, in case she performed well, is granted access.
`
`Id.; Ex-1003, ¶¶ 71–73. As indicated by the examiner, the Monkey Technical
`
`Overview discloses:
`
`
`
`A secure computer network on which the user has an account: the user
`
`“initiates a connection to the point of authentication, e.g. a telnet
`
`session to a firewall machine” where the user identifies herself with a
`
`
`
`
`
`
`
`“user name.”
`
`A database of users and their mobile phone numbers.
`
`A passcode known to the user: “a fixed password.”
`
`A token not known to the user (at least prior to it being generated and
`
`sent to her in response to her request): “a temporary one-time
`
`password” that is sent to the user’s mobile phone and she reads “off
`
`10
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`the display, types it in and,” if entered correctly, “the user is granted
`
`access.”
`
`Ex-1002, 94–99; Ex-1003, ¶ 73. Thus, according to the examiner, the missing
`
`teaching in the prior art was the user’s request being sent over the separate cell
`
`phone network rather than “over the network account connection.” Ex-1002, 295;
`
`Ex-1003, ¶ 73.
`
`C. Claim Construction
`Petitioner proposes that each claim term be given its plain and ordinary
`
`meaning as would be understood in the context of the specification and prosecution
`
`history, and that no specific construction of any claim term is required in this
`
`proceeding because the ground identified in this Petition demonstrates the
`
`unpatentability of the claims under any reasonable construction. Petitioner
`
`addresses the terms “passcode,” “token,” and “password,” as well as the ordering
`
`of steps with respect to the creation of the password and the transmission of the
`
`token to the user’s personal communication device.
`
`1.
`
`“Passcode,” “Token,” and “Password”
`
`A POSA would understand that “passcode,” “token,” and “password” refer
`
`to strings with different labels according to their function or role. Ex-1003, ¶ 125;
`
`see also Ex-1003, ¶¶ 89–102. The example in the ’658 Patent is a “memorized
`
`passcode of ‘abcd,’ a valid token of ‘1234,’” and forming the password
`
`11
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`“abcd1234.” Ex-1001, 4:52–56. The ’658 Patent provides that a “passcode” is a
`
`“secret [string] known to the user.” Id., 2:13–14 (“secret information known to the
`
`user, such as the passcode”); Ex-1003, ¶ 125; see also Ex-1003, ¶¶ 88–101. It is
`
`information that can be associated with a user ID. Ex-1001, 8:53–55 (“[T]he
`
`control module 402 associates a user ID with a passcode 154 and phone number of
`
`a user’s personal communication device 106.”). A token is a string “that is
`
`provided to the user through an object possessed by the user.” Id., 2:14–15; Ex-
`
`1003, ¶ 125; see also Ex-1003, ¶¶ 89–102. The password is a string generated
`
`based on the token and the passcode, such as by combining or concatenating them.
`
`Ex-1001, 2:2–4 (“The server creates a new password by concatenating a secret
`
`passcode that is known to the user with the token.”); Ex-1003, ¶ 124; see also Ex-
`
`1003, ¶¶ 89–102.
`
`2. Order of Steps
`
`Claim 1 recites: “generating a new password for said first secure computer
`
`network based at least upon the token and a passcode, wherein the token is not
`
`known to the user and wherein the passcode is known to the user.” Claim 1 also
`
`recites: “transmitting the token to the personal communication device.”
`
`Similarly, claim 5 recites: “a control module executed on the computer
`
`processor configured to create a new password based at least upon a token and a
`
`passcode, wherein the token is not known to the user and wherein the passcode is
`
`12
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`known to the user, the control module further configured to set a password
`
`associated with the user to be the new password.” Claim 5 also recites: “a
`
`communication module configured to transmit the token to the personal
`
`communication device through the cell phone network.”
`
`It could be assumed that the token becomes known to the user when it is
`
`transmitted to the personal communication device. Thus, the password would have
`
`to be created prior to transmission of the token to the personal communication
`
`device. Ex-1003, ¶ 123. FIGs. 2A and 2B, for example, show that the user is given
`
`the token so that he or she can type it into the user interface. Ex-1001, FIGs. 2A
`
`and 2B. The ’658 Patent also provides: “In the preferred embodiment, the user 108
`
`combines the passcode 154 and the token 156 by concatenation to form the
`
`password 158.” Ex-1001, 7:42–45; Ex-1001, 9:54–60 (“The user 108 preferably
`
`concatenates his memorized secret passcode 154 with the valid token 156 to create
`
`the password 158.”). The user could not do so if the token did not become known
`
`to the user. Ex-1003, ¶ 123.
`
`However, it does not affect the unpatentability of the Challenged Claims on
`
`the ground asserted in this Petition. The prior art teaches the token being requested
`
`by and transmitted to a user over a cellular network via a personal communication
`
`device and then automatically provided by the personal communication device to a
`
`computer terminal through which the user authenticates to an account on a secure
`13
`
`
`
`Petition for Inter Partes Review of U.S. Patent No. 6,993,658
`IPR2023-01406
`
`computer network. Ex-1003, ¶¶ 124, 176. The prior art also teaches using a mobile
`
`device’s display to show the token to the user. Id. Thus, the prior art teaches at a
`
`minimum for purposes claims 1 and 5 that the token is not known to the user at the
`
`time the password is created, and at a maximum does not become known to the
`
`user even when the password is submitted. Thus, while the prior art also teaches
`
`that the token may subsequently become known to the user, it does not alter the
`
`unpatentability of the claims. Id.
`
`D.
`Priority Date of the Challenged Claims
`The earliest priority date for the ’658 Patent is the filing date: March 6,
`
`2000.
`
`E.
`Person of Ordinary Skill in the Art
`A POSA with respect to the ’658 Patent would have had a bachelor’s degree
`
`in computer science, management of
`
`information systems, or electrical
`
`engineering, or similar field, with one-to-two years of experience in the design,
`
`support, or implementation of systems requiring user authentication. Additio