Improved Method for Overcoming Hacking by Turning On and Off Authentication Held Patent Eligible

Intellectual Property Law

In CosmoKey Solutions GMBH & Co. KG v. Duo Security LLC,1 the Federal Circuit held that an improved method for overcoming computer hacking by turning on and off the authentication process was patent eligible. The court held that the claims recited an improved method for preventing hacking by activating a normally disabled authentication function only for a specific transaction, communicating the activation within a specific time period, and then deactivating the authentication function.

Judge Jimmie V. Reyna concurred, arguing that the majority failed to determine whether the invention was abstract under the first step of the patent eligibility test, but agreeing with the majority that the claims were not abstract because they were directed to a specific improvement to authentication that increased security and prevented unauthorized access by a third party.

U.S. Patent No. 9,246,903 (’903 patent) related to an authentication method that was low in difficulty and high in safety. The specification stated that the authentication method ensures that no third party can fake the identification data of a user in control of his or her mobile device and make unauthorized transactions. The specification further stated that the invention improved the prior art mobile phone authentication methods by activating the authentication function within a short time window after sending the user identification.

The specification explained that instead of forcing the user to enter several authentication factors using different communication channels, the method verifies the user’s identity by sending the user identification through a first communication channel and checking using a second communication channel that an authentication operation was activated in the user’s mobile device.

Claim 1 of the ’903 patent recited the following:

1. A method of authenticating a user to a transaction at a terminal, comprising the steps of:

transmitting a user identification from the terminal to a transaction partner via a first communication channel,

providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user,

as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel,

ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction,

ensuring that said response from the second communication channel includes information that the authentication function is active, and

thereafter ensuring that the authentication function is automatically deactivated.

CosmoKey sued Duo Security LLC for infringement of the ’903 patent. Duo argued that all claims of the ’903 patent were ineligible under 35 U.S.C. § 101 because the claims were directed to the abstract idea of authentication and did not include a patent-eligible inventive concept. The district court granted Duo’s motion, and CosmoKey appealed.

On appeal, the Federal Circuit reversed. Section 101 delineates patent-eligible inventions as “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.”2 The Supreme Court established a two-step test for examining patent eligibility under Section 101 in Alice Corp. v. CLS Bank Int’l as follows: Step one is to “determine whether the claims at issue are directed to a patent-ineligible concept[,]” such as an abstract idea.3 If so, step two considers “the elements of each claim both individually and as an ordered combination to determine whether the additional elements transform the nature of the claim into a patent-eligible application.”4 Step two is “a search for an ‘inventive concept’—i.e., an element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself.”5

The Federal Circuit acknowledged that it had previously determined the eligibility of authentication and verification inventions under Section 101 and held those claims abstract.6 In contrast, the court has held claims reciting specific verification methods different from earlier methods that improved computer technology eligible under Section 101. Increased security can be a nonabstract computer functionality improvement and patent eligible if performed by a specific procedure that differs from earlier procedures to solve a specific computer problem, the court said.7 The court clarified claims were patent eligible when the invention provided a technological benefit by making the system less prone to hacking by modifying the verification procedure.8

The court explained that in the current case, the district court held that the claims were directed to the abstract idea of merely verifying an identity to permit access to transactions. The court was not persuaded “that this broad characterization of the focus of the claimed advance is correct.”9 According to the court:

Rather, the claims and written description suggest that the focus of the claimed advance is activation of the authentication function, communication of the activation within a predetermined time, and automatic deactivation of the authentication function, such that the invention provides enhanced security and low complexity with minimal user input. The critical question then is whether this correct characterization of what the claims are directed to is either an abstract idea or a specific improvement in computer verification and authentication techniques.10

The court held, however, that even using the district court’s limited portrayal of the ’903 patent claims, the claims satisfied step two of Alice.

Considering Alice step two, the court noted that the elements of each claim, both individually and as an ordered combination, should be reviewed to determine whether they transform the nature of the claim into a patent-eligible invention.

The court noted that the district court had determined that the ’903 patent failed Alice step two because it merely described generic computer functionality to implement the abstract concept of authentication. The court, however, disagreed:

The ’903 patent claims and specification recite a specific improvement to authentication that increases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out with mobile devices of low complexity. . . . Contrary to the district court’s conclusion, the ’903 patent discloses a technical solution to a security problem in networks and computers. While authentication of a user’s identity using two communication channels and a mobile phone was known at the time of the invention, nothing in the specification or anywhere else in the record supports the district court’s suggestion that the last four claim steps . . . are conventional.11

The court commented that the patent specification described how the specific combination of steps recited in claim 1 provided a technical improvement over conventional authentication methods. In particular, the patent specification stressed the inventive characteristics of these verification steps and explained that the complexity of the authentication procedure was significantly reduced because the invention authenticated users “with fewer resources, less user interaction, and simpler devices.”12 The court reasoned:

Here, the claim limitations are more specific and recite an improved method for overcoming hacking by ensuring that the authentication function is normally inactive, activating only for a transaction, communicating the activation within a certain time window, and thereafter ensuring that the authentication function is automatically deactivated. The specification explains that these features in combination with the other elements of the claim constitute an improvement that increases computer and network security, prevents a third party from fraudulently identifying itself as the user, and is easy to implement and can be carried out even with mobile devices of low complexity. . . . Here, as the specification itself makes clear, the claims recite an inventive concept by requiring a specific set of ordered steps that go beyond the abstract idea identified by the district court and improve upon the prior art by providing a simple method that yields higher security.13

Accordingly, the Federal Circuit reversed the district court and held the ’903 patent claims were eligible under Section 101.

