
IPR2017-02047

U.S. Patent 8,082,213

DOCKET NO.: 098850-0018


Filed on behalf of Unified Patents Inc.

By: Alexander P. Ott, Reg. No. 63,110
McDermott Will & Emery
500 N. Capitol St., NW
Washington, DC 20001
Tel: (202) 756-8496
Email: AOtt@mwe.com

Roshan Mansinghani, Reg. No. 62,429
Unified Patents Inc.
13355 Noel Road, Suite 1100
Dallas, TX 75240
Tel: (214) 945-0200
Email: roshan@unifiedpatents.com

Jonathan Stroud, Reg. No. 72,518


Unified Patents Inc.
1875 Connecticut Ave. NW
Washington, D.C., 20009
Tel: (214) 945-0200
Email: jonathan@unifiedpatents.com

UNITED STATES PATENT AND TRADEMARK OFFICE


____________________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD


____________________________

UNIFIED PATENTS INC.


Petitioner

v.

SMART AUTHENTICATION IP, LLC


Patent Owner

IPR2017-02047
U.S. Patent 8,082,213
____________________________

METHOD AND SYSTEM FOR PERSONALIZED ONLINE SECURITY


____________________________

PETITION FOR INTER PARTES REVIEW



TABLE OF CONTENTS
I. INTRODUCTION .......................................................... 1
II. MANDATORY NOTICES ................................................... 1
A. Real Party-in-Interest under 37 C.F.R. § 42.8(b)(1) ................ 1
B. Patent Owner and Related Matters under 37 C.F.R. § 42.8(b)(2) ..... 1
C. Counsel and Service Information ..................................... 2
III. CERTIFICATION OF GROUNDS FOR STANDING ............................. 3
IV. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED ......................... 3
A. Prior Art Patents and Publications .................................. 3
B. Statutory Grounds of Challenge ...................................... 4
V. U.S. PATENT 8,082,213 ............................................... 5
A. Summary ............................................................. 5
B. Prosecution History ................................................. 7
VI. SMART AUTHENTICATION'S LITIGATION POSITIONS ........................ 8
VII. LEVEL OF ORDINARY SKILL IN THE ART ................................ 9
VIII. CLAIM CONSTRUCTION ............................................... 10
A. "user-authentication policies" ..................................... 10
B. "specified by the user" ............................................ 11
C. "variable-factor authentication" ................................... 11
D. "returning a[n] authentication result" ............................. 12
IX. THE CHALLENGED CLAIMS ARE UNPATENTABLE ............................ 12
A. Ground I: Claims 1-17 are obvious in view of Harris and Owen ....... 12
B. Ground II: Claims 1-10 are obvious in view of Vandergeest and Delany ... 50
C. Ground III: Claims 12-17 are obvious in view of Vandergeest ........ 81
X. CONCLUSION ......................................................... 86


Initial Exhibit List

Exhibit   Description
1001      U.S. Pat. No. 8,082,213 to Lyons (the "'213 Patent")
1002      Prosecution History of the '213 Patent
1003      Declaration of Stephen Gray (including Appendices A-C)
1004      U.S. Pat. No. 8,751,801 to Harris et al. ("Harris")
1005      U.S. Pat. No. 7,765,580 to Vandergeest et al. ("Vandergeest")
1006      WO Pub. No. 03/032126 to Owen et al. ("Owen")
1007      U.S. Pub. No. 2002/0156879 to Delany et al. ("Delany")
1008      Complaint, Smart Authentication IP, LLC v. Etsy, Inc., No. 2:17-cv-278 (E.D. Tex. Mar. 31, 2017)


I. INTRODUCTION
Under 35 U.S.C. § 311 and 37 C.F.R. § 42.100, Petitioner Unified Patents Inc. ("Unified" or "Petitioner") respectfully requests institution of inter partes review with respect to claims 1-17 of U.S. Patent 8,082,213 (the "'213 Patent"). The '213 Patent is attached to this Petition as EX1001.

II. MANDATORY NOTICES

A. Real Party-in-Interest under 37 C.F.R. § 42.8(b)(1)


Unified certifies that it is the real party-in-interest, and that no other party

exercised control or could exercise control over its participation in this proceeding,

the filing of this petition, or the conduct of any ensuing trial.

B. Patent Owner and Related Matters under 37 C.F.R. § 42.8(b)(2)

Smart Authentication IP, LLC ("Smart Authentication") purports to own the '213 Patent by way of a September 29, 2016 assignment from P2FA Security LLC recorded with the USPTO at Reel 040123 and Frame 0106. Smart Authentication has filed eight lawsuits in the Eastern District of Texas and two lawsuits in the District of Delaware asserting the '213 Patent, which are listed in the following table.

Name                                                               Case No.        District    Filed
Smart Authentication IP, LLC v. United Servs. Auto. Assoc. et al.  2:16-cv-01232   E.D. Tex.   Nov. 4, 2016
Smart Authentication IP, LLC v. Evernote Corp.                     2:16-cv-01233   E.D. Tex.   Nov. 4, 2016
Smart Authentication IP, LLC v. LogMeIn, Inc.                      2:16-cv-01234   E.D. Tex.   Nov. 4, 2016
Smart Authentication IP, LLC v. MongoDB, Inc.                      2:16-cv-01268   E.D. Tex.   Nov. 14, 2016
Smart Authentication IP, LLC v. Autodesk, Inc.¹                    2:17-cv-00277   E.D. Tex.   Apr. 7, 2017
Smart Authentication IP, LLC v. Etsy, Inc.                         2:17-cv-00278   E.D. Tex.   Apr. 7, 2017
Smart Authentication IP, LLC v. Discover Financial Servs. et al.   2:17-cv-00279   E.D. Tex.   Apr. 7, 2017
Smart Authentication IP, LLC v. CCP hf et al.*                     2:17-cv-00280   E.D. Tex.   Apr. 7, 2017
Smart Authentication IP, LLC v. Personal Capital Corp.*            1:17-cv-00941   D. Del.     July 13, 2017
Smart Authentication IP, LLC v. Slack Technologies, Inc.*          1:17-cv-00983   D. Del.     July 19, 2017

C. Counsel and Service Information


Alexander P. Ott (Reg. No. 63,110) will be the lead counsel. Roshan Mansinghani (Reg. No. 62,429) and Jonathan Stroud (Reg. No. 72,518) will act as back-up counsel. Pursuant to 37 C.F.R. § 42.10(b), a Power of Attorney accompanies this Petition.

Unified consents to e-mail service at roshan@unifiedpatents.com, jonathan@unifiedpatents.com, aott@mwe.com, and IPdocketMWE@mwe.com. Counsel for Petitioner may be addressed at 500 North Capitol St. NW, Washington, DC 20001, Tel: (202) 756-8000, Fax: (202) 756-8087; Unified Patents Inc., 1875 Connecticut Ave. NW, Washington, D.C., 20009, Tel: (650) 999-0899; and Unified Patents Inc., 13355 Noel Road, Suite 1100, Dallas, TX 75240, Tel: (214) 945-0200.

¹ Currently pending.

III. CERTIFICATION OF GROUNDS FOR STANDING

Petitioner certifies that the patent for which review is sought is available for inter partes review and that Petitioner is not barred or estopped from requesting an inter partes review on the grounds set forth in this Petition. (37 C.F.R. § 42.104(a)).

IV. OVERVIEW OF CHALLENGE AND RELIEF REQUESTED

This Petition is supported by the declaration of Stephen Gray (EX1003) and requests the Board cancel claims 1-17 as unpatentable under 35 U.S.C. § 103. (35 U.S.C. § 314(a); Rules 42.22(a)(1) and 42.104(b)(1)-(2)).

A. Prior Art Patents and Publications

Petitioner relies upon the following patents and printed publications, none of which were previously considered by the USPTO:

1. U.S. Pat. No. 8,751,801 to Harris et al. ("Harris") (EX1004) was filed on April 22, 2005 and issued on June 10, 2014. Harris is prior art to the '213 Patent under 35 U.S.C. § 102(e)(1).

2. U.S. Pat. No. 7,765,580 to Vandergeest et al. ("Vandergeest") (EX1005) was filed on May 14, 2001, published on November 14, 2002 (as US 2002/0169988) and issued on July 27, 2010. Vandergeest is prior art to the '213 Patent under 35 U.S.C. § 102(b).

3. WO Pub. No. 03/032126 to Owen et al. ("Owen") (EX1006) was published on April 17, 2003. Owen is prior art to the '213 Patent under 35 U.S.C. § 102(b).

4. U.S. Pub. No. 2002/0156879 to Delany et al. ("Delany") (EX1007) was published on October 24, 2002. Delany is prior art to the '213 Patent under 35 U.S.C. § 102(b).

B. Statutory Grounds of Challenge

This Petition presents the following grounds:

Ground I: Obviousness of claims 1-17 by Harris in view of Owen
Ground II: Obviousness of claims 1-10 by Vandergeest in view of Delany
Ground III: Obviousness of claims 12-17 by Vandergeest

These grounds are not redundant because the prior art addresses different claims, Harris is prior art under § 102(e) whereas Vandergeest is § 102(b) prior art, and because the prior art addresses different purported embodiments of the '213 Patent.


V. U.S. PATENT 8,082,213


The '213 Patent claims priority to Provisional App. No. 60/694,288 filed on June 27, 2005,² issued from U.S. App. No. 11/477,203 filed on June 27, 2006, and issued on December 20, 2011. The '213 Patent was filed prior to enactment of the America Invents Act ("AIA") and thus is a pre-AIA patent.

A. Summary
The '213 Patent is titled "Method and System for Personalized Online Security," and relates to a third-party user authentication service (system and method) for authenticating users on behalf of commercial clients, where the user decides what combination of rules, secrets, or tangible objects are required to authenticate the user. Specifically, the '213 Patent discloses that a user interacts with the authentication service provider ("ASP") to establish policies for subsequent authentication of the user to a client of the ASP (e.g., a commercial website). (EX1001 at 2:1-4). This allows the user to control the level and complexity of the authentication process. (Id. at 2:3-10). The policies specified by a user may include variable-factor authentication, including some combination of secret information (e.g., a password), rules (e.g., geographic limitations), and/or evidence of control of a tangible object (e.g., a cellular device). (Id. at 2:15-18, 4:24-28, 7:6-44).

² Unified Patents does not concede the '213 Patent is entitled to claim priority to the '288 Provisional and reserves the right to challenge the priority date.

Figure 3 of the '213 Patent, reproduced below, illustrates the claimed system and discloses interactions between: (i) a user, (ii) the ASP, and (iii) the ASP-clients that require authentication of users. (EX1001 at 2:29-30, 3:47-67, FIG. 3).

In this embodiment, the user (302) first (1) initializes a transaction (304) with the ASP-client (306) (e.g., an entity requiring user authentication), such as by requesting to log on to a commercial website. (Id. at 3:48-51). Next (2), the ASP-client sends an authentication request (308) to the ASP (310), to determine if the information provided by the user is sufficient to authenticate the user. (Id. at 3:55-58). The ASP then (3) carries out an authentication transaction (312) with the user, to authenticate the user in accordance with the predetermined authentication protocols established by the user. (Id. at 3:59-62). (In some embodiments, this takes place over a third communications medium that is different from the first communications medium (from the user to the client) and the second communications medium (from the client to the ASP), such as a telephonic medium or a text-messaging medium. (Id. at 7:36-40, 8:34-9:3)). The ASP then (4) returns the authentication results (314) to the ASP-client (or the user returns results directly), letting the ASP-client know if the user was successfully authenticated. (Id. at 3:63-65). Finally, the ASP-client (5) uses the authentication result to complete the transaction and return the requested resources (316) to the user. (Id. at 3:65-67).
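The five-step exchange described above, written out in Python as an added example; this is not code from the petition, the '213 Patent, or any exhibit, and the same three-party shape recurs in the Harris method summarized under Ground I. A user authenticates to an ASP-client over a first medium, the client passes an authentication request to the ASP over a second, the ASP completes the transaction with the user over a simulated text-messaging channel, and the client releases the resource only on a positive result. The class and method names, the SMS message format, the policy factor strings "secret" and "tangible_object", and the two-minute expiry and three-attempt limit are all assumptions made for illustration. The example also shows what the prose leaves implicit: a user whose stored policy names only a secret gets no second factor, the one-time code is single-use and time-limited, and it travels only over the third medium, so the client never handles it.

```python
# Added example for this page, not code from the petition, the '213 Patent, or any exhibit;
# every name, message format, and policy value below is an assumption made for illustration.
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 120   # assumption: a code is valid for two minutes
MAX_OTP_ATTEMPTS = 3    # assumption: three wrong codes cancel the transaction


def hash_password(password, salt):   # salted PBKDF2; the password itself is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SmsChannel:
    """Stand-in for the third communications medium (text messaging)."""
    def __init__(self):
        self.outbox = {}                     # phone number -> texts delivered to it
    def send(self, phone, text):
        self.outbox.setdefault(phone, []).append(text)
    def read_latest(self, phone):
        return self.outbox[phone][-1]


class AuthServiceProvider:
    """The ASP (310): keeps user-specified policies and user information, runs the
    authentication transaction (312) with the user, and reports the result (314)."""
    def __init__(self, sms):
        self.sms = sms
        self.users = {}       # username -> {"salt", "pw_hash", "phone"}
        self.policies = {}    # username -> set of factors the user chose for themselves
        self.pending = {}     # txn_id -> outstanding one-time code, expiry and attempt count
        self.results = {}     # txn_id -> "authenticated" / "denied", collected once by the client

    def register(self, username, password, phone, factors):   # account interface: user picks factors
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": hash_password(password, salt), "phone": phone}
        self.policies[username] = set(factors)

    def authentication_request(self, txn_id, username, password):   # step (2), second medium
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
            self.results[txn_id] = "denied"
            return
        if "tangible_object" not in self.policies[username]:
            self.results[txn_id] = "authenticated"     # this user's policy asks for the secret only
            return
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = {"otp": otp, "expires": time.time() + OTP_TTL_SECONDS, "attempts": 0}
        # Step (3), third medium: the code goes to the phone, never back over the client's connection.
        self.sms.send(user["phone"], f"Code for transaction {txn_id}: {otp}")

    def submit_otp(self, txn_id, otp):   # step (3) continued: the user returns the code to the ASP
        entry = self.pending.get(txn_id)
        if entry is None:
            return
        entry["attempts"] += 1
        expired = time.time() > entry["expires"]
        if not expired and hmac.compare_digest(entry["otp"], otp):
            del self.pending[txn_id]                    # single use
            self.results[txn_id] = "authenticated"
        elif expired or entry["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[txn_id]
            self.results[txn_id] = "denied"

    def authentication_result(self, txn_id):   # step (4): result to the client, collectable once
        return self.results.pop(txn_id, None)


class AspClient:
    """The ASP-client (306): first medium to the user, second to the ASP; it never sees the code."""
    def __init__(self, asp):
        self.asp = asp
        self.resources = {"alice": "alice's account page", "bob": "bob's account page"}

    def begin_login(self, username, password):   # step (1): user starts the transaction
        txn_id = secrets.token_hex(8)
        self.asp.authentication_request(txn_id, username, password)
        return txn_id

    def finish(self, txn_id, username):   # step (5): release the resource only on a positive result
        granted = self.asp.authentication_result(txn_id) == "authenticated"
        return self.resources[username] if granted else None


def demo(username="alice", password="correct horse", wrong_otp=False):
    """End-to-end run over constructed users; returns the resource, or None when denied."""
    sms = SmsChannel()
    asp = AuthServiceProvider(sms)
    asp.register("alice", "correct horse", "+15550100", {"secret", "tangible_object"})
    asp.register("bob", "battery staple", "+15550101", {"secret"})
    site = AspClient(asp)
    txn_id = site.begin_login(username, password)
    phone = asp.users.get(username, {}).get("phone")
    if phone in sms.outbox:                             # the user reads the code off the phone
        code = sms.read_latest(phone).split(": ")[1]
        for attempt in (["x"] * MAX_OTP_ATTEMPTS if wrong_otp else [code]):
            asp.submit_otp(txn_id, attempt)             # "x" never matches a six-digit code
    return site.finish(txn_id, username)
```

Calling demo() walks alice through all five steps and returns her resource; demo("bob", "battery staple") returns bob's resource without any code being sent, because his stored policy lists only a secret. The result map is consumed with pop so a client cannot reuse one transaction's verdict for another, and the ASP stores only a PBKDF2 hash of the secret; the client, for its part, never learns the code, which is the property that makes the third medium worth having.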

B. Prosecution History
The '213 Patent issued on December 20, 2011, from Patent Application 11/477,203 (EX1002, "'213 Prosecution History"), filed on June 27, 2006. In prosecution for more than five years, the '213 Patent issued after one non-final and one final rejection and an appeal to the BPAI.


On August 11, 2008, the Patent Office issued a final rejection, notably rejecting all claims under § 103, stating that the purported invention was rendered obvious by Steele et al. (U.S. Pub. No. 2006/0179003) in view of Fisher (U.S. Pat. No. 6,957,199).

In response, the applicant filed an appeal with the BPAI. (Id. at 183-231). The applicant argued that neither reference cited by the examiner disclosed using: (1) "a variable-factor authentication," or (2) "an authentication-service client [that] communicates with the user of the authentication service through a first communications medium and an authentication service that sends information to the user of the authentication service through a communications medium different from the first communications medium." (Id. at 207-209).

The Board of Patent Appeals and Interferences agreed with the applicant's arguments, finding that the invention was patentable based on those two distinctions. (Id.). This suggests that these specific two elements were the inventive concepts that were not present in the examined prior art and which rendered the invention patentable. (Id. at 20, 29).

VI. SMART AUTHENTICATION'S LITIGATION POSITIONS

Smart Authentication has filed a number of lawsuits asserting and interpreting the '213 Patent. Smart Authentication has sued multiple companies for infringement based on systems/methods involving two-factor authentication over multiple communications mediums. (See, e.g., Ex. 1008 at 26 (Complaint, Smart Authentication IP, LLC v. Etsy, Inc., No. 2:17-cv-278 (E.D. Tex. Mar. 31, 2017))).

In the Etsy litigation (Ex. 1008), for example, Smart Authentication argued that the '213 Patent covers any two (or more) factor authentication methods/systems where one of the subsequent authentication factors is sent over a different communications medium, such as using a text-messaging or other phone authentication method to supplement the standard user ID plus password authentication method. (See id.; see also Complaint (Dkt. 1), Smart Authentication IP, LLC v. Personal Capital Corp., No. 1:17-cv-00941 (D. Del. Jul. 13, 2017); Complaint (Dkt. 1), Smart Authentication IP, LLC v. Slack Technologies, Inc., No. 1:17-cv-00983 (D. Del. Jul. 19, 2017)). These broad infringement allegations are instructive as to the scope of the claims.

VII. LEVEL OF ORDINARY SKILL IN THE ART


As set forth in the declaration of Stephen Gray, a person of ordinary skill in the art of the '213 Patent would have at least a B.S. Degree in electrical engineering, computer science, or a related subject, and at least one year of experience in designing systems for access control in a network computing environment. A higher level of education may make up for less experience. (EX1003 at ¶ 28).


VIII. CLAIM CONSTRUCTION


Claim terms of a patent in inter partes review are given the broadest reasonable construction in light of the specification. (37 C.F.R. § 42.100(b)). Claim constructions appropriate for these proceedings may be different than claim constructions appropriate in a federal district court. Thus, the claim constructions proposed in this Petition do not necessarily reflect the constructions that Petitioner believes should be adopted by a district court. Any term not explicitly construed below should be interpreted in accordance with its plain and ordinary meaning under the broadest reasonable construction.

A. "user-authentication policies"

The term "user-authentication policies," as used in the '213 Patent claims, should be construed as "a stored set, associated with a user, of one or more constraint(s) and/or parameter(s) associated with user-authentication processes." (EX1003 at ¶ 46). The claims themselves identify the user-authentication policies as specifying "one or more of: constraints and parameters associated with user-authentication processes." (EX1001, Claim 9). Further, the specification states that "[t]he policies specified by a user may include specification of variable-factor authentication, in which the user, during the course of an authentication, provides both secret information as well as evidence of control of a tangible object." (Id. at 2:15-18; see also id. at 3:59-63, Fig. 5) (emphases added). Thus, a user-authentication policy is a stored set, associated with a user, of one or more constraint(s) and/or parameter(s) associated with user-authentication processes.

B. "specified by the user"

The term "specified by the user," as used in the '213 Patent claims, should be construed, at a minimum, to include the user selecting from policy templates that describe available types of policies. (EX1003 at ¶ 47). The specification of the '213 Patent states that "[t]he ASP 402 includes policy templates 404 that may be used to describe the types of policies available to users and to allow users to specify policies based on templates." (EX1001 at 4:1-4; see also id. at 4:28-30).

C. "variable-factor authentication"

The term "variable-factor authentication," as used in the '213 Patent claims, should be construed as "both secret information (e.g., a password) and evidence of control of a tangible object (e.g., a cell phone)." (EX1003 at ¶ 48). This is consistent with the Board's previous construction of the term during prosecution of the '213 Patent. (EX1002 at 97-98). During prosecution, the Board determined that one of ordinary skill would have understood that "Appellant has defined variable-factor authentication as a user providing an ASP with both secret information (e.g., a password) and evidence of control of a tangible object (e.g., a cell phone)." (Id.).


D. "returning a[n] authentication result"

The term "returning a[n] authentication result," as used in the '213 Patent claims, should be construed to at least cover returning a password. Dependent claim 17 states that "the authentication result includes the password." (EX1001, Claim 17). Thus "returning a[n] authentication result" is necessarily broad enough to encompass, at a minimum, returning a password. (EX1003 at ¶ 50).

IX. THE CHALLENGED CLAIMS ARE UNPATENTABLE

A. Ground I: Claims 1-17 are obvious in view of Harris and Owen

1. Summary of U.S. Pat. No. 8,751,801 to Harris et al. ("Harris")

Harris describes a "System and Method for Authenticating Users Using a Plurality of Authentication Factors" and discloses an authentication service for authenticating a user based on multiple authentication factors.

Harris describes an authentication system for authenticating a user to a computer system (e.g., a service provider or a web server). (EX1004 at 18:9-16). The authentication system of Harris stores policies within a database for authenticating a user, generates secrets to send to a second user device, and tells a website that a user has been authenticated. (EX1004 at 18:26-20:49). The "user" of Harris represents a person who has registered an account with the authentication system/ASP, including selecting authentication policies or constraints to authenticate the user during subsequent requests to a service provider. (EX1004 at 18:9-20:49, 19:47-20:49). Finally, the "service provider" of Harris represents a web server that has resources and/or services for authenticated users. (Id.).

In some embodiments, the service provider (i.e., client) is within the same system or network as the authentication system, and the two share interfaces to interact (720, 722, 724) with the user. (Id. at 19:2-13). As Mr. Gray explains, it is common for a service provider to have its authentication service as part of its own server/website so that it handles all tasks and does not need to share sensitive client information with third parties. (EX1003 at ¶ 75). This embodiment is illustrated in Figure 7, shown annotated below, where the service provider 760 is within the authentication system 700. (Id. at Fig. 7, 18:9-20:50).


In this embodiment, the authentication service modules (annotated with the blue box above) communicate with the service provider 760 through internal communications media, such as an internal network or LAN. (Id. at 19:47-49, 20:25-41). Mr. Gray confirms a LAN would be the most common option. (EX1003 at ¶ 76). Each box shown above can be its own computer/device or modules within a larger device, thus each box must have means of communicating with the other boxes. (Id. at 18:26-28 ("Authentication and service system 700 includes a conventional computer system containing one or more computers.")).

Harris also describes the claimed method. First, the system receives a first authentication factor (e.g., an ID and password of the user), originally supplied by the user during a registration process where the user can specify one or more authentication policies. (Id. at 2:35-38, 19:35-46). Next, the user receives a second authentication factor from the authentication system, over a different communications medium, on a device different than was used to submit the initial request. (Id. at 10:2-4, 18:38-42, 19:35-46). Finally, the user returns the second authentication factor back to the client or ASP (depending on the embodiment) and, if it matches what was sent, the user is authenticated and the client returns the originally requested resources to the user. (Id. at 20:31-41; see also id. at 16:48-66).

As illustrated in Figures 4B-4C, reproduced and annotated below, Harris discloses a system that can act as an authentication service provider between a client and user by virtue of communication over multiple communication mediums/devices (e.g., PC and/or phone). (Id. at 5:20-25).


[Figures 4B-4D of Harris (EX1004), reproduced and annotated in the original; the annotations read as follows.]

Annotation 1: Site with authentication service receives request for service/resources from user, along with user's ID and password.

Annotation 2: Site with authentication service determines whether a second and/or third factor authentication is required, based on pre-configured settings for the client and requested resources.

Annotation 3: Site with authentication service generates a secret to send to a second user device (continuing to Fig. 4C).

Annotation 4: Site with authentication service transmits the secret to a second user device (different from the device that made the initial request); the user inputs the secret into the site using the first user device, and the site confirms that the secret matches (continuing to Fig. 4D).

Annotation 5: If all required authentication policies have been met, the site then provides the user with access to the requested service.

2. Summary of WO Publication 03/032126 to Owen et al. ("Owen")

Owen describes a "Multi-Factor Authentication System," and generally relates to an authentication system for authenticating a suspect user based on multiple authentication factors. (EX1006, Abstract).

Owen describes a system with three participants: (i) a suspect user, (ii) an authentication authority (i.e., an authentication service), and (iii) an access authority (e.g., a website a user is trying to access). Figure 1, shown below, is illustrative of the system and method claimed by Owen.


Additionally, Owen discloses a web-based administrative utility used to create, modify, enable, or disable the various authentication factors and system components utilized. (Id. at 24:2-10). The publication states "[t]his entirely web-based system provides administration of wireless devices 922, security domains, users 910, protocol modules, network clients 950 and preferences." (Id.)


3. Independent Claim 1 is obvious in view of Harris and Owen

a) "A user-authentication service implemented as routines that execute one or more computer systems interconnected by two or more communications media with both an authentication-service client, and a user, the user-authentication service comprising"

Like the '213 Patent, Harris is directed to a "System and Method for Authenticating Users Using Two or More Factors" and thus discloses the claimed user-authentication service. (EX1004). The "service provider" of Harris corresponds to the "authentication-service client" of the claim; both represent web servers with resources for authenticated users. (Compare, e.g., EX1004 at 18:26-20:49 with EX1001 at 2:1-30). The "user" of Harris corresponds to the "user" of the claim; both represent a person who has registered an account with the authentication system/ASP and selected authentication policies or constraints. (Id.) The "authentication system" of Harris corresponds to the "user-authentication service" of the claim; each stores policies within a database for authenticating a user to a website, generates secrets to send to a second user device, and tells the website that a user has been authenticated. (Compare, e.g., EX1004 at 18:26-20:49 with EX1001 at 2:1-30). Figure 7, shown annotated below, discloses an embodiment of the system where the service provider (i.e., client) is within the same network as the authentication service. (Id. at Fig. 7, 18:9-20:50).


Harris discloses the claimed authentication routines implemented as software on a "conventional computer system containing one or more computers" connected to the service provider, which contains resources. (EX1004 at 18:9-28). In Figure 7, shown annotated above, the service provider 760 contains resources and can either be one software module on a computer, or may be on a dedicated computer connected to the other modules through some internal network. (Id. at 18:26-28, 19:47-49, 20:32-33).


Harris discloses the user communicates with the service provider over a first communications medium (i.e., the Internet) (id. at 18:17-21) whereas the service provider communicates with the authentication service over a second communications medium (e.g., an internal network, such as a LAN). (See id. at 18:26-27, Fig. 7). Harris thus discloses the claimed "interconnected by two or more communications media" limitation. (Id. at 18:19-26, 19:8-13). Thus, to the extent the preamble is considered limiting, Harris discloses this limitation.

b) "the one or more computer systems"

Harris discloses this limitation by disclosing [1] a service provider, [2] an authentication and service system that "includes a conventional computer system containing one or more computers," and [3] a user (who may be using a PC or other computing device). (See, e.g., id. at 18:9-43). In the annotated Figure 7, shown above, the service provider is run on a module, or dedicated machine, within the same network as the authentication service. (Id. at 18:26-28, 19:47-49, 20:32-33).

c) "stored user-authentication policies specified by the user"

Harris discloses the claimed "stored user-authentication policies" by disclosing a database in which, for each user, the type and mode of authentication factor(s) is stored. (Id. at 19:35-46). The type and mode of authentication covers what authentication factors/constraints need to be fulfilled to authenticate the user (type), and how the procedure should be carried out (mode), and thus corresponds to the authentication policy of the '213 Patent. (Id.) As noted above, the claim term "user-authentication policies," as used in the '213 Patent claims, should be construed as "a stored set, associated with a user, of one or more constraint(s) and/or parameter(s) associated with user-authentication processes." (Supra § VIII.A).

Figure 7 from Harris, shown below, shows the authentication system includes a subsequent authentication identifier 744 which uses an internally stored lookup table (or separate database 732) to retrieve user-authentication policies. (Id. at 18:32-49, 19:19-46, Fig. 7).


Additionally, Harris discloses the stored type and mode of authentication factors is "specified by the user." (EX1004 at 19:31-42 (emphasis added); see also id. at 18:38-51, 18:63-19:7). Thus, Harris discloses the claimed policies "specified by the user" limitation.

d) "stored user information;"

Harris discloses storing user information, including secrets, passwords, device identifiers, biometric, or other identifiers (e.g., as part of a user registration process). (Id. at 15:17-33, 16:48-52; see also id. at 14:53-61, Figs. 4A and 7).

e) "account interface routines that implement an account interface by which the user specifies, modifies, adds, and deletes user-authentication policies; and"

Harris describes a registration manager 730 that has account interface routines for performing registration steps (Id. at 18:28-42, Fig. 7) and therefore discloses this limitation. Harris explicitly discloses that users may specify, add, and modify user-authentication policies as claimed, through the registration manager. (Id. at 19:38-42). Although Harris does not explicitly mention an "account interface routine" or an "account interface," a POSITA would have recognized that the claimed routine and interface exists in Harris's system because the only way a user could specify, add, or modify policies is through an account interface. (EX1003 at ¶ 77). At the very least, a POSITA would have found it obvious to implement Harris's teachings using the claimed routine and interface because interfaces and interface-routines are the standard, well-known means for users interacting with remote systems. (Id.).

Although Harris does not explicitly disclose that a user may delete an authentication policy as claimed, it would have been obvious to a POSITA to add this feature to Harris because deleting old or unused policies would save memory in the authentication policy database. (EX1003 at ¶ 85). At the least, adding a delete function for anything data-related would be exceedingly obvious to a POSITA. (Id.)

Finally, as noted above in § IX.A.2, Owen discloses a web-based administrative utility with an account interface allowing administrators to create, modify, or delete various authentication policies and user information. (EX1006 at 24:2-10). To the extent it is argued that deleting authentication policies would not have been obvious in view of Harris, Mr. Gray confirms it would have been obvious to combine Harris with the administrator-controlled account management of Owen (EX1006) to allow users to delete authentication policies through an account interface as claimed. (EX1003 at ¶ 86). First, combining the systems would alleviate the burden on administrators by allowing users to manage the authentication policies. (Id.) Additionally, combining the administrative utility of Owen into Harris would allow the users of Harris to delete old, unused authentication policies, granting the predictable benefits mentioned above. (Id.) Both Harris and Owen are in the field of authenticating users, and both specifically teach account-management utilities; thus a POSITA would have recognized the predictable benefits, described above, of combining these two references and would have been motivated to combine their teachings. (Id.)

f1) authentication-interface routines that implement an authentication interface by which, following initiation of a transaction by the user with the authentication-service client, the authentication-service client submits an authentication request, through the first communications medium or through a second communications medium, to authenticate the user,
Harris discloses this limitation by describing that a service provider (i.e., the claimed client) submits an authentication request through a second communications medium to the authenticating service, via an authentication interface, to authenticate the user. (EX1003 at 77). Figure 7, annotated below and discussed above in § IX.A.1, shows how Harris discloses the claimed authentication service, service provider, and a number of interfaces used to authenticate the user. For example, Harris discloses the PC communication interface serves as an authentication interface (as claimed) between the service provider (i.e., client) and authentication modules after a user makes a request for resources of the service provider, disclosing "[w]hen the user makes a request [to the service provider], it may be made to a portion of the site that PC communication interface 720 identifies as a request, and so [the service provider, via] PC communication interface 720 forwards the request to request manager 740 [which is part of the authentication service] [If authentication is successful, r]equest manager 740 then provides the request and user identifier to [the service provider], which provides the service." (EX1004 at 19:19-30). Thus the PC communication interface discloses the claimed authentication interface, as it submits an authentication request to the authentication-service (i.e., the authentication-interface routine).

[Figure 7 of Harris, annotated (image not reproduced); annotation labels: "First communications medium" and "Second communications medium"]

Harris also discloses that when the service provider forwards the request (via the PC interface) to the request manager, it does so over a second communications medium (whereas the user communicates with the service provider over a first communications medium (i.e., the Internet) (id. at 18:17-21)), which, as discussed above in § IX.A.1, could be a LAN or other local communications medium. (See EX1004 at 18:26-28, Fig. 7 (annotated above)). As Mr. Gray confirms, because the modules within the site (i.e., the service provider and authentication modules) are "a conventional computer system containing one or more computers" (EX1004 at 18:27-28), they must have a communication medium to communicate with each other. (EX1003 at 76). Moreover, using a communications medium such as a LAN would have been obvious to a POSITA because it is the most common means of connecting two local computer systems to each other to communicate. (Id.).


f2) the authentication-interface routines employing a variable-factor authentication, when specified to do so by stored user-authentication policies, to authenticate the user on behalf of the authentication-service client during which the user communicates with the user-authentication service through a third communications medium different from the first and second communications media and a user device different from that employed by the user to initiate the transaction with the authentication-service client.

First, Harris discloses a system employing a variable-factor authentication routine to authenticate the user to a client, as claimed. (See supra § IX.A.1). Harris's authentication and service system (which corresponds to the claimed user-authentication service) includes an authentication identifier which uses an internally stored lookup table (or a separate database) to retrieve user-authentication policies (e.g., "the type and mode of any subsequent authentication factor or factors that should be used to authenticate the user for [a specific type of] request"). (EX1004 at 18:32-49, 19:19-46, Fig. 7) (emphases added). When the user requests resources from the service provider, the system uses these stored policies and additional authentication factors to perform the authentication procedure/routine, including requiring that the user be in possession of a physical device registered with the authentication service (via a device ID), such as a phone. (Id.; see also Fig. 2). As noted above, the term "variable-factor authentication" should be construed as both secret information (e.g., a password) and evidence of control of a tangible object (e.g., a cell phone). (Supra § VIII.C). Harris thus discloses employing a variable-factor authentication, when specified to do so by stored user-authentication policies as claimed. (EX1003 at 54; see also EX1004 at 2:35-49).

Next, Harris discloses using a third communications medium for communication between the authentication-service and a user device different from the device used to initiate the request as claimed, such as the authentication-service communicating with a user device over a telephone network or SMS or similar text-messaging service. (E.g., EX1004 at 8:39-45, 10:11-37, 12:1-9). This is in contrast to the user communicating with the service provider over a first communications medium (i.e., the Internet) (id. at 18:17-21) and the service provider communicating with the authentication-service over a second communications medium (e.g., an internal network, such as a LAN). (See id. at 18:26-27, Fig. 7; see also supra § IX.A.3.f1). Thus the telephone network or SMS in Harris is a third communications medium, different from the first two media.

For example, Figure 2 of Harris, shown annotated below, discloses a user in communication with the authentication-service and authentication-service client (which are grouped together on an internal network, collectively referred to as the "site") and illustrates the authentication policy routine, including the authentication-service providing the user with a secret (i.e., the claimed authentication routine) over a phone line (i.e., the claimed third communications medium). (Id. at 11:7-40, Fig. 2).

Harris's disclosure also corresponds with Patent Owner's litigation assertions claiming receiving a security code via a phone call or SMS text message through a mobile phone is a communication over a third communications medium to a user device different from that employed by the user to initiate the transaction. (See, e.g., Ex. 1008 at 20).
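The three-medium, policy-driven flow the petition attributes to Harris in §§ IX.A.3.f1-f2 (the client receives the user's request over the Internet, forwards an authentication request to the service over an internal link, the service looks up the user's stored policy by user identifier and request type, reaches the registered device over phone or SMS, and returns a result to the client) can be made concrete in code. The following Python is an added illustration written for this page; it is not code from Harris, Owen, the '213 Patent, or any party to the proceeding. Every name in it (AuthenticationService, Policy, UserRecord, ThirdMediumTransport, the sample users and phone numbers) is constructed, and the phone/SMS channel is replaced by an in-memory stand-in that records what it was handed so the flow can be exercised offline.

```python
"""Constructed model of a policy-driven, out-of-band authentication service.

Medium 1: user <-> client (Internet)          -> the caller of begin()/complete()
Medium 2: client <-> authentication service   -> modelled by a direct method call
Medium 3: service -> registered user device   -> modelled by ThirdMediumTransport
Example code written for this page; not Harris's or the '213 Patent's own code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Stored user-authentication policy: the type and mode of the extra factor
    to apply for a given request type (constructed structure)."""
    factor_type: str     # which registered attribute to reach, e.g. "phone"
    mode: str            # which third medium to use, e.g. "sms" or "voice"
    bidirectional: bool  # reply over the third medium (True) or via the client (False)


@dataclass
class UserRecord:
    user_id: str
    password: str                       # secret information (first factor)
    phone: str                          # registered tangible device (second factor)
    policies: Dict[str, Policy] = field(default_factory=dict)  # keyed by request type


class ThirdMediumTransport:
    """Stand-in for the phone/SMS channel: records (mode, device, code) tuples."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str, str]] = []

    def send(self, mode: str, device: str, code: str) -> None:
        self.sent.append((mode, device, code))


class AuthenticationService:
    def __init__(self, users: List[UserRecord], transport: ThirdMediumTransport) -> None:
        self.users = {u.user_id: u for u in users}
        self.transport = transport
        # one-time challenges keyed by (user_id, request_type)
        self.pending: Dict[Tuple[str, str], str] = {}

    def lookup_policy(self, user_id: str, request_type: str) -> Optional[Policy]:
        """Retrieve the stored policy by user identifier and type of request;
        a "*" entry acts as the user's default for any request type."""
        user = self.users.get(user_id)
        if user is None:
            return None
        return user.policies.get(request_type) or user.policies.get("*")

    def begin(self, user_id: str, password: str, request_type: str) -> dict:
        """Authentication request as forwarded by the client (medium 2)."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.password, password):
            return {"status": "denied"}
        policy = self.lookup_policy(user_id, request_type)
        if policy is None:
            # No stored policy calls for a further factor: result goes straight back.
            return {"status": "authenticated", "user_identifier": user_id}
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(user_id, request_type)] = code
        device = getattr(user, policy.factor_type)
        self.transport.send(policy.mode, device, code)   # medium 3
        return {"status": "challenge_sent", "mode": policy.mode,
                "reply_via": "third_medium" if policy.bidirectional else "client"}

    def complete(self, user_id: str, request_type: str, submitted: str) -> dict:
        """Second leg: compare the returned secret with the generated one.
        The challenge is consumed on first use, so a mismatch cannot be retried
        without a fresh challenge (the 'halt' variant of the flow)."""
        expected = self.pending.pop((user_id, request_type), None)
        if expected is None or not hmac.compare_digest(expected, submitted):
            return {"status": "denied"}
        # The result returned to the client carries the code as the identifier.
        return {"status": "authenticated", "user_identifier": user_id,
                "password": submitted}


def run_demo() -> dict:
    """Walk one constructed user through the flow; returns both service replies."""
    transport = ThirdMediumTransport()
    alice = UserRecord("alice", "correct horse", "+1-555-0100",
                       {"login": Policy("phone", "sms", bidirectional=False)})
    service = AuthenticationService([alice], transport)
    first = service.begin("alice", "correct horse", "login")
    code = transport.sent[-1][2]          # what the registered device received
    final = service.complete("alice", "login", code)
    return {"first": first, "final": final}


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting: the policy lookup is keyed on both the user identifier and the request type, so one user can hold different policies for different sites or services (the multiple-client reading under claim 2), and a challenge is removed from the pending table as soon as it is checked, so a wrong code ends that attempt rather than leaving the same code open for further guesses.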


4. Dependent Claim 2 is obvious in view of Harris and Owen

a) The user-authentication service of claim 1 wherein the authentication service stores user-authentication policies and user information for multiple users, provides an account interface to the multiple users, and provides an authentication interface to multiple authentication-service clients.

Harris discloses the only additional requirement of this claim: that the system performs the claimed functions for multiple users and clients. Harris discloses how "each user may have stored the type and mode of the authentication factor or factors." (Id. at 19:35-46). Mr. Gray confirms a POSITA would have recognized that if each user has types and modes of authentication factors stored, the system stores authentication policies and has an account interface for multiple users. (EX1003 at 77.)

Similarly, Harris discloses the authentication policies can be retrieved based on the type of request. (EX1004 at 19:35-46). A POSITA would have recognized the type of request could include which service provider (i.e., client) the user is trying to gain access to. (EX1003 at 78). At the very least, it would have been obvious for a POSITA to modify the Harris system so it works with multiple clients; this would have the expected benefit of allowing a single authentication system to provide authentication results for multiple clients and allow users to store different policies for different sites. (See id. at 79; EX1004 at 14:3-39).


5. Dependent Claim 3 is obvious in view of Harris and Owen

a) The user-authentication service of claim 1 wherein the user-authentication service undertakes the authentication procedure by: using the electronically-encoded information about the user to retrieve all stored user-authentication policies for the user

Harris discloses that each user "may have stored the type and mode of the authentication factor or factors that should be used for each type of request, and [that] subsequent authentication identifier 744 retrieves it based on the user identifier [i.e., electronically encoded information], type of request or both." (EX1004 at 19:35-46) (emphases added). As noted above in § VIII.A, the term "user-authentication policies" should be construed as a stored set, associated with a user, of one or more constraint(s) and/or parameter(s) associated with user-authentication processes; thus the "type and mode of the authentication factor or factors that should be used for each type of request" corresponds to the user-authentication policies of the '213 Patent. Further, a POSITA would have understood that the user identifier information sent by the user is the claimed electronically-encoded information (i.e., information is encoded into bits so it may be electronically sent) and that retrieving user-associated "authentication factor or factors" means it retrieves all policies. (EX1003 at 87). At the least, given that Harris discloses retrieving the stored factors, it would have been obvious to a POSITA to retrieve all policies since the plural factors could be associated with separate policies. (Id.) Thus, Harris discloses using electronically-encoded information to retrieve all stored user-authentication policies for a user as claimed.

b) when the retrieved stored user-authentication policies permit the authentication procedure to proceed, conducting the authentication procedure in order to authenticate the user to the authentication-service client; and returning an authentication result to the authentication-service client.

Harris discloses conducting an authentication procedure (i.e., sending required authentication information to the user) over a communications medium if the stored authentication policies (which are retrieved as described above in § IX.A.5.a) require said procedure in order to authenticate the user. (E.g., EX1004 at 8:39-42; see supra §§ IX.A.1, IX.A.3.a, IX.A.3.f1-f2).

Next, Harris also discloses returning an authentication result to the client, as claimed, thereby letting the client know whether it should transmit the requested resources to the user. For example, Harris discloses providing the user with a secret (i.e., password) to return to the authentication service in order for the service to authenticate the user to the client. (Id. at 8:30-42, 16:43-52; see also Figs. 4C and 4D (below).) Next, the user inputs the secret back into the authentication service, which compares the inputted secret to the generated secret and "if the secrets match 456, the method continues at step 470." (Id. at 16:43-52). As noted above, the term "returning a[n] authentication result" should be construed to at least cover returning a password; thus, inputting the secret back to the authentication service/service provider satisfies this limitation. (Supra § VIII.D).

In Figure 4D, shown below, if the authorization is complete (i.e., the retrieved authentication policy does not require an additional authentication factor), the authentication manager modules of the authentication service provide the service provider (i.e., the claimed client) with "the request and user identifier" [i.e., authentication result] (id. at 20:25-33, Fig. 7) and "[w]hen service provider receives the request and user identifier, it fulfills the request as described above." (Id. at 20:40-41; see also id. at 16:65-66).


6. Dependent Claim 4 is obvious in view of Harris and Owen

a) The user-authentication service of claim 3 wherein the authentication procedure for any single policy may comprise: a uni-directional or bi-directional exchange of information with the user through the third communications medium.

Harris teaches both uni- and bi-directional exchange of information over the third communications medium. Harris discloses that when a user enters his or her username to sign onto a website (i.e., service provider), the authorization service "can immediately call the user's phone number and provide a unique code to the user." (Id. at 8:39-42). In this embodiment, the third communications medium is a telephonic communications medium. (Id.; see also Ex. 1008 at 20.) The user then enters this code into the site using the first communications medium (such as the Internet), demonstrating that the communication over the telephone network was uni-directional. (EX1004 at 8:39-42).

In another embodiment, the user can authenticate him or herself after receiving the code by sending the code back over the phone (i.e., third communications medium), and thus the communications over the third communications medium are bi-directional. (Id. at 11:24-31, Fig. 2). Figure 2, shown annotated below, shows embodiments illustrating both the bi-directional (annotated in green) and uni-directional communications (annotated in orange) over a third communications medium (e.g., phone line).


7. Dependent Claim 5 is obvious in view of Harris and Owen

a) The user-authentication service of claim 4 wherein the information is a password that the user can subsequently input to the authentication-service client to prove to the authentication-service client that the user has been authenticated by the user-authentication service.

Harris discloses the user authenticating itself to a client using a password received from the authentication service. For example, Harris discloses an embodiment where "when a user enters his username to sign onto a Web site, the [authentication service in the] site can immediately call the user's phone number and provide a unique code to the user, which the user then enters into the site." (Id. at 8:39-42; see also id. at Fig. 2, 11:9-46) (emphasis added). By entering the code into the site, the user has proven to the client it has been authenticated by the service. Further, a POSITA would have recognized the "unique code" or "generated secret" transmitted to the user, and subsequently inputted to the client, is simply a password because it is a secret sequence of specific alphanumeric characters designed to be used to gain access to something, which is the definition of a password. (EX1003 at 93).


8. Dependent Claim 6 is obvious in view of Harris and Owen

a) The user-authentication service of claim 5 wherein the authentication result includes the password.

Harris discloses returning the authentication result to the client to confirm it should grant the user access to the requested resources. As discussed above, the user returns the password to the authentication service portion of a site, proving it has possession of the user device and is authenticated. (See, e.g., EX1004 at 16:43-52, 19:54-59.) The authentication manager(s) within the authentication service then "returns an indication that the user was authenticated to request manager 740. Request manager 740 then provides the request and user identifier to service provider 760, which provides the service." (Id. at 20:25-33). This "user identifier," i.e., authentication result, which is returned to the client may include the password, which is a "unique code." (Id. at 8:39-42, 11:41-46). At the least, it would have been obvious to use the password as the user identifier because the generated password is unique to the authenticated user (and session) and thus is an already-existing way to identify the user. (EX1003 at 93).


9. Dependent Claim 7 is obvious in view of Harris and Owen

a) The user-authentication service of claim 1 wherein the stored user information includes one or more of: the user's name; the user's address; passwords specified by the user; the user's contact information; the user's billing information; and the user's employment information.

Harris discloses stored user information as discussed above in § IX.A.3.d. Harris discloses storing user information, including secrets, passwords specified by the user, device identifiers, biometric data, or other identifiers. (EX1004 at 15:17-33, 16:48-52). Thus, Harris discloses this limitation. Further, a POSITA would have recognized the user's billing information, employment information, or other similarly identifying information falls within the broad category of "other identifiers" as disclosed by Harris because those types of information can be used to identify a user. (EX1003 at 81). At the least, it would have been obvious to a POSITA to use other user information, such as those categories mentioned above, to identify the user. (Id.).


10. Dependent Claim 8 is obvious in view of Harris and Owen

a) The user-authentication service of claim 7 wherein the user's contact information includes one or more of: the user's computer's trusted communications addresses; trusted telephone numbers of the user's landline and cell phones; contact information for the user's trusted hand-held computing devices; the user's email addresses; and internet addresses for interne[t]-related accounts through which the user can receive information.

Harris discloses storing user contact information, including "device identifiers" (i.e., a user trusted communications address) and "other [user] information." (Id. at 15:17-33, 16:48-52). Further, Figure 2 illustrates the Harris system communicating with a user's phone; thus, the stored user's contact information must include contact information for the user's trusted secondary device. (Id. at Fig. 2; EX1003 at 81.) A POSITA would have recognized the user's landline telephone number, email address, or internet address falls within the broad category of "other identifiers" as disclosed by Harris, as they can all be used to contact/identify the user. (EX1003 at 81). At the least, it would have been obvious to a POSITA to use other user information, such as those categories mentioned above, to contact the user. (Id.).


11. Dependent Claim 9 is obvious in view of Harris and Owen

a) The user-authentication service of claim 1 wherein a user-authentication policy specifies one or more of: constraints and parameters associated with user-authentication processes carried out by the user-authentication service on behalf of one or more, specified authentication-service clients.

As noted above, Harris discloses an authentication policy that includes constraints and parameters requiring the user to be in possession of a device, such as a phone, to be authenticated. (See, e.g., EX1004 at 16:43-52, Fig. 2). In such embodiments, the authentication service carries out the authentication processes based on the policies (which specify the authentication constraints and parameters) associated with a specific user and type of request. (Id. at 19:38-42). Harris also discloses the authentication procedure is carried out by the authentication service on behalf of a client, stating that when a user makes a request to a service provider, the service provider identifies the communication as a request and forwards it to the request manager of the authentication service. (Id. at 19:19-22). Next, the authentication service carries out the authentication procedure on behalf of the client and, after authenticating the user, tells the client the user is authenticated. (Id. at 19:21-49).

Patent Owner agrees. In lawsuits filed by Smart Authentication, it has claimed whether a phone call or text message authentication has been enabled and the corresponding telephone numbers is a constraint or parameter for authentication of a user that would meet this limitation. (See, e.g., Ex. 1008 at 26 (discussing Claim 9)). Harris discusses these same constraints and parameters. (See, e.g., EX1004 at 16:43-52, 19:38-42). Accordingly, for this and the reasons discussed above, it discloses this element.

12. Dependent Claim 10 is obvious in view of Harris and Owen

a) The user-authentication service of claim 9 wherein constraints include one or more of: geographical constraints; time-of-day constraints; date constraints; communications-medium-related constraints; user-authentication service actions; and event constraints.

Harris explicitly discloses users may specify user-authentication policies, stating "each user may have stored the type and mode of the authentication factor or factors that should be used for each type of request, and subsequent authentication identifier 744 retrieves it based on the user identifier, type of request or both." (Id. at 19:38-42).

Examples of constraints that can be added to a user-authentication policy include:

(i) event constraints (i.e., authentication can only occur when a message to a specific device, and a user response, occurs);

(ii) geographic constraints (i.e., users must log in from a secure physical location);

(iii) date or time-of-day constraints (i.e., limiting access based on pre-specified maximum daily transactions or total amounts per day); or

(iv) user-authentication service actions (such as a challenge/response voiceprint). (Id. at 14:3-32, 18:51-55).[3]

A POSITA would have recognized each user, by storing the type and mode of authentication factor(s) to use, has the ability to specify which authentication policies will be used, as the type plus a mode is all that a policy entails (e.g., use a phone line [i.e., mode/template] to call this phone number [i.e., type/factor]). (EX1003 at 88). At the very least, including these categories of constraints would have been obvious to a POSITA, for instance to maximize the options a user can select for authentication policies. (Id.)

Further, in lawsuits filed by Smart Authentication, it has claimed constraints "[that] include a communications-medium-related constraint, such as whether SMS/text Message or Phone Call authentication has been enabled" would meet this limitation. (See, e.g., Ex. 1008 at 27 (discussing claim 10)).

[3] Although this section's disclosure is unclear whether the user is selecting these options, the earlier cited disclosure (EX1004 at 19:38-42) makes clear the user selects and stores its own authentication policies and constraints.


13. Dependent Claim 11 is obvious in view of Harris and Owen

a) The user-authentication service of claim 10 wherein user-authentication service actions include one or more of: halting authorization service after detecting a specified event; employing particular types of user-authentication procedures; and providing alerts upon detecting specified events.

Harris discloses employing particular types of user-authentication procedures such as, for example, requiring the possession of a user device. (EX1004 at 14:3-32.) Further, Harris discloses providing alerts upon detecting specified events, such as displaying an error to the user if the secret (i.e., password) inputted did not match the generated secret. (See, e.g., id. at 16:4-8, Fig. 4B (shown annotated below)). Finally, Harris discloses that in some embodiments, the authorization service is halted if the secret inputted by the user does not match the generated secret (while in other embodiments it simply restarts the authentication process). (Id.).
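The constraint categories enumerated for claim 10 (geographic, time-of-day, date, communications-medium and event constraints) and the service actions of claim 11 (halting service after a specified event, employing a particular procedure, and raising an alert) describe a policy evaluator. The following Python is an added illustration written for this page of how such an evaluator is typically structured; it is not code from Harris, Owen, the '213 Patent, or any party, and the Constraints and Attempt structures, the ServiceActions class, and the sample attempts are all constructed. It goes slightly beyond the page's examples in that a single attempt is checked against every constraint category at once and every violated category is reported, which is what a defender wants in an audit trail.

```python
"""Constructed illustration of policy constraints (claim 10 categories) and
service actions (claim 11 categories) for a user-authentication service.
Example code for this page; not from Harris or the '213 Patent. All names and
sample values are made up.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import List, Optional, Set, Tuple


@dataclass
class Constraints:
    """One user's stored policy constraints (None means 'not constrained')."""
    allowed_countries: Optional[Set[str]] = None
    time_window: Optional[Tuple[time, time]] = None    # time-of-day: [start, end)
    valid_until: Optional[date] = None                 # date constraint
    enabled_media: Optional[Set[str]] = None           # e.g. {"sms", "voice"}
    require_device_response: bool = False              # event constraint
    max_failures: int = 3                              # event that triggers the halt
    procedure: str = "one_time_code"                   # particular procedure to employ


@dataclass
class Attempt:
    """Facts about the current attempt (constructed input to the evaluator)."""
    user_id: str
    when: datetime
    country: str
    medium: str
    device_responded: bool
    failures_today: int


def violated(c: Constraints, a: Attempt) -> List[str]:
    """Return the names of constraints the attempt violates (empty: may proceed)."""
    out: List[str] = []
    if c.allowed_countries is not None and a.country not in c.allowed_countries:
        out.append("geographic")
    if c.time_window is not None:
        start, end = c.time_window
        if not (start <= a.when.time() < end):
            out.append("time_of_day")
    if c.valid_until is not None and a.when.date() > c.valid_until:
        out.append("date")
    if c.enabled_media is not None and a.medium not in c.enabled_media:
        out.append("communications_medium")
    if c.require_device_response and not a.device_responded:
        out.append("event")
    return out


@dataclass
class ServiceActions:
    """Carries the halt and alert actions across attempts for all users."""
    halted: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

    def decide(self, c: Constraints, a: Attempt) -> str:
        """Apply the policy: 'halted', 'denied:<reasons>' or 'proceed:<procedure>'."""
        if a.user_id in self.halted:
            return "halted"
        if a.failures_today >= c.max_failures:
            # Halt service for this user after the specified event and raise an alert.
            self.halted.add(a.user_id)
            self.alerts.append(f"{a.user_id}: halted after {a.failures_today} failures")
            return "halted"
        reasons = violated(c, a)
        if reasons:
            self.alerts.append(f"{a.user_id}: denied ({', '.join(reasons)})")
            return "denied:" + ",".join(reasons)
        return "proceed:" + c.procedure


def run_demo() -> List[str]:
    """Three constructed attempts against one policy; returns the decisions."""
    policy = Constraints(allowed_countries={"US"}, time_window=(time(8, 0), time(18, 0)),
                         valid_until=date(2017, 12, 31), enabled_media={"sms"},
                         require_device_response=True, max_failures=3)
    svc = ServiceActions()
    attempts = [
        Attempt("alice", datetime(2017, 10, 2, 9, 30), "US", "sms", True, 0),
        Attempt("alice", datetime(2017, 10, 2, 23, 5), "FR", "voice", False, 1),
        Attempt("alice", datetime(2017, 10, 3, 10, 0), "US", "sms", True, 3),
    ]
    return [svc.decide(policy, a) for a in attempts]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The halt check runs before the constraint checks so that a user who has crossed the failure threshold is refused without the service sending anything further over the third medium, and the alert list gives the operator a record of both the halts and the individual denials.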

14. Independent Claim 12 is obvious in view of Harris and Owen

a) A method for authenticating, by an authentication service, a user of the authentication service to an authentication-service client that communicates with the user of the authentication service through a first communications medium, the method comprising

Like the '213 Patent, Harris is directed to a "System and Method for Authenticating Users Using Two or More Factors." (EX1004). Just as described in the specification of the '213 Patent, Harris discloses a method for authenticating users where a user communicates with an authentication-service client through a first communications medium, such as the Internet. For example, Harris describes a method where the user sends requests to the client over a network (such as the Internet). (Id. at 15:30-32, 18:22-26, 19:19-22).

b) receiving user-identifying information from the authentication-service client;

Harris discusses Figure 4B, stating "the user may make the request for a service 410 and provides the user identifier and password of the user [to the client]." The user identifier identifies the user, and this information is sent from the client to the authentication system to perform the additional authentication procedures. (Id. at 15:30-33, FIG. 4B (see below)). Step 410 of Figure 4B, highlighted below, shows the authentication service receiving user-identifying information from the authentication-service client. (Id. at Fig. 4B, 15:30-44).

c) using the user-identifying information received from the authentication-service client to carry out an authentication procedure to authenticate the user of the authentication service by sending information to the user of the authentication service through a communications medium different from the first communications medium; and

Harris discloses using the user identifier and password, as mentioned above, to carry out an authentication procedure (i.e., sending authentication information to the user) using a communications medium (e.g., a telephone network) different from the first communications medium (e.g., the Internet). (E.g., id. at 8:39-42). Harris teaches that when a user enters his username to sign onto a web site, the request is forwarded to the authorization service managers which "can immediately call the user's phone number and provide a unique code to the user, which the user then enters into the site along with his password." (Id.; see also supra § IX.A.1 (discussing the authorization service modules in the site of Fig. 7)). Figure 4B, shown below with the relevant steps highlighted, discloses "[a]t step 414, an authentication method [is] identified based on the type of service requested, the user identifier, or both." (Id. at 15:37-44) (emphasis added).

Alternatively to telephone as the different-from-the-first communications medium, Harris discloses other additional communications media may be used to authenticate the user in response to the initial user identifier. (See, e.g., id. at 7:17-23, 9:40-44, 10:22-25, 18:22-26, 19:8-22; see also Fig. 7).

d) returning a[n] authentication result to the authentication-service client.

As discussed above in relation to claim element 3[b] (supra § IX.A.5.b), Harris discloses returning an authentication result to the authentication-service client.


15. Dependent Claim 13 is obvious in view of Harris and Owen

a) The method of claim 12 wherein, as part of the authentication procedure, the authentication service transmits information to the user of the authentication service which the user of the authentication service then subsequently transmits to the authentication-service client.

The discussion above in relation to claim elements 12[c]-[d] and 3[b] describes Harris's disclosure of the transmission of authentication information to the user. (Supra §§ IX.A.5.b, IX.A.14.c-d). For example, Harris discloses the authentication service providing the user with an authentication code [i.e., information] over a phone network, that the user then subsequently transmits to the client to authenticate the user. (EX1004 at 7:17-23, 8:39-42, 16:43-52).

16. Dependent Claim 14 is obvious in view of Harris and Owen

The limitations of claim 14 are substantially similar to those of claim 3, and are thus likewise met for the reasons discussed above in relation to claim 3. (Supra § IX.A.5.a-b).

17. Dependent Claim 15 is obvious in view of Harris and Owen

The limitations of claim 15 are substantially similar to those of claim 4, and are thus likewise met for the reasons discussed above in relation to claim 4. (Supra § IX.A.6).

18. Dependent Claim 16 is obvious in view of Harris and Owen

The limitations of claim 16 are substantially similar to those of claim 5, and are thus likewise met for the reasons discussed above in relation to claim 5. (Supra § IX.A.7).

19. Dependent Claim 17 is obvious in view of Harris and Owen

The limitations of claim 17 are substantially similar to those of claim 6, and are thus likewise met for the reasons discussed above in relation to claim 6. (Supra § IX.A.8).

B. Ground II: Claims 1-10 are obvious in view of Vandergeest and Delany

1. Summary of U.S. Patent 7,765,580 to Vandergeest et al. ("Vandergeest")

Vandergeest describes a method and apparatus for providing user authentication using a back channel (defined as a secondary communications channel different than the primary communications channel (e.g., the Internet), such as an SMS or telephone channel (EX1005 at 7:1-5)) and multi-factor authentication. An overview of the Vandergeest system is illustrated in Figure 3, shown below.

Referring to Figure 3, Vandergeest describes a first unit (i.e., a first user device) (300) providing primary authentication information, such as user identification data and/or password data, to a second unit (i.e., a web server/authentication-service client) (302) via a primary channel (310), such as the Internet, in an effort to be authorized to gain access to resources on the second unit. (EX1005 at 3:15-29, 4:10-55). The second unit (302), which is operatively coupled to an authentication unit (AU) (304) via a suitable link (unnumbered communications medium in Fig. 3, connecting 302 to 304), transmits the primary authentication information to the AU. (Id.). In some embodiments, the AU is directly connected to this second unit; in other embodiments, the AU is an intermediary device/step. (Id. at 4:29-44). The AU (304) generates an authentication code and sends the code to a third unit (i.e., another user device) (306) via the second unit (302), choosing the third unit based on the primary authentication information and retrieved stored authentication policy (which has been previously registered to be associated with the third unit). (Id. at 3:18-29). The code from the third unit (306) is transmitted to, or manually entered by the user to, the first device (300), which sends the code back to the AU (304) (via the second unit (302)) to authenticate the first unit/user. (Id.). The AU, having thus authenticated the user, can tell the second unit that the user has been authenticated and should be granted access to the requested resources. (Id. at 3:15-29, 4:10-55).

2. Summary of U.S. Patent Publication 2002/0156879 by Delany et al. (Delany)

Delany describes policies for modifying group membership and a User

Manager (within an Identity Server) that manages the identity profiles [and

access privileges] for individual users. (EX1007 at 107-108).

Delany focuses on an Identity Server that works in tandem with an Access

Server to authorize entities (e.g., users) to access network resources. (Id. at 106-

107). Figure 1, below, shows the Access Server 34 and the User Manager 42

(within the Identity Server 40) in the context of the system. (See, e.g., id. at 96-

98).


Specifically, the User Manager handles the functions related to user

identities and access privileges, including creation and deletion of user identity

profiles, modification of user identity profile data, determination of access

privileges, and credentials management of both passwords and digital certificates.

[Thus the user can] create, delete, and modify functions of user identity

management. (Id. at 108).

Importantly, the responsibility for creating, deleting, or modifying the

functions of user identity management through the User Manager can be delegated

to the individual users. (Id. at 109). Table 1 from Delany, shown annotated

below, describes the types of different tasks that can be performed with workflows

through the User Manager. (EX1007 at 181 (highlighted)):


The attribute a user may change, which will later be used to authenticate

the user as part of the authentication process, is created based on templates

(forms) by users with sufficient privileges. (Id. at 184).

3. Independent Claim 1 is obvious in view of Vandergeest and Delany

a) A user-authentication service implemented as routines that execute one or more computer systems interconnected by two or more communications media with both an authentication-service client, and a user, the user-authentication service comprising

Vandergeest discloses a method and apparatus for user authentication using a

back channel. (EX1005). Vandergeest discloses:

(i) an authentication unit (AU) that corresponds to the authentication

service provider (ASP) of the '213 Patent: both the AU and ASP function to

authenticate users to websites or service providers and store authentication policies

for users (id. at 3:30-43);

(ii) a second unit that corresponds to the authentication-service client of

the '213 Patent: both represent websites or services that provide resources to

authenticated users (id. at 4:17-20, 7:28-34); and

(iii) a first unit and third unit that correspond to the user device and

different user device of the '213 Patent, respectively: the first and third units of

Vandergeest represent different user-controlled devices (id. at 3:30-37). (Compare

EX1005 at 3:15-29, 4:10-55, Fig. 3 with EX1001 at 2:1-18, 3:47-67, Fig. 3).


As evidenced by Figure 3, shown below, the units disclosed by Vandergeest

are interconnected through a plurality of communication channels (i.e.,

communications media), where the primary channel 310 is wired or wireless

communications medium (such as the Internet) (EX1005 at 4:10-27), the suitable

link (arrow connecting 302 to 304) is an internal communications medium (such

as a LAN) (id. at 4:29-34), and the back channel 312 is a different

communications medium (such as a telephone or SMS line) (id. at 7:1-5). (See also

id. at Fig. 3, 6:58-7:5). Thus, Vandergeest discloses the authentication service,

authentication-service client, and user of the '213 Patent, which are one or more

computer systems interconnected by two or more communications media.


b) the one or more computer systems;

As noted directly above in IX.B.3.a, Vandergeest discloses the

authentication service, authentication-service client, and user of the '213 Patent,

which are one or more computer systems. (EX1005 at 4:10-44.)

c) stored user-authentication policies specified by the user;

Vandergeest discloses an authentication database 18 that contains

destination unit data 22 on a per user basis. (E.g., EX1005 at 4:31-40, 7:40-46).

The destination unit data is a parameter of the authentication policy because it is

used to carry out the authentication, as described above. (See supra IX.B.1). The

database information is populated based on a registration process carried out

between a user device and the second unit and uses the destination unit data as a

constraint for the policies stored in the database. (Id.) (emphasis added). The user

specifies a policy template, for example the requirement of possession of a

destination unit, during the registration process. (EX1005 at 4:31-40, 7:40-46). The

destination unit data in combination with a policy template (e.g., send password to

stored destination unit) is an authorization policy. (Id. at 9:42-51, 3:37-43, 4:35-38).

As noted above in VIII.B, the claim term "specified by a user" should be construed

to at least include the user selecting from policy templates that describe available

types of policies; thus the disclosure from Vandergeest meets this limitation.

Further, the term "user-authentication policies" should be construed as a stored set,


associated with a user, of one or more constraint(s) and/or parameter(s) associated

with user-authentication processes. (Supra VIII.A). Figure 3 of Vandergeest,

shown highlighted below, illustrates the authentication database in the system and

the stored set of one or more constraints associated with a user (i.e., policies). (Id. at

Fig. 3).

Still further, in lawsuits filed by Smart Authentication, it has claimed

"whether a phone call or text message authentication has been enabled and the

corresponding telephone numbers" is a policy that would meet this limitation. (See,

e.g., Ex. 1008 at 26). Thus, even under the patent owner's reading, the destination

unit information, coupled with the requirement of a phone call or text (i.e., a policy


template), discloses the stored user-authentication policies specified by the user.

(EX1003 at 103-104).

d) stored user information;

Vandergeest discloses a system that stores user information within an

authentication database. For example, Vandergeest discloses that the authentication

database 18 stores, on a per-user basis, a user ID 24, associated password or hashed

password 26 (if used) and destination unit data 22. (EX1005 at 4:31-40; see also id.

at 7:36-50). Figure 3 of Vandergeest, highlighted above, illustrates the

authentication database in the system and the stored user information.


e) account interface routines that implement an account interface by which the user specifies, modifies, adds, and deletes user-authentication policies; and

Vandergeest describes a registration process during which the user supplies

information that populates the authentication database, which may include

destination unit data, a user ID field, a password verification field, and/or a

device address field as policy constraints. (EX1005 at 4:38-61.) Thus Vandergeest

discloses adding or specifying user-authentication policies as these constraints,

combined with the authentication routine templates, are the stored authentication-

policies.

Vandergeest does not specifically disclose the registration process includes

routines by which the user can delete or modify existing policies; including such a

routine would have been obvious based on prior art solutions where account

management utilities allowed users to specify/modify/add/delete policies. (EX1003

at 108). To the extent an explicit disclosure is preferable, such an account

interface routine/management utility is described in Delany (EX1007), as discussed

below.

Delany teaches the Identity System provides for the creation, removal,

editing and other managing of identity information stored in various types of data

stores. The identity information pertains to users [and f]or each entry in the data

store, a set of attributes are stored. (EX1007 at 11). Using a User Manager,


i.e., an account interface, a user can create, delete, and modify functions of user

identity management, where the authorization decisions about whether to return

requested resources to an end user are determined based on rules that are evaluated

based on the end user's identity profile. (Id. at 107-116) (emphasis added). This

allows for [c]ompanies [to] assign the responsibility for maintaining user identity

data to the people closest to it. For example, individual users can be allowed to: (1)

add themselves ... (2) modify personal or professional information about

themselves ... (3) change a piece of information in their identity profiles that can

determine their access rights. (Id. at 109). Because this User Manager is an

interface through which a user can modify their account details, it corresponds to the

account interface of the claim.

Mr. Gray confirms a POSITA would have been motivated to combine the

teachings of Vandergeest and Delany to incorporate the user-controlled account

interface routines of Delany into the account management of Vandergeest to achieve

predictable benefits. (EX1003 at 119). Indeed, Delany provides the motivation to

combine, noting that its user-controlled account interface routines provide the

predictable benefits of alleviat[ing] the burden on administrators where the

number of users is enormous and the task of adding and removing users can be

extremely burdensome. (EX1007 at 13). Further, allowing users to delete

policies would result in the predictable benefits of saving memory and ensuring


there are no policies associated with old user devices that are no longer used/under

the control of the user, thus increasing the security of the authentication procedure.

(EX1003 at 119). Therefore, as noted above, it would have been obvious to

combine the user-controlled account interface routines of Delany into the account

management of Vandergeest.

f1) authentication-interface routines that implement an authentication interface by which, following initiation of a transaction by the user with the authentication-service client, the authentication-service client submits an authentication request, through the first communications medium or through a second communications medium, to authenticate the user,

Vandergeest teaches a user 308 may use the first unit 300 [e.g., a laptop] to

contact the second unit 302 [i.e., the authentication-service client] via primary

wireless channel 310 wherein the second unit 302 has access-controlled resources

requiring authentication. (EX1005 at 8:43-46). The primary channel of

Vandergeest corresponds to the first communications medium of the '213 Patent

as both are used to initially connect the user to the client; the suitable link of

Vandergeest corresponds to the second communications medium of the '213

Patent, as both are communications links connecting the authentication unit to the

authentication client (i.e., second device in Vandergeest). (Compare EX1005 at

3:15-29, 4:10-55, Fig. 3 with EX1001 at 2:1-18, 3:47-67, Fig. 3).


Following this initiation of a transaction between the user and client,

Vandergeest discloses that the client submits an authentication request to the

authentication service through a second communications medium, stating [t]he

second unit 302 contacts the authenticator 304 [i.e., the authentication service] via a

suitable communication link or bus, and passes the sent primary authentication

information, namely the sent user ID, so that the authentication unit can determine if

the user is listed in the authentication database 18. (Id. at 8:52-56) (emphases

added). Subsequently, [i]f the received user ID is listed in the database, the

authentication unit retrieves the authentication record associated with the user. For

example, this may include, for example, a user ID, SMS address, and other

authentication information. (Id. at 8:63-67). Thus, the authentication routines

disclosed by Vandergeest include sending authentication information to the

authentication unit through a second communications medium (i.e., a suitable

communication link or bus) to authenticate the user.

f2) the authentication-interface routines employing a variable-factor authentication, when specified to do so by stored user-authentication policies, to authenticate the user on behalf of the authentication-service client during which the user communicates with the user-authentication service through a third communications medium different from the first and second communications media and a user device different from that employed by the user to initiate the transaction with the authentication-service client.

Vandergeest discloses:


(i) employing a variable-factor authentication (when specified by the stored

authentication policies),

(ii) the user communicating with the authentication service through a third

communications medium, and

(iii) a user device different from that employed by the user to initiate the

transaction.

As explained above, the first unit of Vandergeest corresponds to the first

user device of the '213 Patent; the second unit of Vandergeest corresponds to the

authentication-service client of the '213 Patent; the AU of Vandergeest

corresponds to the authentication service provider (ASP) of the '213 Patent; the

primary channel of Vandergeest corresponds to the first communications

medium of the '213 Patent and is generally the Internet; the suitable link of

Vandergeest corresponds to the second communications medium of the '213

Patent and refers to an internal communications medium (such as a LAN); the third

device of Vandergeest corresponds to the user device different from that employed

by the user to initiate the transaction of the '213 Patent; and the back channel of

Vandergeest, a telephone or SMS communications medium, corresponds to the

third communications medium different from the first and second communications

media of the '213 Patent. (Compare EX1005 at 3:15-29, 4:10-55, Fig. 3 with

EX1001 at 2:1-18, 3:47-67, Fig. 3). (See supra IX.B.1).


First, Vandergeest describes multi-factor authentication, disclosing that [i]f

the received user ID is listed in the database, the authentication unit retrieves the

authentication record associated with the user. For example, this may include, for

example, a user ID, SMS address, and other authentication information. (EX1005

at 8:63-67) (emphasis added). This other authentication information corresponds

to the other factors that can be used to authenticate a user, as will be discussed

below.

Next, Vandergeest discloses the authentication service communicating

through a third communications medium (different from the first and second) to a

user device different from that employed by the user to initiate the transaction. For

example, Vandergeest discloses that if the stored user-authentication policy requires

that the user has a third unit (i.e., a user device, different than the first), the

authentication unit generat[es] the authentication code to send to the third device.

(Id. at 9:9-11; see also id. at Fig. 3). Next, to authenticate itself, the user obtains

the authentication code from the third unit and enters it into the first unit. (Id. at

9:22-24). As noted above, the term "variable-factor authentication" should be

construed as both secret information (e.g., a password) and evidence of control of a

tangible object (e.g., a cell phone). (Supra VIII.C). The third unit of

Vandergeest corresponds to this tangible object and the authentication code

and/or user password of Vandergeest corresponds to the secret information.


Finally, Vandergeest makes clear that an alternate channel [i.e., a third

communications medium such as an SMS or telephone line] is used during the session

to provide authentication information in addition to user ID and/or a password to

provide multi-factor authentication. (Id. at 13:61-67; see also id. at 3:24-29, 6:50-

56, 7:1-5, 7:53-56 (describing the back channel as a different communications

medium than the primary channel)) (emphasis added). Mr. Gray confirms that by

requiring a third unit (i.e., second user-device) that communicates over a back

channel, Vandergeest discloses a variable-factor (e.g., requiring the third unit and

code) authentication during which the user communicates with the user-

authentication service through a third communications medium. (EX1003 at 110-

114).

4. Dependent Claim 2 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 1 wherein the authentication service stores user-authentication policies and user information for multiple users, provides an account interface to the multiple users, and provides an authentication interface to multiple authentication-service clients.

Vandergeest discloses storing policies and providing account interfaces for

multiple users and providing authentication interfaces for multiple clients.

Vandergeest teaches the registration process, during which the user supplies the

information that populates the authentication database, is performed on a per user

basis. (EX1005 at 4:38-61; see also id. at Fig. 1 (showing database information per


user)). A POSITA would have recognized that if the registration process is

performed on a per user basis, the authentication interface also performs on a

per user basis for each client. (EX1003 at 99).

Further, Vandergeest discloses that the authentication unit can be a separate

entity from the second unit (i.e., the authentication-service client) in some

embodiments. (EX1005 at 6:58-62). In this case, the second unit may be any other

unit that has access to [the] authentication unit. (Id. at 3:51-57). Thus a POSITA

would have recognized that there may be multiple second units (i.e., clients) that

have access to the authentication interface to communicate with the authentication

unit to authenticate clients because the second unit represents any other unit that

has access to the authentication service. (EX1003 at 200). At the very least, it

would have been obvious to a POSITA to have multiple second unit[s] that have

access to the authentication service because having one authentication service for

multiple clients would provide the predictable benefit of being more efficient (as

opposed to a separate authentication service for each client). (Id.)

Further, Delany discloses a user account system, including both an account

interface (to register and store user data) and authentication interface (to thereafter

authenticate the registered user), that works on a per user basis (i.e., for multiple

users). (EX1007 at 107).


5. Dependent Claim 3 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 1 wherein the user-authentication service undertakes the authentication procedure by: using the electronically-encoded information about the user to retrieve all stored user-authentication policies for the user;

Vandergeest discloses a method [for] determining, based on a received user

ID [i.e., electronically-encoded information about the user], which destination unit,

other than the first unit 300, will receive an authentication code [i.e., retrieving the

stored user-authentication policy for the user] via the wireless back channel 312.

(EX1005 at 8:56-60). As noted above, the stored authentication policy includes

which destination unit should receive the authentication code and the method of

communication utilized to send the code. (Id. at 8:60-64). Retrieving user-

authentication policies based on received electronically-encoded user-information is

also illustrated in step 404 of Figure 4, shown below with highlighting.

As can be seen in Figure 3, highlighted below, each user has one stored policy

in the authentication database (including user's device address and other

authentication information); thus by retrieving the policy, the system has retrieved

all stored policies for that user. (Id. at Fig. 3).


b) when the retrieved stored user-authentication policies permit the authentication procedure to proceed, conducting the authentication procedure in order to authenticate the user to the authentication-service client; and returning an authentication result to the authentication-service client.

Vandergeest discloses carrying out the authentication procedure, based on the

retrieved authentication policies, to authenticate a first unit (i.e., first user device) to

second unit (i.e., a client), whereby the authentication result is returned to the second

unit to give the user access to the requested resources. Referring to Figures 3 and 4,

shown highlighted below, Vandergeest discloses conducting the authentication

procedure (i.e., generating and sending the authorization code to the user-controlled

third device) (steps 406-412 of Fig. 4), authenticating the user (step 414 of Fig. 4),

and then returning the authentication code (i.e., authentication result) to the second

unit (i.e., client) (id. at 9:30-31 (because the user is granted access to the resources,

authentication results must have been returned to the second)). (See also id. at 6:58-

7:34, 7:57-8:5, 9:32-37; EX1003 at 115). At the least, it would have been obvious

to modify the system so the AU returns the authentication result to the second unit

so that the second unit (i.e., the claimed client) has reassurances that the user has

been authenticated and has independent records of the successful authentication in

case the system is compromised. (EX1003 at 115).

Additionally, in the embodiment where the authentication service is within the

same server as the second unit (authentication-service client) then the user, in step


414 of Figure 4, directly returns the authentication code (i.e., authentication result)

to the second unit (authentication-service client). (EX1005 at 8:34-35). As noted

above, the term returning a[n] authentication result, should be construed to at least

cover returning a password, thus returning the authentication code to the client

satisfies this limitation. (Supra VIII.D).

6. Dependent Claim 4 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 3 wherein the authentication procedure for any single policy may comprise: a uni-directional or bi-directional exchange of information with the user through the third communications medium.

Vandergeest discloses authentication procedures for a single policy using

either a uni-directional or bi-directional exchange of information over the back


channel (i.e., third communications medium). For example, Vandergeest describes

two embodiments: In the first embodiment (illustrated in Figure 1, shown annotated

below) the authentication unit sends secondary authorization information to the user

over a back channel (i.e., third communications medium) and then the user resends

the information back to the second device over the original communications

medium, thus comprising a uni-directional exchange of information over the back

channel. (EX1005 at Fig. 1, 4:10-55).

In the second embodiment, as illustrated in Figure 3 (shown below with the

first and third communication channels highlighted), the communications between

the second unit (client) 302 and third unit (user device) 306 over the third

communications medium 312 is bi-directional; the user receives the secondary

authorization information over the third communications medium 312 and returns

the information over the same communications medium. (Id. at Fig. 3, 6:58-7:5).


7. Dependent Claim 5 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 4 wherein the information is a password that the user can subsequently input to the authentication-service client to prove to the authentication-service client that the user has been authenticated by the user-authentication service.

Vandergeest discloses that the information sent to the third device (i.e., user

device different than the first unit/user device) that the user subsequently inputs to

prove to the second device (i.e., authentication-service client) it has been

authenticated, can be a simple authentication code. (See e.g., id. at 9:24-32 (The

first unit returns the authentication code obtained as received by the third unit back

to the second unit via the primary wireless channel as shown in block 412 ... [i]f they

correlate, the user is authenticated and proceeds to use the appropriate resources via

the second unit 302.); see also Fig. 4) (emphasis added). This authentication

code is merely a password because it represents a short alpha-numeric secret used

to gain access to something, which is the definition of a password. (EX1003 at

113).

8. Dependent Claim 6 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 5 wherein the authentication result includes the password.

Vandergeest discloses the limitations of Claim 6, where the authentication

result is, or includes, the generated code (i.e., password) that was sent to the user.

As discussed above, in one embodiment the user returns the code it received from


the AU (i.e., authentication result) directly to the second device (i.e., client), proving

that it has possession of the third device and is authenticated. (See e.g., EX1005 at

9:24-32). This authentication result thus is, or includes, the code that was sent to the

user by the authentication service. (Id.). In another embodiment, the user returns

the code to the authentication service (via the second unit) and the authentication

unit 304 compares the resent authentication code with the authentication code that

was sent to the third unit 306. (Id. at 7:28-34). If the codes match, then the AU

tells the second unit that the user was authenticated and should be granted access.

(Id.) Although Vandergeest does not explicitly say that the authentication result

includes the password in this embodiment, it would have been obvious to include the

code within the authentication result because the code itself is what authenticates the

user, as noted above. (EX1003 at 115). Thus because the password is the

authentication result in the first embodiment, it would be obvious to use the

password as the authentication result in the second embodiment where Vandergeest

is silent as to the nature of the authentication result. (Id.)


9. Dependent Claim 7 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 1 wherein the stored user information includes one or more of: the user's name; the user's address; passwords specified by the user; the user's contact information; the user's billing information; and the user's employment information.

Vandergeest discloses that the authentication database 18 stores, for a

plurality of users, on a per-user basis, a user ID 24, associated password or hashed

password 26 (if used) [i.e., passwords specified by the user] and destination unit

data 22 [i.e., user address and/or contact information]. (Id. at 4:31-40) (emphasis

added). Vandergeest also discloses that the stored information may include, for

example, a user ID, SMS address [i.e. user address and/or contact information],

and other authentication information. (Id. at 8:63-67) (emphasis added). A

POSITA would have recognized that the user's billing information, employment

information, or other similarly identifying information, falls within the broad

category of other authentication information as disclosed by Vandergeest

because it can all be used to identify a user. (EX1003 at 105). At the least, it

would have been obvious to a POSITA to use other user information, such as those

categories mentioned above, to identify the user. (Id.).


10. Dependent Claim 8 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 7 wherein the user's contact information includes one or more of: the user's computer's trusted communications addresses; trusted telephone numbers of the user's landline and cell phones; contact information for the user's trusted hand-held computing devices; the user's email addresses; and internet addresses for interne[t]-related accounts through which the user can receive information.

Vandergeest describes storing contact information for users, including

destination unit data [i.e., contact information for user's trusted hand-held

computing device], sufficient information in order to allow the third unit 306 to be

communicated to, SMS address [i.e., contact information for user's cell

phone/hand-held computing device], or a pager address [i.e., contact information

for user's trusted hand-held computing device]. (Id. at 4:31-40, 7:10-19, 8:63-67,

Fig. 3). A POSITA would have recognized that the user's landline telephone

number, email address, or internet address, falls within the broad category of

sufficient information in order to allow the third unit 306 to be communicated to

as disclosed by Vandergeest. (EX1003 at 105). At the least, it would have been

obvious to a POSITA to store and use other user contact information, such as those

categories, to contact the user during the authentication procedure. (Id.).


11. Dependent Claim 9 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 1 wherein a user-authentication policy specifies one or more of: constraints and parameters associated with user-authentication processes carried out by the user-authentication service on behalf of one or more, specified authentication-service clients.

Vandergeest discloses the various constraints/parameters from this claim.

Vandergeest discloses that the user-authentication policy specifies which password

or third device (i.e., different user device) must be in possession of the user and must

be utilized as part of the user-authentication process for a specific authentication-

service client. (See, e.g., id. at 4:31-40, 8:63-67, Figs. 3-4). These requirements,

such as utilizing a specific password or specific third-device, are examples of

constraints and parameters associated with user-authentication processes because

they represent the substance of the authentication policies. (EX1003 at 103).

Further, in lawsuits filed by Smart Authentication, it has claimed that

"whether a phone call or text message authentication has been enabled and the

corresponding telephone numbers" is a constraint or parameter for authentication of

a user that would meet this limitation. (See, e.g., Ex. 1008 at 26). Because

Vandergeest discloses determining whether a phone call or text message

authentication has been enabled and the corresponding communication information,

it renders this limitation obvious.


12. Dependent Claim 10 is obvious in view of Vandergeest and Delany

a) The user-authentication service of claim 9 wherein constraints include one or more of: geographical constraints; time-of-day constraints; date constraints; communications-medium-related constraints; user-authentication service actions; and event constraints.

Vandergeest discloses that a user can implement a communications-medium-

related constraint based on the particular type of third unit that they register during

the registration process. (EX1005 at 7:1-5, 9:1-8). For example, the user can

register a cell phone that communicates via an SMS channel or a pager that

communicates via a pager network. (Id.). Vandergeest also discloses an event

constraint, such as requiring that the authentication code input happens within a

certain period of time (i.e., the event must happen in a certain period of time). (Id. at

6:19-22). At the very least, including these categories of constraints would have

been obvious to a POSITA to maximize the options that a user can select for

authentication policies. (EX1003 at 106).

Further, in lawsuits filed by Smart Authentication, it has claimed that

constraints [that] include a communications-medium-related constraint, such as

whether SMS/text Message or Phone Call authentication has been enabled would

meet this limitation. (See, e.g., Ex. 1008 at 27). Because Vandergeest discloses

constraints based on SMS/text messages and phone calls, it renders this limitation

obvious.

72
IPR2017-02047
U.S. Patent 8,082,213

C. Ground III: Claims 12-17 are obvious in view of Vandergeest

1. Independent Claim 12 is obvious in view of Vandergeest

a) A method for authenticating, by an authentication service, a user of the authentication service to an authentication-service client that communicates with the user of the authentication service through a first communications medium, the method comprising

Vandergeest discloses a method and apparatus for user authentication using a back channel. (EX1005). Vandergeest describes an authentication-service client that communicates with the user of the authentication service through a primary channel, which is the Internet or another wireless channel (i.e., a first communications medium). (Id. at 7:6-8, 8:43-46; EX1003 at 58.)

b) receiving user-identifying information from the authentication-service client;

Vandergeest discloses the authentication service receives user-identifying information from the client. For example, Figure 4 discloses that in step 404, "[t]he second unit 302 [i.e., client] contacts the authenticator 304 via a suitable communication link or bus, and passes the sent primary authentication information, namely the sent user ID, so that the authentication unit can determine if the user is listed in the authentication database 18." (EX1005 at 8:43-56, Fig. 4 (shown highlighted below)).

c) using the user-identifying information received from the authentication-service client to carry out an authentication procedure to authenticate the user of the authentication service by sending information to the user of the authentication service through a communications medium different from the first communications medium; and

Vandergeest discloses the authentication service uses the received user information to carry out an authentication procedure by sending a code to the user through a "back [or alternate] channel" (i.e., a communications medium different from the first communications medium). (EX1005 at 8:56-60). The user information forwarded from the client to the AU in Vandergeest includes a user ID and/or password. (Id.; see also id. at Fig. 4 (step 404)). Figure 4 of Vandergeest discloses the authentication service, after receiving the user information, sends a randomly generated, but locally stored authentication token or code to the third device via the alternate channel. (EX1005 at 9:9-24, Fig. 4 (shown below with highlighting)).

Figure 3 of Vandergeest also shows the primary channel 310 to first unit 300 and wireless back channel 312 to third unit 306. (EX1005 at 6:50-57, 6:66-7:4, Fig. 3 (shown below with primary channel in red, back channel in blue)).

d) returning a[n] authentication result to the authentication-service client.

As discussed above in relation to claim element 3[b] (supra, IX.B.5.b.), Vandergeest discloses returning an authentication result to the authentication-service client.

2. Dependent Claim 13 is obvious in view of Vandergeest

a) The method of claim 12 wherein, as part of the authentication procedure, the authentication service transmits information to the user of the authentication service which the user of the authentication service then subsequently transmits to the authentication-service client.

Vandergeest describes an embodiment (illustrated in Figure 1, shown annotated below) where the first unit (i.e., user) 10 connects to the second unit (i.e., authentication-service client) 12 over a primary channel 14, where the second unit 12 is operatively coupled through a suitable link (i.e., second communications medium) 20 to the authentication database (i.e., authentication service within the second unit) 18.

In this embodiment the authentication unit sends secondary authorization information to the user over a back channel (i.e., third communications medium, as described in claim element 1[f2]) and then the user resends the information back to the second device over the original communications medium. (EX1005 at Fig. 1, 4:10-55).
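The back-channel exchange this Ground relies on (the client passes a user ID to the authentication unit, the unit checks its database, sends a randomly generated but locally stored code over a separate channel, the user resends that code over the primary channel, the unit returns a result to the client, and, per the event constraint discussed under claim 10, the code must be used within a set period) is illustrated below as an added Python example. It is not part of the petition, of Vandergeest, or of the '213 Patent; the user database, the phone number, the 120-second window and the queue-based "back channel" are constructed placeholders standing in for a real directory and a real SMS or pager network.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values: the "certain period of time" window and code length.
CODE_LIFETIME_SECONDS = 120
CODE_LENGTH = 6


@dataclass
class PendingCode:
    code: str          # the locally stored code; it is never returned to the client
    issued_at: float   # clock reading when the code was sent over the back channel


class BackChannel:
    """Simulated SMS/pager network: messages are queued per destination address."""

    def __init__(self):
        self.inbox = {}

    def send(self, address, message):
        self.inbox.setdefault(address, []).append(message)

    def receive(self, address):
        msgs = self.inbox.get(address, [])
        return msgs.pop(0) if msgs else None


class Authenticator:
    """Authentication unit: holds the user database and the pending codes."""

    def __init__(self, user_db, back_channel, lifetime=CODE_LIFETIME_SECONDS, clock=time.time):
        self.user_db = user_db          # user ID -> back-channel address (constructed)
        self.back_channel = back_channel
        self.lifetime = lifetime
        self.clock = clock              # injectable so the expiry rule can be exercised
        self.pending = {}               # user ID -> PendingCode

    def begin(self, user_id):
        """Client passes the user ID; if the user is listed, a fresh code goes out of band."""
        address = self.user_db.get(user_id)
        if address is None:
            return False                # user not in the authentication database
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[user_id] = PendingCode(code, self.clock())
        self.back_channel.send(address, code)
        return True

    def complete(self, user_id, submitted_code):
        """Client forwards the code the user typed in; the result is returned to the client."""
        entry = self.pending.pop(user_id, None)   # single use: consumed whatever the outcome
        if entry is None:
            return False
        if self.clock() - entry.issued_at > self.lifetime:
            return False                # event constraint: input arrived outside the window
        return hmac.compare_digest(entry.code, submitted_code)


class Client:
    """Second unit: faces the user on the primary channel, talks to the authenticator over its link."""

    def __init__(self, authenticator):
        self.au = authenticator

    def login_request(self, user_id):
        return self.au.begin(user_id)

    def submit_code(self, user_id, code):
        return self.au.complete(user_id, code)


def run_scenario(elapsed_seconds=0.0, tamper=False, user_id="alice"):
    """Run the whole exchange under a controllable clock; return the result the client receives."""
    now = [1000.0]
    channel = BackChannel()
    au = Authenticator({"alice": "+1-555-0100"}, channel, clock=lambda: now[0])  # constructed DB
    client = Client(au)
    if not client.login_request(user_id):
        return False
    code = channel.receive("+1-555-0100")       # user reads the code on the third unit
    if tamper:                                  # a guessed code instead of the delivered one
        code = "000000" if code != "000000" else "111111"
    now[0] += elapsed_seconds                   # time passes before the user resends the code
    return client.submit_code(user_id, code)    # resent over the primary channel via the client


def replay_is_rejected():
    """A code that already authenticated once must not work a second time."""
    channel = BackChannel()
    au = Authenticator({"alice": "+1-555-0100"}, channel)
    client = Client(au)
    client.login_request("alice")
    code = channel.receive("+1-555-0100")
    first = client.submit_code("alice", code)
    second = client.submit_code("alice", code)
    return bool(first) and not second


if __name__ == "__main__":
    print("fresh code:", run_scenario())
    print("late code:", run_scenario(elapsed_seconds=300))
    print("wrong code:", run_scenario(tamper=True))
    print("unknown user:", run_scenario(user_id="mallory"))
    print("replay rejected:", replay_is_rejected())
```

The code is compared with a constant-time comparison and removed from the pending table before the check so that a late, wrong or repeated submission all fail the same way; the client never sees the code itself, only the boolean result, which is the division of roles the claim language describes.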


3. Dependent Claim 14 is obvious in view of Vandergeest

The limitations of claim 14 are substantially similar to those of claim 3, and are thus likewise met for the reasons discussed above in relation to claim 3. (Supra IX.B.5a-b).

4. Dependent Claim 15 is obvious in view of Vandergeest

The limitations of claim 15 are substantially similar to those of claim 4, and are thus likewise met for the reasons discussed above in relation to claim 4. (Supra IX.B.6).

5. Dependent Claim 16 is obvious in view of Vandergeest

The limitations of claim 16 are substantially similar to those of claim 5, and are thus likewise met for the reasons discussed above in relation to claim 5. (Supra IX.B.7).

6. Dependent Claim 17 is obvious in view of Vandergeest

The limitations of claim 17 are substantially similar to those of claim 6, and are thus likewise met for the reasons discussed above in relation to claim 6. (Supra IX.B.7).

X. CONCLUSION

Unified respectfully requests that a trial be instituted and claims 1-17 of the '213 Patent be cancelled. The Director is authorized to charge for the fees set in 37 C.F.R. § 42.15(a) for this Petition for Inter Partes Review, and further authorizes payment for any additional fees to be charged to McDermott Will & Emery Deposit Account No. 500417, Reference No. 098850-0018.

Date: September 1, 2017

Respectfully Submitted,

/Alexander P. Ott/
Alexander P. Ott, Reg. No. 63,110
Roshan Mansinghani, Reg. No. 62,429
Jonathan Stroud, Reg. No. 72,518

Attorneys for Petitioner


WORD-COUNT CERTIFICATE OF COMPLIANCE

Pursuant to 37 C.F.R. § 42.24(d), I hereby certify that this Petition complies with the type-volume limitation of 37 C.F.R. § 42.24(a)(1)(i) because it contains 13,968 words as determined by the Microsoft Office Word 2010 word processing system used to prepare the petition, excluding the parts of the petition exempted by 37 C.F.R. § 42.24(a)(1).

/Alexander P. Ott/
Alexander P. Ott
McDermott Will & Emery
500 N. Capitol St., NW
Washington, DC 20001

CERTIFICATE OF SERVICE

I hereby certify that on September 1, 2017, I caused a true and correct copy of the following to be served via Federal Express on the addresses listed below.

Petition for Inter Partes Review of U.S. Patent 8,082,213 under 35 U.S.C. § 312 and 37 C.F.R. § 42.104; and

Exhibits for Petition for Inter Partes Review of U.S. Patent 8,082,213 (EX1001-1008)

Correspondence address of record for the subject patent, as listed in the '213 Patent prosecution history:

ASCENDA LAW GROUP, PC
333 W SAN CARLOS ST.
SUITE 200
SAN JOSE CA 95110

Address of record for Attorney representing Smart Authentication IP, LLC in pending district court cases:

STAMATIOS STAMOULIS
STAMOULIS & WEINBLATT LLC
TWO FOX POINT CENTRE
6 DENNY ROAD, SUITE 307
WILMINGTON, DE 19809

/Alexander P. Ott/
Alexander P. Ott
McDermott Will & Emery
500 N. Capitol St., NW
Washington, DC 20001