Академический Документы
Профессиональный Документы
Культура Документы
By: Alexander P. Ott, Reg. No. 63,110 Roshan Mansinghani, Reg. No. 62,429
McDermott Will & Emery Unified Patents Inc.
500 N. Capitol St., NW 13355 Noel Road, Suite 1100
Washington, DC 20001 Dallas, TX 75240
Tel: (202) 756-8496 Tel: (214) 945-0200
Email: AOtt@mwe.com Email: roshan@unifiedpatents.com
v.
IPR2017-02047
U.S. Patent 8,082,213
____________________________
TABLE OF CONTENTS
I. INTRODUCTION .............................................................................................................. 1
A. Summary ................................................................................................................. 5
A. Ground I: Claims 1-17 are obvious in view of Harris and Owen ........................ 12
-ii-
IPR2017-02047
U.S. Patent 8,082,213
Exhibit Description
-i-
IPR2017-02047
U.S. Patent 8,082,213
I. INTRODUCTION
Under 35 U.S.C. 311 and 37 C.F.R. 42.100, Petitioner Unified Patents
review with respect to claims 117 of U.S. Patent 8,082,213 (the 213 Patent).
exercised control or could exercise control over its participation in this proceeding,
213 Patent by way of a September 29, 2016 assignment from P2FA Security LLC
recorded with the USPTO at Reel 040123 and Frame 0106. Smart Authentication
has filed eight lawsuits in the Eastern District of Texas and one lawsuit in the
District of Delaware asserting the 213 Patent, which are listed in the following
table.
1
IPR2017-02047
U.S. Patent 8,082,213
Mansinghani (Reg. No. 62,429) and Jonathan Stroud (Reg. No. 72,518) will act as
Counsel for Petitioner may be addressed at 500 North Capitol St. NW,
1
Currently pending.
2
IPR2017-02047
U.S. Patent 8,082,213
Patents Inc., 1875 Connecticut Ave. NW, Washington, D.C., 20009, Tel: (650)
999-0899; and Unified Patents Inc., 13355 Noel Road, Suite 1100, Dallas, TX
Petitioner certifies that the patent for which review is sought is available for
inter partes review and that Petitioner is not barred or estopped from requesting an
inter partes review on the grounds set forth in this Petition. (37 C.F.R.
42.104(A)).
requests the Board cancel claims 117 as unpatentable under 35 U.S.C. 103. (35
Petitioner relies upon the following patents and printed publications, none of
1. U.S. Pat. No. 8,751,801 to Harris et al. (Harris) (EX1004) was filed
on April 22, 2005 and issued on June 10, 2014. Harris is prior art to
3
IPR2017-02047
U.S. Patent 8,082,213
published on April 17, 2003. Owen is prior art to the 213 Patent
was published on October 24, 2002. Delany is prior art to the 213
These grounds are not redundant because the prior art addresses different
claims, Harris is prior art under 102(e) whereas Vandergeest is 102(b) prior art,
and because the prior art addresses different purported embodiments of the 213
Patent.
4
IPR2017-02047
U.S. Patent 8,082,213
June 27, 20052, issued from U.S. App. No. 11/477,203 filed on June 27, 2006, and
issued on December 20, 2011. The 213 Patent was filed prior to enactment of the
A. Summary
The 213 Patent is titled Method and System for Personalized Online
method) for authenticating users on behalf of commercial clients, where the user
authenticate the user. Specifically, the 213 Patent discloses that a user interacts
website). (EX1001 at 2:1-4). This allows the user to control the level and
2
Unified Patents does not concede the 213 Patent is entitled to claim priority to
the 288 Provisional and reserves the right to challenge the priority date.
5
IPR2017-02047
U.S. Patent 8,082,213
4:24-28, 7:6-44).
Figure 3 of the 213 Patent, reproduced below, illustrates the claimed system
and discloses interactions between: (i) a user, (ii) the ASP, and (iii) the ASP-clients
In this embodiment, the user (302) first (1) initializes a transaction (304)
with the ASP-client (306) (e.g., an entity requiring user authentication), such as by
requesting to log on to a commercial website. (Id. at 3:48-51). Next (2), the ASP-
6
IPR2017-02047
U.S. Patent 8,082,213
client sends an authentication request (308) to the ASP (310), to determine if the
information provided by the user is sufficient to authenticate the user. (Id. at 3:55-
58). The ASP then (3) carries out an authentication transaction (312) with the user,
protocols established by the user. (Id. at 3:59-62). (In some embodiments, this
takes place over a third communications medium that is different from the first
communications medium (from the user to the client) and the second
(4) returns the authentication results (314) to the ASP-client (or the user returns
results directly), letting the ASP-client know if the user was successfully
authenticated. (Id. at 3:63-65). Finally, the ASP-client (5) uses the authentication
result to complete the transaction and return the requested resources (316) to the
B. Prosecution History
The 213 Patent issued on December 20, 2011, from Patent Application
prosecution for more than five years, the 213 Patent issued after one non-final and
7
IPR2017-02047
U.S. Patent 8,082,213
On August 11, 2008, the Patent Office issued a final rejection, notably
rejecting all claims under 103, stating that the purported invention was rendered
obvious by Steele et al. (U.S. Pub. No. 2006/0179003) in view of Fisher (U.S. Pat.
No. 6,957,199).
In response, the applicant filed an appeal with the BPAI. (Id. at 183-231).
The applicant argued that neither reference cited by the examiner disclosed using:
The Board of Patent Appeals and Interferences agreed with the applicants
arguments, finding that the invention was patentable based on those two
distinctions. (Id.). This suggests that these specific two elements were the
inventive concepts that were not present in the examined prior art and which
interpreting the 213 Patent. Smart Authentication has sued multiple companies
8
IPR2017-02047
U.S. Patent 8,082,213
Smart Authentication IP, LLC v. Etsy, Inc., No. 2:17-cv-278 (E.D. Tex. Mar. 31,
2017))).
In the Etsy litigation (Ex. 1008), for example, Smart Authentication argued
that the 213 Patent covers any two (or more) factor authentication
authentication method. (See id.; see also Complaint (Dkt. 1), Smart Authentication
IP, LLC v. Personal Capital Corp., No. 1:17-cv-00941 (D. Del. Jul. 13, 2017;
Complaint (Dkt. 1), Smart Authentication IP, LLC v. Slack Technologies, Inc., No.
1:17-cv-00983 (D. Del. Jul. 19, 2017)). These broad infringement allegations are
the art of the 213 Patent would have at least a B.S. Degree in electrical
(EX1003 at 28).
9
IPR2017-02047
U.S. Patent 8,082,213
Claim constructions appropriate for these proceedings may be different than claim
proposed in this Petition do not necessarily reflect the constructions that Petitioner
believes should be adopted by a district court. Any term not explicitly construed
below should be interpreted in accordance with its plain and ordinary meaning
A. user-authentication policies
as specifying one or more of: constraints and parameters associated with user-
2:15-18; see also id. at 3:59-63, Fig. 5) (emphases added). Thus, a user-
10
IPR2017-02047
U.S. Patent 8,082,213
the 213 Patent states that [t]he ASP 402 includes policy templates 404 that may
be used to describe the types of policies available to users and to allow users to
specify policies based on templates. (EX1001 at 4:1-4; see also id. at 4:28-30).
C. variable-factor authentication
consistent with the Boards previous construction of the term during prosecution of
the 213 Patent. (EX1002 at 97-98). During prosecution, the Board determined
that one of ordinary skill would have understood that Appellant has defined
11
IPR2017-02047
U.S. Patent 8,082,213
claim 17 states that the authentication result includes the password. (EX1001,
Claim 17). Thus returning a[n] authentication result is necessarily broad enough
16). The authentication system of Harris stores policies within a database for
authenticating a user, generates secrets to send to a second user device, and tells a
website that a user has been authenticated. (EX1004 at 18:26-20:49). The user of
Harris represents a person who has registered an account with the authentication
12
IPR2017-02047
U.S. Patent 8,082,213
web server that has resources and/or services for authenticated users. (Id.).
In some embodiments, the service provider (i.e., client) is within the same
system or network as the authentication system, and the two share interfaces to
interact (720, 722, 724) with the user. (Id. at 19:2-13). As Mr. Gray explains, it is
common for a service provider to have its authentication service as part of its
own server/website so that it handles all tasks and does not need to share sensitive
illustrated in Figure 7, shown annotated below, where the service provider 760 is
13
IPR2017-02047
U.S. Patent 8,082,213
blue box above) communicate with the service provider 760 through internal
20:25-41). Mr. Gray confirms a LAN would be the most common option.
(EX1003 at 76). Each box shown above can be its own computer/device or
modules within a larger device, thus each box must have means of communicating
14
IPR2017-02047
U.S. Patent 8,082,213
with the other boxes. (Id. at 18:26-28 (Authentication and service system 700
Harris also describes the claimed method. First, the system receives a first
the user during a registration process where the user can specify one or more
communications medium, on a device different than was used to submit the initial
request. (Id. at 10:2-4, 18:38-42, 19:35-46). Finally, the user returns the second
and, if it matches what was sent, the user is authenticated and the client returns the
originally requested resources to the client. (Id. at 20:31-41; see also id. at 16:48-
66).
15
IPR2017-02047
U.S. Patent 8,082,213
16
IPR2017-02047
U.S. Patent 8,082,213
Owen describes a system with three participants: (i) a suspect user, (ii) an
17
IPR2017-02047
U.S. Patent 8,082,213
create, modify, enable, or disable the various authentication factors and system
components utilized. (Id. at 24:2-10). The publication states [t]his entirely web-
users 910, protocol modules, network clients 950 and preferences. (Id.)
18
IPR2017-02047
U.S. Patent 8,082,213
Authenticating Users Using Two or More Factors and thus discloses the claimed
servers with resources for authenticated users. (Compare, e.g., EX1004 at 18:26-
20:49 with EX1001 at 2:1-30). The user of Harris corresponds to the user of the
website, generates secrets to send to a second user device, and tells the website that
the system where the service provider (i.e., client) is within the same network as
19
IPR2017-02047
U.S. Patent 8,082,213
In Figure 7, shown annotated above, the service provider 760 contains resources
computer connected to the other modules through some internal network. (Id. at
20
IPR2017-02047
U.S. Patent 8,082,213
Harris discloses the user communicates with the service provider over a first
communications medium (i.e., the Internet) (id. at 18:17-21) whereas the service
18:26-27, Fig. 7). Harris thus discloses the claimed interconnected by two or
containing one or more computers, and [3] a user (who may be using a PC or other
computing device). (See, e.g., id. at 18:9-43). In the annotated Figure 7, shown
above, the service provider is run on a module, or dedicated machine, within the
disclosing a database in which, for each user, the type and mode of authentication
factor(s) is stored. (Id. at 19:35-46). The type and mode of authentication covers
(type), and how the procedure should be carried out (mode), and thus corresponds to
21
IPR2017-02047
U.S. Patent 8,082,213
the authentication policy of the 213 Patent. (Id.) As noted above, the claim term
Figure 7 from Harris, shown below, shows the authentication system includes
22
IPR2017-02047
U.S. Patent 8,082,213
factors is specified by the user. (EX1004 at 19:31-42 (emphasis added); see also id.
(Id. at 15:17-33, 16:48-52; see also id. at 14:53-61, Figs. 4A and 7).
routines for performing registration steps (Id. at 18:28-42, Fig. 7) and therefore
discloses this limitation. Harris explicitly discloses that users may specify, add, and
(Id. at 19:38-42). Although Harris does not explicitly mention an account interface
claimed routine and interface exists in Harriss system because the only way a user
77). At the very least, a POSITA would have found it obvious to implement
Harriss teachings using the claimed routine and interface because interfaces and
23
IPR2017-02047
U.S. Patent 8,082,213
interface-routines are the standard, well-known means for users interacting with
Although Harris does not explicitly disclose that a user may delete an
this feature to Harris because deleting old or unused policies would save memory in
the authentication policy database. (EX1003 at 85). At the least, adding a delete
24:2-10). To the extent it is argued that deleting out authentication policies would
not have been obvious in view of Harris, Mr. Gray confirms it would have been
account interface as claimed. (EX1003 at 86). First, combining the systems would
Owen into Harris would allow the users of Harris to delete old, unused
Both Harris and Owen are in the field of authenticating users, and both specifically
24
IPR2017-02047
U.S. Patent 8,082,213
predictable benefits, described above, of combining these two references and would
interface, to authenticate the user. (EX1003 at 77). Figure 7, annotated below and
discussed above in IX.A.1, shows how Harris discloses the claimed authentication
service, service provider, and a number of interfaces used to authenticate the user.
authentication-interface (as claimed) between the service provider (i.e., client) and
First
authentication modules after a user makes a request for resources communications
of the service
medium
provider, disclosing [w]hen the user makes a request [to the service provider], it
may be made to a portion of the site that PC communication interface 720 identifies
forwards the request to request manager 740 [which is part of the authentication
service] [If authentication is successful, r]equest manager 740 then provides the
request and user identifier to [the service provider], which provides the service.
Harris also discloses that when the service provider forwards the request (via
medium (whereas the user communicates with the service provider over a first
EX1004 at 18:26-28, Fig. 7 (annotated above)) As Mr. Gray confirms, because the
modules within the site (i.e., the service provider and authentication modules) are
LAN, would have been obvious to a POSITA because it is the most common means
26
IPR2017-02047
U.S. Patent 8,082,213
Harriss authentication and service system (which corresponds to the claimed user-
authentication policies (e.g., the type and mode of any subsequent authentication
factor or factors that should be used to authenticate the user for [a specific type of]
user requests resources from the service provider, the system uses these stored
device registered with the authentication service (via a device ID), such as a
phone. (Id.; see also Fig. 2). As noted above, the term variable-factor
and evidence of control of a tangible object (e.g., a cell phone). (Supra VIII.C).
27
IPR2017-02047
U.S. Patent 8,082,213
EX1004 at 2:35-49).
the device used to initiate the request as claimed, such as the authentication-service
to the user communicating with the service provider over a first communications
medium (i.e., the Internet) (id. at 18:17-21) and the service provider communicating
internal network, such as a LAN). (See id. at 18:26-27, Fig. 7; see also supra
site) and illustrates the authentication policy routine, including the authentication-
service providing the user with a secret (i.e., the claimed authentication routine) over
a phone line (i.e., the claim third communications medium). (Id. at 11:7-40, Fig. 2).
28
IPR2017-02047
U.S. Patent 8,082,213
claiming receiving a security code via a phone call or SMS text message through
device different from that employed by the user to initiate the transaction. (See, e.g.,
29
IPR2017-02047
U.S. Patent 8,082,213
system performs the claimed functions for multiple users and clients. Harris
discloses how each user may have stored the type and mode of the authentication
factor or factors. (Id. at 19:35-46). Mr. Gray confirms a POSITA would have
recognized that if each user has types and modes of authentication factors stored, the
system stores authentication policies and has an account interface for multiple users.
(EX1003 at 77.)
the type of request could include which service provider (i.e., client) the user is
trying to gain access to. (EX1003 at 78). At the very least, it would have been
obvious for a POSITA to modify the Harris system so it works with multiple clients;
this would have the expected benefit of allowing a single authentication system to
provide authentication results for multiple clients and allow users to store different
30
IPR2017-02047
U.S. Patent 8,082,213
authentication factor or factors that should be used for each type of request, and
[that] subsequent authentication identifier 744 retrieves it based on the user identifier
processes; thus the type and mode of the authentication factor or factors that
policies of the 213 Patent. Further, a POSITA would have understood that the user
all policies. (EX1003 at 87). At the least, given that Harris discloses retrieving
the stored factors, it would have been obvious to a POSITA to retrieve all policies
since the plural factors could be associated with separate policies. (Id.) Thus,
31
IPR2017-02047
U.S. Patent 8,082,213
IX.A.5.a) require said procedure in order to authenticate the user. (E.g., EX1004
claimed, thereby letting the client know whether it should transmit the requested
resources to the client. For example, Harris discloses providing the user with a
secret (i.e., password) to return to the authentication service in order for the service
to authenticate the user to the client. (Id. at 8:30-42, 16:43-52; see also Figs. 4C and
4D (below).) Next, the user inputs the secret back into the authentication service,
which compares the inputted secret to the generated secret and if the secrets match
456, the method continues at step 470. (Id. at 16:43-52). As noted above, the term
32
IPR2017-02047
U.S. Patent 8,082,213
In Figure 4D, shown below, if the authorization is complete (i.e., the retrieved
provider (i.e., the claimed client) with the request and user identifier [i.e.,
authentication result] (id. at 20:25-33, Fig. 7) and [w]hen service provider receives
the request and user identifier, it fulfills the request as described above. (Id. at
33
IPR2017-02047
U.S. Patent 8,082,213
Harris teaches both uni- and bi-directional exchange of information over the
third communications medium. Harris discloses that when a user enters his or her
username to sign onto a website (i.e., service provider), the authorization service
can immediately call the users phone number and provide a unique code to the
telephonic communications medium. (Id.; see also Ex. 1008 at 20.) The user then
enters this code into the site using the first communications medium (such as the
Internet), demonstrating that the communications over the telephone network was
receiving the code by sending the code back over the phone (i.e., third
34
IPR2017-02047
U.S. Patent 8,082,213
embodiment where when a user enters his username to sign onto a Web site, the
[authentication service in the] site can immediately call the users phone number and
provide a unique code to the user, which the user then enters into the site. (Id. at
8:39-42; see also id. at Fig. 2, 11:9-46) (emphasis added). By entering the code into
the site, the user has proven to the client it has been authenticated by the service.
Further, a POSITA would have recognized the unique code or generated secret
transmitted to the user, and subsequently inputted to the client, is simply a password
93).
35
IPR2017-02047
U.S. Patent 8,082,213
should grant the user access to the requested resources. As discussed above, the user
returns the password to the authentication service portion of a site, proving it has
possession of the user device and is authenticated. (See e.g., EX1004 at 16:43-52,
returns an indication that the user was authenticated to request manager 740.
Request manager 740 then provides the request and user identifier to service
provider 760, which provides the service. (Id. at 20:25-33). This user identifier,
i.e., authentication result, which is returned to the client may include the password,
which is a unique code. (Id. at 8:39-42, 11:41-46). At the least, it would have
been obvious to use the password as the user identifier because the generated
password is unique to the authenticated user (and session) and thus is an already-
36
IPR2017-02047
U.S. Patent 8,082,213
the user, device identifiers, biometric data, or other identifiers. (EX1004 at 15:17-
33, 16:48-52). Thus, Harris discloses this limitation. Further, a POSITA would
identify a user. (EX1003 at 81). At the least, it would have been obvious to a
POSITA to use other user information, such as those categories mentioned above, to
37
IPR2017-02047
U.S. Patent 8,082,213
system communicating with a users phone; thus, the stored users contact
information must include contact information for the users trusted secondary
device. (Id. at Fig. 2; EX1003 at 81.) A POSITA would have recognized the
users landline telephone number, email address, or internet address, falls within the
broad category of other identifiers as disclosed by Harris, as they can all be used
to contact/identify the user. (EX1003 at 81). At the least, it would have been
38
IPR2017-02047
U.S. Patent 8,082,213
based on the policies (which specify the authentication constraints and parameters)
associated with a specific user and type of request. (Id. at 19:38-42). Harris also
behalf of a client, stating that when a user makes a request to a service provider, the
authentication service carries out the authentication procedure on behalf of the client
and, after authenticating the user, tells the client the user is authenticated. (Id. at
19:21-49).
claimed whether a phone call or text message authentication has been enabled and
39
IPR2017-02047
U.S. Patent 8,082,213
of a user that would meet this limitation. (See, e.g., Ex. 1008 at 26 (discussing
Claim 9)). Harris discusses these same constraints and parameters. (See, e.g.,
EX1004 at 16:43-52, 19:38-42). Accordingly, for this and the reasons discuss above,
stating each user may have stored the type and mode of the authentication factor or
factors that should be used for each type of request, and subsequent authentication
identifier 744 retrieves it based on the user identifier, type of request or both. (Id.
at 19:38-42).
include:
(i) event constraints (i.e., authentication can only occur when a message to a
(ii) geographic constraints (i.e., users must log in from a secure physical
location);
40
IPR2017-02047
U.S. Patent 8,082,213
A POSITA would have recognized each user, by storing the type and mode of
policies will be used, as the type plus a mode is all that a policy entails (e.g., use a
phone line [i.e., mode/template] to call this phone number [i.e., type/factor]).
(EX1003 at 88). At the very least, including these categories of constraints would
have been obvious to a POSITA, for instance to maximize the options a user can
SMS/text Message or Phone Call authentication has been enabled would meet this
3
Although this sections disclosure is unclear whether the user is selecting these
options, the earlier cited disclosure (EX1004 at 19:38-42) makes clear the user
41
IPR2017-02047
U.S. Patent 8,082,213
such as, for example, requiring the possession of a user device. (EX1004 at 14:3-
32.) Further, Harris discloses providing alerts upon detecting specified events, such
as displaying an error to the user if the secret (i.e., password) inputted did not match
the generated secret. (See, e.g., id. at 16:4-8, Fig. 4B (shown annotated below)).
halted if the secret inputted by the user does not match the generated secret (while in
the specification of the 213 Patent, Harris discloses a method for authenticating
42
IPR2017-02047
U.S. Patent 8,082,213
method where the user sends requests to the client over a network (such as the
service 410 and provides the user identifier and password of the user [to the client].
The user identifier identifies the user, and this information is sent from the client to
at 15:30-33, FIG. 4B (see below)). Step 410 of Figure 4B, highlighted below, shows
the user) using a communications medium (e.g., a telephone network) different than
43
IPR2017-02047
U.S. Patent 8,082,213
the first communications medium (e.g., the Internet). (E.g., id. at 8:39-42). Harris
teaches that when a user enters his username to sign onto a web site, the request is
forwarded to the authorization service managers which can immediately call the
users phone number and provide a unique code to the user, which the user then
enters into the site along with his password. (Id.; see also supra IX.A.1
(discussing the authorization service modules in the site of Fig. 7)). Figure 4B,
shown below with the relevant steps highlighted, discloses [a]t step 414, an
authentication method [is] identified based on the type of service requested, the user
authenticate the user in response to the initial user identifier. (See, e.g., id. at 7:17-
client.
44
IPR2017-02047
U.S. Patent 8,082,213
information] over a phone network, that the user then subsequently transmits to the
are thus likewise met for the reasons discussed above in relation to claim 3. (Supra
IX.A.5a-b).
are thus likewise met for the reasons discussed above in relation to claim 4. (Supra
IX.A.6).
45
IPR2017-02047
U.S. Patent 8,082,213
are thus likewise met for the reasons discussed above in relation to claim 5. (Supra
IX.A.7).
are thus likewise met for the reasons discussed above in relation to claim 6. (Supra
IX.A.8).
channel different than the primary communications channel (e.g., the Internet),
shown below.
46
IPR2017-02047
U.S. Patent 8,082,213
authentication code and sends the code to a third unit (i.e., another user device)
(306) via the second unit (302), choosing the third unit based on the primary
been previously registered to be associated with the third unit). (Id. at 3:18-29).
The code from the third unit (306) is transmitted to, or manually entered by the
user to, the first device (300), which sends the code back to the AU (304) (via the
second unit (302)) to authenticate the first unit/user. (Id.). The AU, having thus
47
IPR2017-02047
U.S. Patent 8,082,213
authenticated the user, can tell the second unit that the user has been authenticated
and should be granted access to the requested resources. (Id. at 3:15-29, 4:10-55).
Manager (within an Identity Server) that manages the identity profiles [and
Server to authorize entities (e.g., users) to access network resources. (Id. at 106-
107). Figure 1, below, shows the Access Server 34 and the User Manager 42
(within the Identity Server 40) in the context of the system. (See, e.g., id. at 96-
98).
48
IPR2017-02047
U.S. Patent 8,082,213
identities and access privileges, including creation and deletion of user identity
[Thus the user can] create, delete, and modify functions of user identity
functions of user identity management through the User Manager can be delegated
to the individual users. (Id. at 109). Table 1 from Delany, shown annotated
below, describes the types of different tasks that can be performed with workflows
49
IPR2017-02047
U.S. Patent 8,082,213
The attribute a user may change, which will later be used to authenticate
service provider (ASP) of the 213 Patentboth the AU and ASP function to
(iii) a first unit and third unit that correspond to the user device and
different user device of the 213 Patent, respectivelythe first and third units of
EX1005 at 3:15-29, 4:10-55, Fig. 3 with EX1001 at 2:1-18, 3:47-67, Fig. 3).
50
IPR2017-02047
U.S. Patent 8,082,213
communications medium (such as a telephone or SMS line) (id. at 7:1-5). (See also
authentication-service client, and user of the 213 Patent, which are one or more
51
IPR2017-02047
U.S. Patent 8,082,213
destination unit data 22 on a per user basis. (E.g., EX1005 at 4:31-40, 7:40-46).
used to carry of the authentication, as described above. (See supra IX.B.1). The
between a user device and the second unit and uses the destination unit data as a
constraint for the policies stored in the database. (Id.) (emphasis added). The user
destination unit, during the registration process. (EX1005 at 4:31-40, 7:40-46). The
destination unit data in combination with a policy template (e.g., send password to
As noted above in VIII.B, the claim term specified by a user should be construed
to at least include the user selecting from policy templates that describe available
types of policies; thus the disclosure from Vandergeest meets this limitation.
52
IPR2017-02047
U.S. Patent 8,082,213
shown highlighted below, illustrates the authentication database in the system and
the stored set of one or more constraints associated with a user (i.e., policies). (Id. at
Fig. 3).
whether a phone call or text message authentication has been enabled and the
corresponding telephone numbers is a policy that would meet this limitation. (See,
e.g., Ex. 1008 at 26). Thus, even under the patent owners reading, the destination
unit information, coupled with the requirement of a phone call or text (i.e., a policy
53
IPR2017-02047
U.S. Patent 8,082,213
(EX1003 at 103-104).
password 26 (if used) and destination unit data 22. (EX1005 at 4:31-40; see also id.
54
IPR2017-02047
U.S. Patent 8,082,213
combined with the authentication routine templates, are the stored authentication-
policies.
routines by which the user can delete or modify existing policies; including such a
routine would have been obvious based on prior art solutions where account
below.
Delany teaches the Identity System provides for the creation, removal,
editing and other managing of identity information stored in various types of data
stores. The identity information pertains to users [and f]or each entry in the data
store, a set of attributes are stored. (EX1007 at 11). Using a User Manager,
55
IPR2017-02047
U.S. Patent 8,082,213
i.e., an account interface, a user can create, delete, and modify functions of user
requested resources to an end user are determined based on rules that are evaluated
based on the end users identity profile. (Id. at 107-116) (emphasis added). This
allows for [c]ompanies [to] assign the responsibility for maintaining user identity
data to the people closest to it. For example, individual users can be allowed to: (1)
determine their access rights. (Id. at 109). Because this User Manager is an
interface through which a user can modify their account details, it corresponds to the
Mr. Gray confirms a POSITA would have been motivated to combine the
combine, noting that its user-controlled account interface routines provide the
number of users is enormous and the task of adding and removing users can be
policies would result in the predictable benefits of saving memory and ensuring
56
IPR2017-02047
U.S. Patent 8,082,213
there are no policies associated with old user devices that are no longer used/under
the control of the user, thus increasing the security of the authentication procedure.
combine the user-controlled account interface routines of Delany into the account
management of Vandergeest.
contact the second unit 302 [i.e., the authentication-service client] via primary
wireless channel 310 wherein the second unit 302 has access-controlled resources
as both are used to initially connect the user to the client; the suitable link of
Patent, as both are communications links connecting the authentication unit to the
57
IPR2017-02047
U.S. Patent 8,082,213
second unit 302 contacts the authenticator 304 [i.e., the authentication service] via a
suitable communication link or bus, and passes the sent primary authentication
information, namely the sent user ID, so that the authentication unit can determine if
the user is listed in the authentication database 18. (Id. at 8:52-56) (emphases
added). Subsequently, [i]f the received user ID is listed in the database, the
authentication unit retrieves the authentication record associated with the user. For
example, this may include, for example, a user ID, SMS address, and other
58
IPR2017-02047
U.S. Patent 8,082,213
authentication policies),
(ii) the user communicating with the authentication service through a third
(iii) a user device different from that employed by the user to initiate the
transaction.
user device of the 213 Patent; the second unit of Vandergeest corresponds to the
corresponds to the authentication service provider (ASP) of the 213 Patent; the
medium of the 213 Patent and is generally the Internet; the suitable link of
Patent and refers to an internal communications medium (such as a LAN); the third
device of Vandergeest corresponds to the user device different from that employed
by the user to initiate the transaction of the 213 Patent; and the back channel of
third communications medium different from the first and second communications
media of the 213 Patent. (Compare EX1005 at 3:15-29, 4:10-55, Fig. 3 with
59
IPR2017-02047
U.S. Patent 8,082,213
the received user ID is listed in the database, the authentication unit retrieves the
authentication record associated with the user. For example, this may include, for
example, a user ID, SMS address, and other authentication information. (EX1005
to the other factors that can be used to authenticate a user, as will be discussed
below.
through a third communications medium (different from the first and second) to a
user device different from that employed by the user to initiate the transaction. For
that the user has a third unit (i.e., a user device, different than the first), the
authentication unit generat[es] the authentication code to send to the third device.
(Id. at 9:9-11; see also id. at Fig. 3). Next, to authenticate itself, the user obtains
the authentication code from the third unit and enters it into the first unit. (Id. at
tangible object (e.g., a cell phone). (Supra VIII.C). The third unit of
60
IPR2017-02047
U.S. Patent 8,082,213
communications medium such an SMS or telephone line] is used during the session
provide multi-factor authentication. (Id. at 13:61-67; see also id. at 3:24-29, 6:50-
medium than the primary channel)) (emphasis added). Mr. Gray confirms that by
requiring a third unit (i.e., second user-device) that communicates over a back
channel, Vandergeest discloses a variable-factor (e.g., requiring the third unit and
code) authentication during which the user communicates with the user-
114).
Vandergeest teaches the registration process, during which the user supplies the
basis. (EX1005 at 4:38-61; see also id. at Fig. 1 (showing database information per
61
IPR2017-02047
U.S. Patent 8,082,213
performed on a per user basis, that the authentication interface also performs on a
entity than the second unit (i.e., the authentication-service client) in some
embodiments. (EX1005 at 6:58-62). In this case, the second unit may be any other
unit that has access to [the] authentication unit. (Id. at 3:51-57). Thus a POSITA
would have recognized that there may be multiple second units (i.e., clients) that
unit to authenticate clients because the second unit represents any other unit that
has access to the authentication service. (EX1003 at 200). At the very least, it
would have been obvious to a POSITA to have multiple second unit[s] that have
access to the authentication service because having one authentication service for
multiple clients would provide the predictable benefit of being more efficient (as
interface (to register and store user data) and authentication interface (to thereafter
authenticate the registered user), that works on a per user basis (i.e., for multiple
62
IPR2017-02047
U.S. Patent 8,082,213
other than the first unit 300, will receive an authentication code [i.e., retrieving the
stored user-authentication policy for the user] via the wireless back channel 312.
which destination unit should receive the authentication code and the method of
As can be seen in Figure 3, highlighted below, each user has one stored policy
authentication information); thus by retrieving the policy, the system has retrieved
63
IPR2017-02047
U.S. Patent 8,082,213
retrieved authentication policies, to authenticate a first unit (i.e., first user device) to
second unit (i.e., a client), whereby the authentication result is returned to the second
unit to give the user access to the requested resources. Referring to Figures 3 and 4,
procedure (i.e., generating and sending the authorization code to the user-controlled
third device) (steps 406-412 of Fig. 4), authenticating the user (step 414 of Fig. 4),
and then returning the authentication code (i.e., authentication result) to the second
unit (i.e., client) (id. at 9:30-31 (because the user is granted access to the resources,
authentication results must have been returned to the second)). (See also id. at 6:58-
7:34, 7:57-8:5, 9:32-37; EX1003 at 115). At the least, it would have been obvious
to modify the system so the AU returns the authentication result to the second unit
so that the second unit (i.e., the claimed client) has reassurances that the user has
same server as the second unit (authentication-service client) then the user, in step
64
IPR2017-02047
U.S. Patent 8,082,213
414 of Figure 4, directly returns the authentication code (i.e., authentication result)
above, the term returning a[n] authentication result, should be construed to at least
cover returning a password, thus returning the authentication code to the client
65
IPR2017-02047
U.S. Patent 8,082,213
below) the authentication unit sends secondary authorization information to the user
over a back channel (i.e., third communications medium) and then the user resends
the information back to the second device over the original communications
the second unit (client) 302 and third unit (user device) 306 over the third
authorization information over the third communications medium 312 and returns
the information over the same communications medium. (Id. at Fig. 3, 6:58-7:5).
66
IPR2017-02047
U.S. Patent 8,082,213
device different than the first unit/user device) that the user subsequently inputs to
authenticated, can be a simple authentication code. (See e.g., id. at 9:24-32 (The
first unit returns the authentication code obtained as received by the third unit back
to the second unit via the primary wireless channel as shown in block 412[i]f they
correlate, the user is authenticated and proceeds to use the appropriate resources via
the second unit 302.); see also Fig. 4) (emphasis added). This authentication
113).
result is, or includes, the generated code (i.e., password) that was sent to the user.
As discussed above, in one embodiment the user returns the code it received from
67
IPR2017-02047
U.S. Patent 8,082,213
the AU (i.e., authentication result) directly to the second device (i.e., client), proving
that it has possession of the third device and is authenticated. (See e.g., EX1005 at
9:24-32). This authentication result thus is, or includes, the code that was sent to the
user by the authentication service. (Id.). In another embodiment, the user returns
the code to the authentication service (via the second unit) and the authentication
unit 304 compares the resent authentication code with the authentication code that
was sent to the third unit 306. (Id. at 7:28-34). If the codes match, then the AU
tells the second unit that the user was authenticated and should be granted access.
(Id.) Although Vandergeest does not explicitly say that the authentication result
includes the password in this embodiment, it would have been obvious to include the
code within the authentication result because the code itself is what authenticates the
user, as noted above. (EX1003 at 115). Thus because the password is the
68
IPR2017-02047
U.S. Patent 8,082,213
password 26 (if used) [i.e., passwords specified by the user] and destination unit
data 22 [i.e., user address and/or contact information]. (Id. at 4:31-40) (emphasis
added). Vandergeest also discloses that the stored information may include, for
example, a user ID, SMS address [i.e. user address and/or contact information],
POSITA would have recognized that the users billing information, employment
because it can all be used to identify a user. (EX1003 at 105). At the least, it
would have been obvious to a POSITA to use other user information, such as those
69
IPR2017-02047
U.S. Patent 8,082,213
destination unit data [i.e., contact information for users trusted hand-held
computing device], sufficient information in order to allow the third unit 306 to be
communicated to, SMS address [i.e., contact information for users cell
for users trusted hand-held computing device]. (Id. at 4:31-40, 7:10-19, 8:63-67,
Fig. 3). A POSITA would have recognized that the users landline telephone
number, email address, or internet address, falls within the broad category of
obvious to a POSITA to store and use other user contact information, such as those
70
IPR2017-02047
U.S. Patent 8,082,213
or third device (i.e., different user device) must be in possession of the user and must
service client. (See, e.g., id. at 4:31-40, 8:63-67, Figs. 3-4). These requirements,
whether a phone call or text message authentication has been enabled and the
a user that would meet this limitation. (See, e.g., Ex. 1008 at 26). Because
71
IPR2017-02047
U.S. Patent 8,082,213
related constraint based on the particular type of third unit that they register during
the registration process. (EX1005 at 7:1-5, 9:1-8). For example, the user can
register a cell phone that communicates via an SMS channel or a pager that
constraint, such as requiring that the authentication code input happens within a
certain period of time (i.e., the event must happen in a certain period of time). (Id. at
6:19-22). At the very least, including these categories of constraints would have
been obvious to a POSITA to maximize the options that a user can select for
whether SMS/text Message or Phone Call authentication has been enabled would
meet this limitation. (See, e.g., Ex. 1008 at 27). Because Vandergeest discloses
constraints based on SMS/text messages and phone calls, it renders this limitation
obvious.
72
IPR2017-02047
U.S. Patent 8,082,213
that communicates with the user of the authentication service through a primary
information from the client. For example, Figure 4 discloses that in step 404,
[t]he second unit 302 [i.e., client] contacts the authenticator 304 via a suitable
communication link or bus, and passes the sent primary authentication information,
namely the sent user ID, so that the authentication unit can determine if the user is
highlighted below)).
73
IPR2017-02047
U.S. Patent 8,082,213
ID and/or password. (Id.; see also id. at Fig. 4 (step 404)) Figure 4 of
or code to the third device via the alternate channel. (EX1005 at 9:9-24, Fig. 4
74
IPR2017-02047
U.S. Patent 8,082,213
Figure 3 of Vandergeest also shows the primary channel 310 to first unit
300 and wireless back channel 312 to third unit 306. (EX1005 at 6:50-57,
6:66-7:4, Fig. 3 (shown below with primary channel in red, back channel in blue)).
service client.
annotated below) where the first unit (i.e., user) 10 connects to the second unit (i.e.,
authentication-service client) 12 over a primary channel 14, where the second unit
75
IPR2017-02047
U.S. Patent 8,082,213
information to the user over a back channel (i.e., third communications medium,
as described in claim element 1[f2]) and then the user resends the information back
to the second device over the original communications medium. (EX1005 at Fig. 1,
4:10-55).
76
IPR2017-02047
U.S. Patent 8,082,213
are thus likewise met for the reasons discussed above in relation to claim 3. (Supra
IX.B.5a-b).
are thus likewise met for the reasons discussed above in relation to claim 4. (Supra
IX.B.6).
are thus likewise met for the reasons discussed above in relation to claim 5. (Supra
IX.B.7)
are thus likewise met for the reasons discussed above in relation to claim 6. (Supra
IX.B.7).
X. CONCLUSION
Unified respectfully requests that a trial be instituted and claims 117 of the
213 Patent be cancelled. The Director is authorized to charge for the fees set in 37
C.F.R. 42.15(a) for this Petition for Inter Partes Review, and further authorizes
77
IPR2017-02047
U.S. Patent 8,082,213
payment for any additional fees to be charged to McDermott Will & Emery
/Alexander P. Ott/
Alexander P. Ott, Reg. No. 63,110
Roshan Mansinghani, Reg. No. 62,429
Jonathan Stroud, Reg. No. 72,518
78
IPR2017-02047
U.S. Patent 8,082,213
13,968 words as determined by the Microsoft Office Word 2010 word processing
system used to prepare the petition, excluding the parts of the petition exempted by
37 C.F.R. 42.24(a)(1).
/Alexander P. Ott/
Alexander P. Ott
McDermott Will & Emery
500 N. Capitol St., NW
Washington, DC 20001
1
IPR2017-02047
U.S. Patent 8,082,213
CERTIFICATE OF SERVICE
I hereby certify that on September 1, 2017, I caused a true and correct copy
of the following to be served via Federal Express on the addresses listed below.
Exhibits for Petition for Inter Partes Review of U.S. Patent 8,082,213
(EX1001-1008)
/Alexander P. Ott/
Alexander P. Ott
McDermott Will & Emery
500 N. Capitol St., NW
Washington, DC 20001