Judge Reyna concurred with the holding that the ’903 patent claims were eligible under Section 101. However, he concluded that Alice step one should have been applied to determine that the claims were patent-eligible subject matter.

I do not agree, however, with the majority’s analysis or its application of law. In sum, the majority skips step one of the Alice inquiry and bases its decision on what it claims is step two. I believe this approach is extraordinary and contrary to Supreme Court precedent. It turns the Alice inquiry on its head.14

Judge Reyna explained that “once a claim is deemed not directed to an abstract idea, the Alice inquiry ends. We do not proceed to step two.”15 He reasoned:

Employing step one, I conclude that the claims at issue are directed to patent-eligible subject matter. I agree with my colleagues that “[t]he ’903 Patent claims and specification recite a specific improvement to authentication that increases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out with mobile devices of low complexity.” . . . But this is a step-one rationale.16

Takeaways

The court reaffirmed that computer software applications are patent eligible, assuming there is some technical improvement or benefit. The court clearly used the specification as part of the analysis of whether the invention provided a technical improvement. That is, in this case, the invention increased security, prevented unauthorized access by a third party, was easily implemented and could advantageously be used in mobile devices of low complexity. The court also noted that the claim limitations were specific and recited the improved method for overcoming hacking.

Therefore, applicants should carefully draft the specification to clearly describe the technical improvement. On the other hand, patent applicants should ensure that the patent specification minimizes or omits descriptions associated with abstract ideas. Thus, this decision is another cautionary tale for patent applicants that computer software application inventions, in particular, may benefit from providing the technical details of the invention that implements the computer functionality, as well as the technical improvements and benefits. Litigants can exploit these unique characteristics of patent law for computer software applications as well, to either buttress the patent eligibility/validity of the claimed invention or attack it.


Irah Donner is a partner in Manatt’s Intellectual Property practice and is the author of Patent Prosecution: Law, Practice, and Procedure, Eleventh Edition, and Constructing and Deconstructing Patents, Second Edition, both published by Bloomberg Law.


1 CosmoKey Slns. GMBH & Co. KG v. Duo Sec. LLC, 15 F.4th 1091, 2021 USPQ2d 1003, 2021 WL 4515279 (Fed. Cir. 2021).

2 Id., 15 F.4th at 1096 (quoting 35 U.S.C. § 101).

3 Id., 15 F.4th at 1096 (quoting Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 218, 134 S. Ct. 2347, 2355, 110 USPQ2d 1976, 1981 (2014)).

4 Id., 15 F.4th at 1096 (quoting Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 218, 134 S. Ct. 2347, 110 USPQ2d 1976, 1981 (2014)) (internal quotation marks omitted).

5 Id., 15 F.4th at 1096 (quoting Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 217–18, 134 S. Ct. 2347, 110 USPQ2d 1976, 1981 (2014)) (internal punctuation omitted).

6 Id., 15 F.4th at 1096.

7 Id., 15 F.4th at 1097 (citing Ancora Techs. Inc. v. HTC Am., Inc., 908 F.3d 1343, 1348, 128 USPQ2d 1565, 1569 (Fed. Cir. 2018)) (internal quotation marks omitted).

8 Id., 15 F.4th at 1097 (citing Ancora Techs. Inc. v. HTC Am., Inc., 908 F.3d 1343, 1350, 128 USPQ2d 1565, 1570 (Fed. Cir. 2018)).

9 Id., 15 F.4th at 1097.

10 Id., 15 F.4th at 1097 (citing Ancora Techs. Inc. v. HTC Am., Inc., 908 F.3d 1343, 1347, 128 USPQ2d 1565, 1568 (Fed. Cir. 2018)).

11 Id., 15 F.4th at 1098.

12 Id., 15 F.4th at 1099.

13 Id., 15 F.4th at 1099 (citations omitted).

14 Id., 15 F.4th at 1100.

15 Id., 15 F.4th at 1100 (citing Core Wireless Licensing S.A.R.L. v. LG Elecs., Inc., 880 F.3d 1356, 1361, 125 USPQ2d 1436, 1440 (Fed. Cir. 2018), and McRO, Inc. v. Bandai Namco Games Am., Inc., 837 F.3d 1299, 1312, 120 USPQ2d 1091, 1100 (Fed. Cir. 2016)).

16 Id., 15 F.4th at 1101 (quoting Majority Op., 15 F.4th at 1098 (emphasis added)) (citation omitted).

manatt-black

ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved