UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

DUO SECURITY INC., CENTRIFY CORP.,

AND TRUSTWAVE HOLDINGS, INC.

Petitioner

v.

STRIKEFORCE TECHNOLOGIES, INC.

Patent Owner

U.S. Patent No. 8,484,698

Title: MULTICHANNEL DEVICE UTILIZING A CENTRALIZED OUT-OF-BAND AUTHENTICATION SYSTEM (COBAS)

Inter Partes Review Case No. IPR2017-01064

PETITION FOR INTER PARTES REVIEW OF CLAIMS 1-17, 19-24, 53 and 54 OF U.S. PATENT NO. 8,484,698 UNDER 35 U.S.C. §§ 311-319 AND 35 C.F.R. § 42.100 ET SEQ.

TABLE OF CONTENTS

I. Mandatory Notices under 37 C.F.R. § 42.8(b)
   A. Real Party-In-Interest under 37 C.F.R. § 42.8(b)(1)
   B. Related Matters under 37 C.F.R. § 42.8(b)(2)
   C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)
   D. Service Information under 37 C.F.R. § 42.8(b)(4)
II. Grounds for Standing under 37 C.F.R. § 42.104(a)
III. Identification of Challenge under 37 C.F.R. § 42.104(b)
IV. Relevant Information Concerning the Contested Patent
   A. Effective Filing Date of the ‘698 Patent
   B. Brief Description of the ‘698 Patent
   C. The ‘698 Patent Claims
   D. Prosecution History of the ‘698 Patent
V. Proposed Claim Constructions
VI. Prior Litigation Involving Patent Owner
VII. Discussion of Prior Art
   A. Background of the State of the Relevant Art in 2000
   B. Qualification of Prior Art References Under 35 U.S.C. § 102(b)
   C. Feigen
   D. Flanagan
   E. Falk
VIII. Person of Ordinary Skill in the Art
IX. There is a Reasonable Likelihood that the Challenged Claims are Unpatentable
   A. Ground 1: Claims 1-17, 19-24, 53 and 54 are Obvious over Feigen in view of Flanagan and Falk
      1. Overview
      2. Motivation to Combine Feigen with Flanagan and Falk
      3. The Ground 1 Combination Teaches Every Element of Claims 1-17, 19-24, 53 and 54
X. Conclusion

PETITIONER’S EXHIBIT LIST [1]

EXHIBIT NUMBER  DESCRIPTION

1001  U.S. Patent No. 8,484,698
1003  U.S. Patent No. 5,699,513 (“Feigen”)
1005  U.S. Patent No. 5,668,876 (“Falk”)
1007  Application file history of U.S. Patent No. 8,484,698
1008  Application file history of U.S. Patent No. 7,870,599
1009  Reexamination file history of U.S. Patent No. 7,870,599
1011  Application file history of U.S. Patent Application No. 09/655,297
1012  Report and Recommendation in StrikeForce Technologies, Inc. v. PhoneFactor, Inc, et al., Civ. A. No. 13-490-RGA-MPT (DI 168)
1013  Memorandum in StrikeForce Technologies, Inc. v. PhoneFactor, Inc, et al., Civ. A. No. 13-490-RGA-MPT (DI 219)
1014  Memorandum Order in StrikeForce Technologies, Inc. v. PhoneFactor, Inc, et al., Civ. A. No. 13-490-RGA-MPT (DI 223)
1015  Curriculum Vitae of Dr. Patrick D. McDaniel
1016  RFC2869, June 2000. (https://www.ietf.org/rfc/rfc2869.txt, Captured March 10, 2017)
1017  RFC2808, April 2000. (https://tools.ietf.org/pdf/rfc2808.pdf, Captured March 10, 2017)
1018  Lecture on “Web-Based System Security,” Prof. Jerry Gao, 1999. (http://www.engr.sjsu.edu/gaojerry/course/cmpe296u/slides/security.pdf, Captured March 10, 2017)
1019  SANS Institute, “Global Information Assurance Certification Paper,” March 29, 2000. (https://www.giac.org/paper/gsec/16/risks-biometric-based-authentication-schemes/100271, Captured March 10, 2017)
1020  Robb, Guy, “Internet Security: The Business Challenge,” Telecommunications Online, October 1996. (http://www.telecoms-mag.com/marketing/articles/oct96/guyrobb.html, Captured March 10, 2017)
1101  Declaration of Dr. Patrick McDaniel
1102  European Patent Application EP 0444351A2 (“Flanagan”)
1103  Detailed claim charts

[1] Certain exhibit numbers are not used in this petition in order to maintain consistency between exhibit numbering of this petition and another petition, IPR2017-01041.

IPR2017-01064 – Inter Partes Review of U.S. Patent No. 8,484,698

Petition for Inter Partes Review

I. Mandatory Notices under 37 C.F.R. § 42.8(b)

A. Real Party-In-Interest under 37 C.F.R. § 42.8(b)(1)

Duo Security Incorporated (“Duo”), Trustwave Holdings, Inc. (“Trustwave”), and Centrify Corporation (“Centrify”) (collectively, “Petitioner”) are the real parties-in-interest for this Petition.

B. Related Matters under 37 C.F.R. § 42.8(b)(2)

StrikeForce Technologies, Inc., the listed assignee of U.S. Patent No. 8,484,698 (“the ‘698 Patent”) is engaged in the following ongoing litigations where infringement of the ‘698 Patent is alleged:

StrikeForce Techs., Inc. v. Duo Security Inc., No. 2:16-cv-03571-JMV-MF (D.N.J.);

StrikeForce Techs., Inc. v. Trustwave Holdings, Inc., No. 2:16-cv-03573-JMV-MF (D.N.J.); and

StrikeForce Techs., Inc. v. Centrify Corp., No. 2:16-cv-03574-JMV-MF (D.N.J.).

Petitioner is contemporaneously filing another petition requesting inter partes review of the ‘698 patent, IPR2017-01041. The petition in IPR2017-01041 addresses a different subset of claims of the ‘698 patent. In particular, the present petition addresses claims 4, 8-14, 16-17 and 19, which are not challenged in IPR2017-01041. Claims 8-14 recite a “biometric signal,” which is not recited in any of the claims challenged in IPR2017-01041. The present petition cites different art to address the different claim recitals. Because the art cited in the present petition is cited for a different teaching (a “biometric signal”) than the art cited in IPR2017-01041, the petitions are neither horizontally nor vertically redundant. Liberty Mutual Ins. Co. v. Progressive Casualty Ins. Co., CBM2012-00003, Paper No. 7 at 3 (Oct. 25, 2012). Further, the combined petitions present only 3 distinct grounds of unpatentability, of which no more than 2 grounds apply to any individual claim. As such, the combined petitions do not place an undue burden on the Patent Owner and the Board. Id. at 2.

C. Lead and Back-Up Counsel under 37 C.F.R. § 42.8(b)(3)

Petitioner provides the following designation of counsel:

Lead Counsel
John D. Garretson (Reg. No. 39,681)
[email protected]
Postal and Hand-Deliver Address:
Shook, Hardy & Bacon L.L.P.
2555 Grand Blvd.
Kansas City, MO 64108
Telephone: (816) 559-2539
Fax: (816) 421-5547
Counsel for Duo Security, Inc.

Back-up Counsel
Amy M. Foust (Reg. No. 57,782)
[email protected]
Postal and Hand-Deliver Address:
Shook, Hardy & Bacon L.L.P.
Citigroup Center
201 S. Biscayne Blvd., Suite 3200
Miami, Florida 33131
Telephone: (305) 960-6925
Fax: (305) 358-7470
Counsel for Duo Security, Inc.

Back-up Counsel
Brian A. Jones (Reg. No. 68,770)
[email protected]
Postal and Hand-Deliver Address:
McDermott Will & Emery
227 W. Monroe Street
Chicago, IL 60606
Telephone: (312) 984-7694
Fax: (312) 984-7700
Counsel for Trustwave Holdings, Inc.

Back-up Counsel
Darren M. Franklin (Reg. No. 51,701)
[email protected]
Postal and Hand-Deliver Address:
Sheppard, Mullin, Richter & Hampton LLP
333 South Hope Street
Forty-Third Floor
Los Angeles, CA 90071
Telephone: (213) 617-5498
Fax: (213) 620-1398
Counsel for Centrify Corporation

D. Service Information under 37 C.F.R. § 42.8(b)(4)

Petitioner may be served by mail or hand delivery to Lead Counsel’s address, above. Petitioner consents to service via e-mail at [email protected]; [email protected]; [email protected]; and [email protected].

II. Grounds for Standing under 37 C.F.R. § 42.104(a)

Petitioner certifies that it is not barred or estopped from requesting inter partes review of claims 1-17, 19-24, 53 and 54 of U.S. Patent No. 8,484,698 (“the ‘698 Patent”). Neither Petitioner, nor any party in privity with Petitioner: (i) has filed a civil action challenging the validity of claims 1-17, 19-24, 53 and 54 of the ‘698 Patent; or (ii) has been served a complaint alleging infringement of the ‘698 Patent more than a year prior to the present date. Also, claims 1-17, 19-24, 53 and 54 of the ‘698 Patent have not been the subject of a prior inter partes review or a finally concluded district court litigation involving Petitioner.

III. Identification of Challenge under 37 C.F.R. § 42.104(b)

Petitioner petitions for inter partes review under 35 U.S.C. §§ 311-319 and 37 C.F.R. § 42.100 et. seq. of claims 1-17, 19-24, 53 and 54 (“Challenged Claims”) of the ‘698 Patent (Ex. 1001). There exists a reasonable likelihood that Petitioner will prevail with respect to at least one of the Challenged Claims.

Petitioner requests inter partes review of the Challenged Claims on the ground set forth in the table below and requests that each of the Challenged Claims be found unpatentable and cancelled from the ‘698 Patent. A complete explanation of how these claims are unpatentable is provided in Section IX below. The accompanying Declaration of Dr. Patrick D. McDaniel (Ex. 1101) supports the ground of rejection in detail.

Ground: 1
35 USC: § 103(a)
Index of References: Feigen (Ex. 1003) in view of Flanagan (Ex. 1102), and further in view of Falk (Ex. 1005)
Claims: 1-17, 19-24, 53 and 54

IV. Relevant Information Concerning the Contested Patent

A. Effective Filing Date of the ‘698 Patent

The ‘698 Patent issued from U.S. Application No. 12/958,126, filed on December 1, 2010. The ‘698 Patent claims priority as a continuation from U.S. Patent Application No. 10/970,559, filed on October 21, 2004 and issued as U.S. Patent No 7,870,599 (“‘599 Patent”). The ‘599 Patent claims priority as a continuation-in-part to U.S. Patent Application No. 09/655,297 (“‘297 Application”), filed on September 5, 2000 and subsequently abandoned. The effective filing date of the Challenged Claims as submitted for purposes of this Petition is not earlier than September 5, 2000. The “critical date” under 35 U.S.C. § 102(b) for the Challenged Claims is September 5, 1999, which is one year prior to the earliest claimed U.S. filing date of September 5, 2000.

B. Brief Description of the ‘698 Patent

The ‘698 Patent relates to a system that determines whether to grant or deny a user access to a computer over a network, based on authenticating the person attempting to gain access. Ex. 1001 at Abstract. Authentication is a process where a system determines the identity of an entity attempting to gain access to something. Ex. 1101 at ¶¶ 48-49. This type of technology, along with the prior art identified in this Petition, can apply when an employee works outside of the office and attempts to access a computer at their workplace over the Internet.

As of the September 5, 2000 priority date of the Challenged Claims, many security solutions for authentication already existed. Ex. 1101 at ¶¶ 50-59. For example, two-factor authentication, such as requiring a person to correctly input a password and provide a response through a personal device, like a pager or phone, emerged as a method to increase the complexity of security and thwart hackers. Ex. 1101 at ¶ 53.

Similarly, the Challenged Claims cover a technique that controls access to a “host computer” by intercepting a person’s demand to access the host computer and using a separate security computer to carry out two authentication measures. These are (1) verifying the person’s login identification; and (2) receiving a response from the person via a separate device, such as a phone. Ex. 1001 at 4:36-42, 6:62-7:4, FIG. 1A, 7:12-17 (describing a control module as part of the security computer) and 9:45-54 (describing the function of the control module).

Below is an annotated version of Fig. 1A from the ‘698 Patent created by the Petitioner that illustrates functionality disclosed in the patent.

User (24) wants to access host computer (34). From computer (22), user (24) directs an access demand along with a login identification to host computer (34). Ex. 1001 at 4:34-39, 6:37-42, 9:24-35. In step 1, interception device (36) intercepts the access demand requesting access to host computer (34) and the login identification in an access (or first) channel. Ex. 1001 at 6:37-42, 9:24-35. In step 2, interception device (36) diverts the login identification and access demand to security computer (40). Ex. 1001 at 6:37-42.

Security computer (40) performs authentication in a separate authentication channel that does not share facilities with the access channel. Ex. 1001 at 1:20-24, 3:14-19, 6:19-23. In step 3, security computer (40) verifies the login identification by comparing the login identification provided by the user (in step 1) against a stored password. Ex. 1001 at 7:37-42, 7:12-22 (describing a control module as part of the security computer) and 9:42-54 (describing the function of the control module); Ex. 1002 at ¶ 65. In step 4, security computer (40) outputs a prompt to the user’s device in the authentication (or second) channel, and requests data from the user. For example, security computer (40) may output the prompt by calling the user via telephone (26) and requesting the user enter a password using the telephone keypad. Ex. 1001 at 10:20-53. Alternatively, the requested data may be a biometric signal, such as speech from the user. Ex. 1001 at 11:10-42, Claim 10.

In step 5, security computer (40) receives the data from the user that was requested in step 4 and performs a comparison against stored information. Ex. 1001 at 10:46-62, 11:26-42. In step 6, based on the comparison in step 5, security computer (40) determines whether to instruct host computer (34) to grant or deny access to user (24). Ex. 1001 at 10:62-11:3, 11:43-50, 12:18-24.
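
The following Python sketch is an added illustration and is not part of the Petition or the ‘698 Patent; it models steps 1 through 6 as described above, including the denial paths at step 3 and step 5. The class and function names, the PBKDF2 storage of secrets, and the sample user, phone number and keypad PIN are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the security computer stores no plaintext."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Enrollment:
    salt: bytes
    password_digest: bytes  # compared in step 3
    pin_digest: bytes       # compared in step 5
    phone: str              # device prompted in step 4


@dataclass
class HostComputer:
    """Host computer (34): receives only grant/deny instructions."""
    instructions: List[Tuple[str, str]] = field(default_factory=list)

    def instruct(self, decision: str, user: str) -> None:
        self.instructions.append((decision, user))


class SecurityComputer:
    """Security computer (40), reached only through the interception device."""

    def __init__(self, host: HostComputer,
                 prompt_device: Callable[[str], Optional[str]]) -> None:
        self._host = host
        self._prompt_device = prompt_device  # authentication (second) channel
        self._users: Dict[str, Enrollment] = {}

    def enroll(self, user: str, password: str, pin: str, phone: str) -> None:
        salt = os.urandom(16)
        self._users[user] = Enrollment(
            salt, digest(password, salt), digest(pin, salt), phone)

    def authenticate(self, user: str, password: str) -> str:
        rec = self._users.get(user)
        # Step 3: verify the login identification against the stored value.
        if rec is None or not hmac.compare_digest(
                digest(password, rec.salt), rec.password_digest):
            return self._decide("deny", user)
        # Step 4: prompt the user's device in the authentication channel.
        reply = self._prompt_device(rec.phone)
        # Step 5: compare the returned data with stored data (no reply fails).
        ok = reply is not None and hmac.compare_digest(
            digest(reply, rec.salt), rec.pin_digest)
        # Step 6: instruct the host to grant or deny access.
        return self._decide("grant" if ok else "deny", user)

    def _decide(self, decision: str, user: str) -> str:
        self._host.instruct(decision, user)
        return decision


class InterceptionDevice:
    """Interception device (36): steps 1-2, diverts the demand to (40)."""

    def __init__(self, security: SecurityComputer) -> None:
        self._security = security

    def access_demand(self, user: str, password: str) -> str:
        # Nothing from the accessor is forwarded to the host here.
        return self._security.authenticate(user, password)


def run_demo():
    """Constructed sample run: one enrolled user, four access demands."""
    keypad: Dict[str, Optional[str]] = {"+1-555-0100": "4821"}
    calls: List[str] = []

    def place_call(phone: str) -> Optional[str]:
        calls.append(phone)          # record every out-of-band prompt
        return keypad.get(phone)     # what the callee keys in (None = no answer)

    host = HostComputer()
    security = SecurityComputer(host, place_call)
    security.enroll("alice", "correct horse", "4821", "+1-555-0100")
    gate = InterceptionDevice(security)

    results = [gate.access_demand("alice", "correct horse")]       # both checks pass
    results.append(gate.access_demand("alice", "wrong password"))  # fails at step 3
    keypad["+1-555-0100"] = "0000"
    results.append(gate.access_demand("alice", "correct horse"))   # fails at step 5
    keypad["+1-555-0100"] = None
    results.append(gate.access_demand("alice", "correct horse"))   # no answer
    return results, host.instructions, calls


if __name__ == "__main__":
    print(run_demo())
```

In this model the host object only ever receives a decision and a user name, and a demand that fails at step 3 never triggers a prompt in the second channel.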

C. The ‘698 Patent Claims

The ‘698 Patent includes 54 claims. The Challenged Claims include three independent claims. Independent claims 1 and 53 are each directed to a software method for employing a multichannel security system to control access to a computer. Independent claim 54 is directed to an apparatus for implementing a multichannel security system to control access to a computer.

D. Prosecution History of the ‘698 Patent

During prosecution of the ‘698 Patent, including its parents – the ‘599 Patent and ‘297 Application – Applicant relied on two themes to gain allowance over the prior art:

• The multichannel security system in the ‘698 Patent includes two separate channels – an authentication channel and an access channel as shown in Fig. 1A.

• The host computer that a user is trying to access cannot receive information from the user attempting to access the host computer until after authentication is complete.

In response to an Office Action in the ‘599 Patent, Applicant clarified the nature of the interaction between the authentication channel, access channel, and interception device. The system includes a “completely separate authentication channel that relies on an intercept device to pass login and identification information to the separate channel.” Ex. 1008 at 379. During a subsequent Reexamination (Control No. 90/011,429) of the ‘599 Patent, Applicant further defined the relationship between the access and authentication channels. Applicant explained that an “out-of-band” security system included an authentication channel that is separate from an access channel—the separation of the channels being so great that “authentication is carried over separate facilities than those used for actual information transfer.” Ex. 1009 at 60; Ex. 1002 at ¶ 72.

Applicant’s reliance on the isolation of the host computer is demonstrated in an Office Action response. Applicant argued that a prior art reference did not disclose claimed elements because the system “assumes that the user already has permission to accesses a web site (i.e. web server, which is a type of ‘host computer’)”. Ex. 1008 at 293. In response to another Office Action, Applicant elaborated that there would be no need to supply an access instruction to the host computer if the user already has access to the host computer, illustrating that the host computer is inaccessible prior to authentication in the claimed invention. Ex. 1008 at 157.

In response to a first Office Action in the ‘698 Patent, Applicant added 7 new claims and restated arguments to distinguish over prior art systems that give users access to the host computer prior to completing authentication. Ex. 1007 at 112, 114. In response to a double patenting rejection in a second Office Action, Applicant filed a terminal disclaimer with respect to the ‘599 Patent to gain allowance. Ex. 1007 at 66.

V. Proposed Claim Constructions

A claim subject to inter partes review is given its “broadest reasonable construction in light of the specification of the patent in which it appears.” 37 C.F.R. § 42.100(b). Petitioner submits that the following terms and associated constructions are the proper construction for use in this proceeding, in light of the portions of the specification and prosecution history stated above.

“Clear reliance on the preamble during prosecution to distinguish the claimed invention from the prior art transforms the preamble into a claim limitation because such reliance indicates use of the preamble to define, in part, the claimed invention.” Catalina Mktg. Int’l v. Coolsavings.com, Inc., 289 F.3d 801, 808 (Fed. Cir. 2002); Rotatable Techs. LLC v. Motorola Mobility LLC, 567 Fed. App’x 941, 943 (Fed. Cir. 2014). As explained in Section IV.D, throughout the prosecution history, Applicant relied on the premise that a multichannel security system involves two separate channels in order to distinguish the purported invention over prior art. All of the independent Challenged Claims include the claim term “multichannel security system.” See Ex. 1001 at Claims 1, 53, 54. Given Applicant’s reliance on this term in order to overcome the prior art, claims 1, 53, and 54 are limited by the recital of a “multichannel security system” in the claims’ preambles. Ex. 1012 at 53 (equating “multichannel security system” with “an out-of-band computer security system”), 23-25 (construing “multichannel security system” and “an out-of-band computer security system”) and 26 (finding that the recital of an “out-of-band computer security system” and a “multichannel security system” in the preamble is limiting); Ex. 1013 at 6 (adopting the findings in Ex. 1012).

intercepting (as a general concept) — preventing the host computer from receiving.

interception device / a device (claims 1 and 54, and all Challenged Claims depending therefrom) — a device that prevents the host computer from receiving [what the interception device received instead].

first channel / access channel (claims 1, 22, 53, and 54, and all Challenged Claims depending therefrom) — an information channel that is separate from and does not share any facilities with the authentication channel.

second channel / authentication channel (claims 1, 53, and 54, and all Challenged Claims depending therefrom) — a channel for performing authentication that is separate from and does not share any facilities with the access channel.

security computer (claims 1, 53, and 54, and all Challenged Claims depending therefrom) — a computer in the authentication channel that can grant authenticated users access to but is isolated from the host computer.

host computer (claims 1, 53, and 54, and all Challenged Claims depending therefrom) — a computer to which the accessor is attempting to gain access, but which no information from an accessor is allowed to enter unless access is granted by the security computer.

multichannel security system (claims 1, 53, and 54, and all Challenged Claims depending therefrom) — a system that operates without reference to a host computer or any database in a network that includes the host computer.

verifying the login identification (claims 1 and 53, and all Challenged Claims depending therefrom) — confirming at the security computer that the information used by an accessor to login to the host computer is valid.

demand to access / demand for access / access demand (“The Demand Terms”) (claims 1, 53, and 54, and all Challenged Claims depending therefrom) — a request to access the host computer that was sent from an accessor.

login identification demand to access (claims 1 and 53, and all Challenged Claims depending therefrom) — login identification and demand for access.

biometric analyzer (claim 10, and all Challenged Claims depending therefrom) — This term is governed by 35 U.S.C. §112(6). Function: analyzing a monitored parameter of the accessor. Structure: monitoring the particular parameter of the individual person; including (sic) the parameter to a mathematical representation or algorithm therefore (sic); retrieving a previously stored sample (biometric data), (sic) thereof from a database and comparing the stored sample with the input of the accessor. See Ex. 1001 at 6:55-59.

a component for receiving the transmitted data and comparing said transmitted data to predetermined data (claim 54) — This term is governed by 35 U.S.C. §112(6). Function: receiving the transmitted data and comparing said transmitted data to predetermined data. Structure: Ex. 1001 at FIG. 9C, steps 186-196, 10:46-65 and/or ‘698 patent, FIGs. 9C-9D, steps 200-208, 11:24-55.

A software method for employing a multichannel security system to control access to a computer, comprising the steps of (claim 1 and all challenged claims depending therefrom) – This preamble is limiting and requires the construction of “multichannel security system” as set forth above.

A software method for employing a multichannel security system to control access to a computer, comprising the steps of (claim 53) – This preamble is limiting and requires the construction of “multichannel security system,” as set forth above.

Apparatus for implementing a multichannel security system to control access to a computer, comprising (claim 54) – This preamble is limiting and requires the construction of “multichannel security system,” as set forth above.

In the Related Cases listed in Section I.B above, Petitioner seeks to have the Court adopt the above constructions.

VI. Prior Litigation Involving Patent Owner

The above constructions are consistent with the construction of claim terms adopted by the court in StrikeForce’s prior litigation with PhoneFactor, titled StrikeForce Technologies, Inc. v. PhoneFactor, Inc., et. al., Civ. A. No. 13-490-RGA-MPT (“Prior Litigation”), which settled prior to the filing of the Related Matters listed above.

In the Prior Litigation, StrikeForce alleged that PhoneFactor infringed claims of the ‘698 Patent. The Magistrate Judge issued a Report and Recommendation (Ex. 1012) with constructions for the above claim terms. The District Court Judge subsequently issued a Memorandum Order (Ex. 1013) overruling objections that StrikeForce raised to the Report and Recommendation.

StrikeForce sought to broaden the scope of the claims beyond the above constructions. StrikeForce argued that the claims only “require preventing the user from gaining access to protected data on (not contacting) the host computer until a separate out-of-band security computer authenticates the user through an authentication channel.” Ex. 1012 at 11-12.

The court disagreed, pointing to the fact that the “patentee, acting as his own lexicographer told the PTO ‘[a]n ‘out-of-band’ operation is defined herein as one conducted without reference to the host computer or any database in the host network.’” Ex. 1012 at 14. The court also observed that “[t]he asserted claims are directed to accessing the host computer itself, not ‘protected data’ on the host computer as plaintiff suggests.” Ex. 1012 at 14.

Discussion of Prior Art VII.

A. Background of the State of the Relevant Art in 2000

The technical area of the ‘698 Patent is secure systems—specifically the authentication of users accessing services over a network. Authentication is a process that a system uses to determine the identity of a person attempting to gain access to something sensitive. Ex. 1101 at ¶¶ 48-49.

Prior to September 5, 2000, as today, there were many ways to perform user authentication. Generally, you can categorize these approaches into (a) things that the user knows, (b) things that the user has, and (c) things that the user is. Systems using “things that a user knows” prompt the user for information that only that user knows, e.g., passwords, PIN numbers, social security numbers, etc. The ability of that user to produce that secret is deemed sufficient evidence that they are who they say they are. Ex. 1101 at ¶ 50.

Systems that use “things the user has” require the user to produce a physical object such as a key-card instead of the secret. It is assumed that because only that user has the physical object, they are authentic. Systems that use “things that a user is” are generally referred to as biometric systems. These systems measure a unique physical characteristic of the user, such as fingerprints, irises, or voice. All authentication systems have limitations that can impact the security of systems they protect; passwords can be guessed, keycards can be lost or stolen, and even the best biometric measurements are subject to subtle changes. Ex. 1101 at ¶¶ 51-52.

To combat limitations of traditional authentication systems, in the 1990’s the security community turned to second factor authentication, also known as multifactor authentication. The idea is simple: you use two forms of authentication so that if one is compromised or fails, you are protected by the other. This is particularly helpful when you use multiple categories of authentication such as a password and a key card, or a password and fingerprint. These systems are more secure, because the hacker adversary has to compromise two entirely different authentication mechanisms; for example, the need to guess the password and steal the keycard. Ex. 1101 at ¶ 53.

B. Qualification of Prior Art References Under 35 U.S.C. § 102(b)

Each of the references discussed below qualifies as prior art under pre-AIA 35 U.S.C. § 102(b). Each is a patent or publication that was issued and/or published before the ‘698 Patent’s critical date of September 5, 1999. The pre-AIA statutory provision applies, because the earliest effective filing date for the ‘698 Patent predates March 16, 2013, the effective date for post-AIA 35 U.S.C. § 102.

• Feigen (Ex. 1003): U.S. Patent Number 5,699,513 was filed on March 31, 1995 and issued on December 16, 1997.

• Falk (Ex. 1005): U.S. Patent Number 5,668,876 was filed on June 24, 1994 and issued on September 16, 1997.

• Flanagan (Ex. 1102): European Patent Application EP 0444351A2 was filed on December 4, 1990 and published on September 4, 1991.

C. Feigen

Feigen is titled “Method for Secure Network Access via Message Intercept.” It discloses securing access to an inside network (e.g., a corporate network) by intercepting and holding connection requests received from a client in an outside network (e.g., the Internet). Ex. 1003 at Abstract, 2:42-48, and 2:57-61. Source host (22) in outside network (12) sends a connection request targeted to destination host (28) in inside network (14). Before the connection request reaches inside network (14), filter (16) (e.g., a router) intercepts the connection request and routes it to security host (26), which provides security for inside network (14). Ex. 1003 at Abstract and 3:3-6; Ex. 1101 at ¶¶ 75, 76.

This prevents the connection request from being transmitted into inside network (14) until security host (26) confirms the user’s authenticity. Ex. 1003 at Abstract and 2:66-3:3. Once the user is confirmed, the connection request is sent to destination host server (28) in inside network (14). Ex. 1003 at Abstract; Ex. 1101 at ¶ 77.

The below chart shows how Feigen corresponds to the ‘698 Patent. Ex. 1101 at ¶ 78.

Chart: ‘698 Patent / Feigen

[Figures: ‘698 Patent FIG. 1; Feigen FIG. 1]

‘698 Patent: user (24) wants to access host computer (34)
Feigen: user (not shown) of source host (22) wants to access destination host (server) (28) [2]

‘698 Patent: user computer (22) directs a login demand and identification from user (24) to host (34)
Feigen: source host (22) directs a connection request from the user to destination host (server) (28) [3]

‘698 Patent: access channel from user computer (22) through access network (30) carries the login demand and identification to internal router (interception device) (36)
Feigen: a channel from source host (22) through outside network (12) carries the connection request to filter (16) [4]

‘698 Patent: internal router (interception device) (36) intercepts the login demand and identification from user computer (22) and diverts it to security computer (40)
Feigen: filter (16) intercepts the connection request from source host (22) and diverts it to security host (26) [5]

‘698 Patent: security computer (40) verifies the login identification of user (24)
Feigen: security host (26) verifies a password from the user of source host (24) [6]

‘698 Patent: security computer (40) instructs host computer (34) to grant access or deny access to user (22)
Feigen: security host (26) releases the intercepted connection request to destination host (server) (28) [7]

[2] Ex. 1003 at Abstract, 2:63-3:15, 3:47-52, 3:60-65, 4:3-11, 4:66-5:14, 5:30-31, Claim 1, Claim 13, and FIG. 1.

[3] Id. and also Ex. 1003 at FIG. 2, FIG. 5 (item 100), and 6:50-55.

[4] Id. and also Ex. 1003 at 2:44-48, 2:50, 1:20-32, FIG. 3, 4:12-18, and Claim 5.

[5] Id.

[6] Ex. 1003 at FIG. 1, FIG. 5 (items 100 and 102), Abstract, 1:56-59, 4:12-24, 5:27-33, 5:45-49, 6:50-63, Claim 1, Claim 7, and Claim 13.

[7] Ex. 1003 at Abstract, 1:56-59, 4:24-30, 4:51-5:11, 7:1-9, 7:36-52, Claim 10, Claim 13, Claim 16, FIG. 3, and FIG. 5 (items 114, 116, 104 and 106.)

D. Flanagan

Flanagan is titled “Voice password-controlled computer security system.” It discloses a multifactor authentication system. After a standard password procedure is successfully completed, it institutes a voice call to a telephone that is associated with the user and verifies the user’s voice information with pre-stored voice information associated with the user. Ex. 1102 at Abstract. If the user is authenticated, access to a requested resource is allowed. Ex. 1102 at Abstract and 4:56-5:11; Ex. 1101 at ¶¶ 80, 81.

The chart below shows how Flanagan corresponds to the ‘698 Patent. Ex. 1101 at ¶ 82.

Chart: ‘698 Patent / Flanagan

[Figures: ‘698 Patent FIG. 1; Flanagan FIG. 1]

‘698 Patent: after verifying the login identification from user (24), security computer (40) outputs a prompt to telephone (26) over an authentication channel, including voice network (42), requesting transmission of data comprising a biometric signal from user (24)
Flanagan: after verifying the username and password of the user (not shown) of terminal (11), programmed processor (12) outputs a prompt to telephone (13) over a voice connection, requesting transmission of data comprising a biometric signal (e.g., to speak a randomly selected series of digits) from the user (not shown) [8]

‘698 Patent: to generate the prompt, security computer (40) synthesizes an audible message from a stored message and plays it over telephone (26)
Flanagan: to generate the prompt, programmed processor (12) controls voice apparatus (14) to synthesize an audible message from a stored message and play it over telephone (13) [9]

‘698 Patent: security computer (40) receives the biometric signal transmitted from user (24) through telephone (26) over an authentication channel, including voice network (42)
Flanagan: programmed processor (12) receives the biometric signal transmitted from the user (not shown) through telephone (13) over the voice connection [10]

‘698 Patent: security system (40) compares the biometric signal transmitted over the authentication channel to predetermined data
Flanagan: programmed processor (12) compares the biometric signal transmitted over the voice connection to predetermined data (e.g., pre-stored voice information) [11]

‘698 Patent: security system (40) includes a biometric analyzer (not shown) that receives the biometric signal from user (24)
Flanagan: programmed processor (12) includes a biometric analyzer (not shown) that receives the biometric signal transmitted from the user (not shown) through telephone (13) over the voice connection [12]

[8] Ex. 1102 at Abstract, 2:38-43, 2:47-52, 4:47-5:2, 3:49-55, 4:12-20, 5:44-6:9, 6:15-36, 6:57-7:12, 8:3-6, FIG. 2, FIG. 3, and FIG. 4.

[9] Ex. 1102 at Abstract, 2:47-52, 4:12-20, 5:54-6:9, 6:5-9, 6:15-36, 6:57-7:12, FIG. 1, FIG. 2, and FIG. 4.

[10] Ex. 1102 at Abstract, 2:47-57, 4:12-20, 5:54-6:40, 6:57-7:12, FIG. 1, FIG. 2, and FIG. 4.

[11] Ex. 1102 at Abstract, 2:52-57, 4:20-29, 6:9-14, 6:24-38, and FIG. 4.

[12] Ex. 1102 at Abstract, 2:52-57, 4:20-29, 6:9-14, and 6:24-38.

E. Falk

Falk is titled “User Authentication Method and Apparatus.” Falk discloses a multifactor security system for authorizing a user to use a service. Ex. 1101 at ¶¶ 84-85.

The user initiates a request for access via terminal (22) by transmitting a request over service access network (24) to a service node (26). Ex. 1005 at 5:22-29, Abstract and 3:44-64. Service node (24) requests that separate authentication center (30) generate and send a challenge code to the user’s personal unit (20). The personal unit sends a response code back to authentication center (30), where the response code is determined from the received challenge code, an appropriate input security number (e.g. a user PIN), and a secret key. Ex. 1005 at 3:7-9, 4:15-24, and 4:32-37. The authentication center (30) determines whether the response code is acceptable and informs service node (26) of the result, indicating whether to provide the user with the requested access. Ex. 1005 at 5:52-57 and 6:55-56; Ex. 1101 at ¶ 85.

The below chart shows how Falk corresponds to the ‘698 Patent. Ex. 1101 at ¶ 86.

Chart: ‘698 Patent / Falk

[Figures: ‘698 Patent FIG. 1; Falk FIG. 1]

‘698 Patent: security computer (40) outputs a prompt to telephone (26) over an authentication channel, including voice network (42), requesting transmission of data from user (24)
Falk: authentication center (30) outputs a prompt to personal unit (20) (e.g., a telephone) over authentication challenge network (28) requesting transmission of data (e.g., a response code) from the user (not shown) of personal unit (20) [13]

‘698 Patent: security computer (40) receives data transmitted from user (24) through telephone (26) over an authentication channel, including voice network (42)
Falk: authentication center (30) receives data (e.g., a response code) from the user (not shown) through personal unit (20) over authentication challenge network (28) (e.g., a cellular radio telephone network) [14]

‘698 Patent: security system (40) compares the data transmitted over the authentication channel to predetermined data
Falk: authentication center (30) compares the data transmitted over authentication challenge network (28) (e.g., the response code) to predetermined data (e.g., an expected response) [15]

‘698 Patent: security computer (40) instructs host computer (34) to grant access or deny access to user (22)
Falk: authentication center (30) instructs service node (26) of the comparison result to grant access or deny access to the user (not shown) [16]

[13] Ex. 1005 at 5:22-34, 6:59-7:2, 7:25-35, and FIG. 3 (item S18).

[14] Ex. 1005 at FIG. 3 (items S22 and S24), 6:44-58, and 7:14-17.

[15] Ex. 1005 at 5:59-62, 6:40-48, 3:21-30, 9:31-35, 10:59-65, 11:16-17, 7:14-17, and FIG. 3 (item S24).

[16] Ex. 1005 at 7:14-17, 6:44-58, and FIG. 3 (item S24 and YES/NO paths).

VIII. Person of Ordinary Skill in the Art

A person of ordinary skill in the art (or “a skilled artisan”) in the field of the ‘698 Patent at the time of the claimed priority date of September 5, 2000 would have been someone with at least a B.S. degree from an accredited institution in computer science, computer engineering, electrical engineering, or an equivalent degree. This person would also have one or two years of relevant work experience, such as the design and implementation of security features for computer systems accessed over a network. A person of ordinary skill in the art would have had a basic understanding of computers, computer software, authentication, authorization, networks, and the Internet, including knowledge of the scientific literature concerning different types of network architectures, traffic routing, and authentication and authorization protocols and systems. Ex. 1101 at ¶ 17.

IX. There is a Reasonable Likelihood that the Challenged Claims are Unpatentable

A. Ground 1: Claims 1-17, 19-24, 53 and 54 are Obvious over Feigen in view of Flanagan and Falk

1. Overview

As explained below, and supported in detail in the accompanying Declaration of Dr. McDaniel, claims 1-17, 19-24, 53 and 54 are obvious over the combination of references in Ground 1. An illustration combining Feigen with Flanagan appears below—this is a composite figure that has been generated by Petitioner for illustrative purposes. Ex. 1101 at ¶ 90.

The two factor authentication functionality from Falk (not shown in the composite) is further combined to teach sending an instruction to the host computer to grant or deny access. The below chart shows the correspondence between Ground 1 and the ‘698 Patent. Ex. 1101 at ¶¶ 92-93.

Chart: ‘698 Patent / Ground 1 Combination (Feigen; Flanagan/Falk)

[Figures: ‘698 Patent FIG. 1; Ground 1 Composite Generated by Petitioner]

‘698 Patent: user (24) wants to access host computer (34)
Feigen: user (not shown) of source host (22) wants to access destination host (server) (28) [17]

‘698 Patent: user computer (22) directs a login demand and identification from user (24) to host (34)
Feigen: source host (22) directs a connection request from the user to destination host (server) (28) [18]

‘698 Patent: access channel from user computer (22) through access network (30) carries the login demand and identification to internal router (interception device) (36)
Feigen: a channel from source host (22) through outside network (12) carries the connection request to filter (16) [19]

‘698 Patent: internal router (interception device) (36) intercepts the login demand and identification from user computer (22) and diverts it to security computer (40)
Feigen: filter (16) intercepts the connection request from source host (22) and diverts it to security host (26) [20]

‘698 Patent: security computer (40) verifies the login identification of user (24)
Feigen: security host (26) verifies a password from the user of source host (24) [21]

‘698 Patent: after verifying the login identification from user (24), security computer (40) outputs a prompt to telephone (26) over an authentication channel, including voice network (42), requesting transmission of data comprising a biometric signal from user (24)
Flanagan: after verifying the username and password of the user (not shown) of terminal (11), programmed processor (12) outputs a prompt to telephone (13) over a voice connection, requesting transmission of data comprising a biometric signal (e.g., to speak a randomly selected series of digits) from the user (not shown) [22]

‘698 Patent: to generate the prompt, security computer (40) synthesizes an audible message from a stored message and plays it over telephone (26)
Flanagan: to generate the prompt, programmed processor (12) controls voice apparatus (14) to synthesize an audible message from a stored message and play it over telephone (13) [23]

‘698 Patent: security computer (40) receives the biometric signal transmitted from user (24) through telephone (26) over an authentication channel, including voice network (42)
Flanagan: programmed processor (12) receives the biometric signal transmitted from the user (not shown) through telephone (13) over the voice connection [24]

‘698 Patent: security system (40) compares the biometric signal transmitted over the authentication channel to predetermined data
Flanagan: programmed processor (12) compares the biometric signal transmitted over the voice connection to predetermined data (e.g., pre-stored voice information) [25]

‘698 Patent: security system (40) includes a biometric analyzer (not shown) that receives the biometric signal from user (24)
Flanagan: programmed processor (12) includes a biometric analyzer (not shown) that receives the biometric signal transmitted from the user (not shown) through telephone (13) over the voice connection [26]

‘698 Patent: security computer (40) instructs host computer (34) to grant access or deny access to user (22)
Falk: authentication center (30) instructs service node (26) to grant access or deny access to the user (not shown) [27]

[17] Ex. 1003 at Abstract, 2:63-3:15, 3:47-52, 3:60-65, 4:3-11, 4:66-5:14, 5:30-31, Claim 1, Claim 13, and FIG. 1.

[18] Id. and also Ex. 1003 at FIG. 2, FIG. 5 (item 100), and 6:50-55.

[19] Id. and also Ex. 1003 at 2:44-48, 2:50, 1:20-32, FIG. 3, 4:12-18, and Claim 5.

[20] Id.

[21] Ex. 1003 at FIG. 1, FIG. 5 (items 100 and 102), Abstract, 1:56-59, 4:12-24, 5:27-33, 5:45-49, 6:50-63, Claim 1, Claim 7, and Claim 13.

[22] Ex. 1102 at Abstract, 2:47-52, 4:12-20, 5:54-6:9, 6:15-36, 6:57-7:12, FIG. 1, FIG. 2, and FIG. 4.

[23] Ex. 1102 at Abstract, 2:47-52, 4:12-20, 5:54-6:9, 6:5-9, 6:15-36, 6:57-7:12, FIG. 1, FIG. 2, and FIG. 4.

[24] Ex. 1102 at Abstract, 2:47-57, 4:12-20, 5:54-6:40, 6:57-7:12, FIG. 1, FIG. 2, and FIG. 4.

[25] Ex. 1102 at Abstract, 2:52-57, 4:20-29, 6:9-14, 6:24-38, and FIG. 4.

[26] Ex. 1102 at Abstract, 2:52-57, 4:20-29, 6:9-14, and 6:24-38.

[27] Ex. 1005 at 7:14-17, 6:44-58, and FIG. 3 (item S24 and YES/NO paths).

2. Motivation to Combine Feigen with Flanagan and Falk

One of ordinary skill in the art at the time of the alleged invention would have been motivated to combine the teachings of Feigen, Flanagan, and Falk. The skilled artisan would have been interested in Feigen's suggestion that the strength of an authentication process "may vary in accordance with the needs of network 14," and would have logically consulted the well-known practices of multifactor authentication in Flanagan and Falk, which heighten the strength of authentication security. See Ex. 1003 at 6:59-62; Ex. 1101 at ¶ 89.

The ‘698 Patent describes a problem that was well-known in the field at the time of the alleged invention in September 2000—namely, the design of a multichannel security system for granting access to a host computer. Ex. 1001 at Abstract; Ex. 1101 at ¶ 94. Feigen discloses the use of secure host (26) to control access to destination host (28). Feigen teaches additional support for security systems and specifically suggests that the reader seek out stronger authentication techniques to use within its invention: “Together tasks 100 and 102 form an authentication process the strength of which may vary in accordance with the needs of network 14.” Ex. 1003 at 6:59-62; Ex. 1101 at ¶¶ 94, 96.

Security host (26) in Feigen performs a single factor authentication process using a one-time password, but states “However, different systems may use different authentication processes.” Ex. 1003 at 6:50-67 (emphasis added); Ex. 1101 at ¶ 99. A skilled artisan would understand that Feigen teaches higher security environments warrant the use of additional or alternative authentication technologies in security host (26). Ex. 1101 at ¶ 97.

A skilled artisan would also understand that higher security can be achieved by combining multiple authentication mechanisms in the same system to achieve a higher level of security—this principle is known in the art as “defense in depth,” which is a guiding principle of secure system design. Ex. 1101 at ¶ 97. Multifactor authentication systems, including a combination of two or more of the following, were well known in the art before September 5, 2000: (i) something the user knows, (ii) something the user has, and (iii) something the user is. Ex. 1101 at ¶ 98.

One of ordinary skill in the art interested in implementing the heightened security taught by Feigen would have consulted references related to the well-known practice of multifactor authentication, which strengthens authentication. Flanagan teaches the use of “something the user knows,” “something the user has,” and “something the user is” to perform multi-factor authentication. Falk teaches the use of both “something the user knows” and “something the user has” to perform multifactor authentication. One of ordinary skill in the art would combine the multi-factor authentication techniques of Flanagan and Falk with Feigen to address the desire for heightened security taught by Feigen. Ex. 1101 at ¶ 100.

Flanagan describes that the use of passwords is “often easily defeated mainly due to human failings” and that “the security of password-controlled systems is often breached because interlopers find passwords or are able to quickly guess passwords with a few intelligent choices.” Ex. 1102 at 1:23–2:6. Flanagan acknowledges a problem where security systems “allow access by a user without ascertaining his or her true identity” and that a higher level of security may be achieved by the voice password-controlled security system described in Flanagan. Ex. 1102 at 2:7-20; Ex. 1101 at ¶ 101.

These statements from Flanagan highlight the likelihood that one of ordinary skill in the art would have been motivated to combine Feigen and Flanagan to achieve Feigen’s suggestion of stronger security by security host (26). Their combination would only require known techniques of implementing Flanagan’s “something the user has” and “something the user is” approaches as additional steps to Feigen’s “something the user knows” password authentication. Ex. 1101 at ¶ 102.

Moreover, Flanagan describes how to combine a “something the user has” step with a password (something the user knows) authentication mechanism. Flanagan states: “If the login and password information input by the user, match pre-stored login and password information maintained in memory by processor 12, the processor then independently attempts to establish a voice connection to user telephone 13—which ideally is in close physical proximity to user terminal 11.” Ex. 1102 at 3:49-55; Ex. 1101 at ¶ 103.

“After establishment of the voice connection, processor 12 generates a 4-digit random number (e.g., 5772) and controls voice apparatus 14 to request the user to repeat the 4-digit number into the user telephone 13 …” Ex. 1102 at 4:12-20. “Using a voice recognition technique, the computer matches received voice information with pre-stored voice information for the user and generates a confidence recognition factor indicating how closely the received voice matches the stored voice of the user.” Ex. 1102 at 2:52-57. “If the factor exceeds a preset threshold, the user is afforded access to the computer.” Ex. 1102 at 2:57-3:1; Ex. 1101 ¶ 103.

This kind of combining of authentication mechanisms was widely practiced as multifactor systems. Hence, someone skilled in the art would have been motivated to address the need for enhanced security identified in Feigen by applying the teachings of Flanagan to arrive at the combination illustrated above. Ex. 1101 at ¶ 105.

A skilled artisan would be motivated to combine Feigen and Flanagan with Falk at least because Falk is focused on the same security processes that provide authentication and authorization of users. For example, Feigen states that the system provides “[a]uthorization […] which decides which privileges are given to a presumably authentic user.” Ex. 1003 at 1:58-59. Like Flanagan, Falk teaches two-factor authentication using “something the user knows” and “something the user has.” Ex. 1101 at ¶ 107.

A user “initiates a service access through terminal 22 by transmitting the request over a service access network 24 to a service node 26.” Ex. 1005 at 5:22-24. “[S]ervice node 26 … causes a challenge code to be generated in an authentication center 30. The challenge code is sent over an authentication challenge network 28 to the personal unit 20 [something the user has]. When the personal unit 20 receives an authentication challenge code, it prompts the user to input a PIN or other identifying information [something the user knows], and generates a response code by an algorithm having the challenge code, an internal security code, and the PIN as variable[s].” Ex. 1005 at 5:24-33. “[T]he response can be transmitted over the authentication network 28 to the authentication center 30 which then may … compare the response to an expected response and forward the result to the service node 26. If the response code is acceptable, the service node 26 permits the user to access the services offered.” Ex. 1005 at 5:53-59; Ex. 1101 at ¶ 107.
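The challenge-response exchange quoted above from Falk can be sketched as follows. This is an added illustration, not code from Falk, the petition, or any party. Assumptions: HMAC-SHA256 stands in for the unspecified response algorithm, the class and function names are hypothetical, the challenge network is modeled as a callable, and all keys and PINs are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional


def response_code(secret_key: bytes, pin: str, challenge: bytes) -> str:
    """Derive a response from the challenge code, the unit's secret key and the PIN.

    Assumption: HMAC-SHA256 stands in for the response algorithm, which the
    quoted passage does not specify. The challenge has a fixed length, so
    appending the PIN to it is unambiguous.
    """
    mac = hmac.new(secret_key, challenge + pin.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]


class PersonalUnit:
    """'Something the user has': stores the secret key but never the PIN."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key

    def respond(self, challenge: bytes, pin_entered: str) -> str:
        return response_code(self._key, pin_entered, challenge)


class AuthenticationCenter:
    """Issues single-use challenges and compares responses to the expected value."""

    def __init__(self, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # Simplification for the sketch: the PIN is held in the clear here.
        self._users = {}    # user_id -> (secret_key, pin)
        self._pending = {}  # user_id -> (challenge, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def enroll(self, user_id: str, secret_key: bytes, pin: str) -> None:
        self._users[user_id] = (secret_key, pin)

    def issue_challenge(self, user_id: str) -> Optional[bytes]:
        if user_id not in self._users:
            return None
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self._pending[user_id] = (challenge, self._clock() + self._ttl)
        return challenge

    def verify(self, user_id: str, response: str) -> bool:
        # pop() consumes the challenge, so a captured response cannot be replayed.
        pending = self._pending.pop(user_id, None)
        if pending is None:
            return False
        challenge, expires_at = pending
        if self._clock() > expires_at:
            return False
        secret_key, pin = self._users[user_id]
        expected = response_code(secret_key, pin, challenge)
        # Constant-time comparison of the received and expected responses.
        return hmac.compare_digest(expected.encode(), response.encode())

    def authenticate(self, user_id: str,
                     challenge_network: Callable[[bytes], Optional[str]]) -> bool:
        """Send the challenge over the separate channel and check what comes back."""
        challenge = self.issue_challenge(user_id)
        if challenge is None:
            return False
        response = challenge_network(challenge)
        return self.verify(user_id, response if isinstance(response, str) else "")


class ServiceNode:
    """Never sees the key, PIN or response; it only receives the comparison result."""

    def __init__(self, center: AuthenticationCenter) -> None:
        self._center = center

    def request_access(self, user_id: str,
                       challenge_network: Callable[[bytes], Optional[str]]) -> str:
        return "GRANT" if self._center.authenticate(user_id, challenge_network) else "DENY"


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed sample key
    center = AuthenticationCenter()
    center.enroll("alice", key, "4821")  # constructed sample user and PIN
    unit = PersonalUnit(key)
    node = ServiceNode(center)
    print(node.request_access("alice", lambda c: unit.respond(c, "4821")))  # correct PIN
    print(node.request_access("alice", lambda c: unit.respond(c, "0000")))  # wrong PIN
    print(node.request_access("alice", lambda c: None))                     # no response
```
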

Feigen, Flanagan, and Falk each describe a system where the security system grants or denies the user’s access. Their combination would have been obvious to a skilled artisan seeking to implement the heightened level of authentication in security host (26), as suggested by Feigen. Accordingly, it would have been obvious to employ the instruction mechanisms used in these references to grant or deny access to a user. This includes implementing security host (26) to issue an instruction to destination host (28) to grant or deny access to source host (22). A skilled artisan could do this in the same way that authentication center (30) in Falk transmits to service node (26) the result of a comparison of a response code from personal unit (20) with an expected response. Ex. 1005 at 5:48-57; Ex. 1101 at ¶ 108.

3. The Ground 1 Combination Teaches Every Element of

Claims 1-17, 19-24, 53 and 54

a. Independent Claim 1

(1a) A software method for employing a multichannel

security system to control access to a computer,

comprising the steps of:

Feigen describes a security system that controls access to computers within a

network. It states, “The present invention may be implemented in a relatively

simple configuration of hardware and software at relatively low cost.” Ex. 1003 at

7:65-68. Security host (26) operates in concert with filter (16) to intercept

connection request messages sent from source hosts (22) in outside network (12) –

preventing the requests from being transmitted on inside network (14) to

destination host (28). Ex. 1003 at Abstract, 3:25-50, 3:60-65, FIG. 1, and FIG. 2;

Ex. 1101 at ¶¶ 115-116.

After receiving the intercepted connection request, security host (26)

authenticates source host (22). In one embodiment, this includes verifying a one-

time password. Ex. 1003 at 6:50-63, FIG. 1, and FIG. 5. Feigen describes that

security host (26) operates without reference to destination host (28) or any

database in the inside network (14). Ex. 1003 at Abstract, 5:5-9, and FIG. 1; Ex.

1101 at ¶ 117.

Flanagan describes multifactor authentication security for controlled access

systems. “If the login and password information input by the user, match pre-

stored login and password information maintained in memory by processor 12, the

processor then independently attempts to establish a voice connection to user

telephone 13—which ideally is in close physical proximity to user terminal 11.”

Ex. 1102 at 3:49-55. “After establishment of the voice connection, processor 12

generates a 4-digit random number (e.g., 5772) and controls voice apparatus 14 to

request the user to repeat the 4-digit number into the user telephone 13 …” Ex.

1102 at 4:12-20. “Using a voice recognition technique, the computer matches

received voice information with pre-stored voice information for the user and

generates a confidence recognition factor indicating how closely the received voice

matches the stored voice of the user.” Ex. 1102 at 2:52-57. “If the factor exceeds

a preset threshold, the user is afforded access to the computer.” Ex. 1102 at 2:57-

3:1; Ex. 1101 at ¶ 118.

When Flanagan is combined with Feigen, security host (26) in Feigen is

augmented to include Flanagan’s second form of authentication – voice

recognition via telephone (13) over a channel extending through telephone central

switch (15). This occurs on a telephone channel completely separate from the

channel between Feigen’s source host (22) and destination host (28) – teaching the

multichannel security system called for in claim 1 to control access to a computer

(destination host (28)). Ex. 1101 at ¶¶ 119-120.

(1b) receiving at an interception device in a first

channel a login identification demand to access a

host computer also in the first channel;

Feigen’s filter (16) is an interception device that intercepts a connection

request (access demand) sent from source host (22) in a first (access) channel to an

application service on destination host (28) – preventing the connection request

from being transmitted inside network (14) to destination host (28). Ex. 1003 at

2:63-3:15, 4:3-11, 4:66–5:14, FIG. 1, FIG. 2, and FIG. 3. Filter (16) routes the

user’s login identification to security host (26), which performs an authentication

process for source host (22) before any information can enter destination host (28),

which serves as the host computer in claim 1. Ex. 1003 at 6:50-55 and FIG. 5

(item 100); Ex. 1101 at ¶¶ 121-122.

Flanagan also describes using a typical user login procedure, such as a

normal password procedure, as well as separate voice verification. Ex. 1102 at

2:15-20, 2:35-38, 3:26-49, 4:39-47, Claim 3, and FIG. 3; Ex. 1101 at ¶ 123.

(1c) verifying the login identification;

Feigen teaches confirming login identification at a security computer,

namely security host (26). Ex. 1003 at 4:12-24, 6:56-59, FIG. 1, FIG. 5 (item 102),

and claims 1, 7, and 13. Security host (26) performs authentication to grant or

deny the user of source host (22) access to destination host (28). “[A]t a task 100

process 88 sends an appropriate prompting message to the source to elicit user

identification data. … [A] query task 102 authenticates the user. In other words,

task 102 determines whether the user identification obtained in task 100 indicates

that the user is an authentic user or a hacker. … In the preferred embodiment, a

one-time password process is recommended.” Ex. 1003 at 6:50-63; Ex. 1101 at ¶¶

124-125.

Security host (26) is a security computer located in a second authentication

channel and isolated from the host computer (destination host 28). Ex. 1003 at

FIG. 1. When combined with Flanagan, as described above, security host (26)

operates in a second channel (authentication channel) over telephone network (15).

In this second channel, it performs a second factor authentication of the user of

source host (22) through a voice verification process over telephone network (15).

Ex. 1101 at ¶ 126.

(1d) receiving at a security computer in a second

channel the demand for access and the login

identification;

As described above for claim element (1c) – verifying – Feigen combined

with Flanagan teaches a security computer (Feigen’s security host 26). Ex. 1003 at

Abstract, 2:63-64, and FIG. 1; Ex. 1005 at FIG. 1. Security host (26) receives the

connection request (demand for access) and login identification from filter (16).

Ex. 1003 at 2:63-3:15, 3:47-52, 3:60-65, 4:3-11, 4:66-5:14, 6:50-55, FIG. 3, and

FIG. 5 (item 100). Flanagan’s programmed processor that controls user access

receives the demand for access and login identification. Ex. 1102 at 2:38-47, 3:49-

4:4, 5:28-36, and FIG. 5 (item 61); Ex. 1101 at ¶ 127.

(1e) outputting from the security computer a prompt

requesting transmission of data;

Feigen’s security host (26) combined with Flanagan teaches a security

computer outputting a prompt requesting transmission of data. Flanagan teaches

that a prompt requesting transmission of data can be output from a security

apparatus, such as a security computer. For example, Flanagan describes

prompting the user via a message sent over a voice connection. Ex. 1102 at FIG.

2, FIG. 4 (item 42), Abstract, 2:47-52, 4:12-20, 5:54-6:9, 6:15-36, and 6:57-7:12;

Ex. 1101 at ¶ 128.

(1f) receiving the transmitted data at the security

computer;

Feigen’s security host (26) combined with Flanagan teaches a security

computer receiving the transmitted data requested in claim element (1e) above.

Flanagan describes receiving the voice information from the voice line. Ex. 1102 at

Abstract, 2:52-57, 6:9-14, 6:36-40, FIG. 4 (items 42 and 43); Ex. 1101 at ¶ 129.

(1g) comparing the transmitted data to

predetermined data; and

Feigen’s security host (26) combined with Flanagan teaches a security

computer that compares transmitted data received in claim element (1f) to

predetermined data. Flanagan describes that the voice information received over

the voice line (15) from telephone (13) is compared with voice information that is

pre-stored and associated with the purported user. Ex. 1102 at Abstract, 2:52-57,

6:9-49, and FIG. 4; Ex. 1101 at ¶ 130.

(1h) depending on the comparison of the transmitted

and the predetermined data, outputting an

instruction from the security computer to the host

computer to grant access to the host computer or

deny access thereto.

Feigen’s security host (26) augmented by Flanagan teaches a security

computer. Feigen’s destination host (28) is a host computer that cannot be accessed

until the user of source host (22) is successfully authenticated by security host (26).

Ex. 1003 at Abstract, 1:56-59, 4:24-30, 4:51-5:11, 7:36-52, FIG. 3, FIG. 5 (item

116), and claims 13 and 16; Ex. 1101 at ¶ 131. The portion of Flanagan integrated

into Feigen’s security host (26) describes that, based on the comparison of the

voice within a preset threshold, the computer grants or denies access to the user.

Ex. 1102 at Abstract, 2:52-3:1, 6:45-56, FIG. 4; Ex. 1101 at ¶ 131.

Ground 1 includes the integration of Falk into Feigen’s security host (26).

Falk describes sending a message to a separate service node 26 (to which a user is

requesting access) to inform the service node whether or not the user was

authenticated. Ex. 1005 at 7:14-17. Falk teaches that the authenticated or not

authenticated message should result in a granting or denial of access, respectively.

Ex. 1005 at FIG. 3 and 6:44-58. Using this functionality from Falk, security host

(26) in Feigen can issue an instruction to destination host (28) to grant or deny

access based on the comparison of voice information received from telephone (13)

via telephone central switch (15). Ex. 1101 at ¶ 132.

b. Dependent Claim 2

Claim 2 depends from Claim 1 and adds “the security computer receives the

demand and login identification from the interception device.” Feigen’s filter 16

(the interception device) routes the connection request messages and the user’s

login identification to the security host 26. Ex. 1003 at FIG. 1 (items 16, 32, and

26), FIG. 3, FIG. 5 (item 100), 3:47-52, 3:60-65, 4:3-11, 4:66-5:14, and 6:50-55;

Ex. 1101 at ¶ 133.

c. Dependent Claim 3

Claim 3 depends from Claim 1 and adds “the demand is received from a

client computer, and the host computer is a web server.” Feigen teaches that the

connection request message (access demand) is received from a client computer

(source host 22) and that the host computer (destination host 28) is a web server

servicing Internet requests. Ex. 1003 at FIG. 1 (items 22 and 28), FIG. 3, Abstract,

2:44-48, 2:63-3:15, and 4:3-11; Ex. 1101 at ¶ 134.

d. Dependent Claim 4

Claim 4 depends from Claim 1 and adds “the step of verifying comprises

retrieving from a database having at least one address record a record

corresponding to the login identification.” Flanagan describes that the verifying

step includes retrieving a record (e.g., a user’s login and password) from where

they are stored (e.g., table 61 of FIG. 5). Ex. 1102 at FIG. 5 and 4:43-56.

Flanagan also describes that the database includes at least one address record (e.g.,

a “preassigned voice number”) associated with the user ID (also shown in table 61

of FIG. 5). Ex. 1102 at FIG. 5, 5:28-36, 2:47-52, and 3:55-4:4; Ex. 1101 at ¶ 135.

e. Dependent Claim 5

Claim 5 depends from Claim 1 and adds “the transmitted data is received

from a peripheral device.” Flanagan describes that the transmitted data is received

from a telephone. Ex. 1102 at FIG. 1 (item 13) and 6:24-38; Ex. 1101 at ¶ 136.

f. Dependent Claim 6

Claim 6 depends from Claim 1 and adds “the peripheral device is one of a

wired telephone, a wireless telephone, and a PDA.” Flanagan describes that the

transmitted data is received from a wired telephone. Ex. 1102 at FIG. 1 (item 13)

and 6:24-38; Ex. 1101 at ¶ 137.

g. Dependent Claim 7

Claim 7 depends from Claim 1 and adds “the step of outputting the prompt

comprises outputting an audible message.” In Flanagan, a voice connection is

established with the purported user, and voice apparatus 14 orally requests that the user

repeat information into the telephone. Ex. 1102 at 2:47-52, 4:12-20, 6:5-9, 6:15-

36, FIG. 2 (item 14 and voice connection path), and FIG. 1 (items 13-15 and voice

connection path). A person skilled in the art would have understood that

Flanagan’s voice apparatus requests would be audible. Ex. 1101 at ¶ 138.

h. Dependent Claim 8

Claim 8 depends from Claim 1 and adds “the step of outputting the prompt

comprises requesting a biometric signal.” Flanagan describes that the user is

queried to repeat a series of digits or a phrase so that a voice match may be

determined. Ex. 1102 at Abstract, 2:47-52, 4:12-20, 6:15-36, FIG. 2, and FIG. 1;

Ex. 1101 at ¶ 139. Biometrics, as used in the ‘698 patent, include voice samples.

Ex. 1001 at Abstract, 2:13-15.

i. Dependent Claim 9

Claim 9 depends from Claim 8 and adds “the audible message comprises an

audible instruction to speak a statement using a peripheral device, and wherein the

biometric signal is the spoken statement transmitted by the peripheral device.”

Flanagan teaches that the audible message includes an instruction for the user to

repeat a randomly selected series of digits or a phrase (e.g., “After the tone, please

speak the following numbers in sequence: five, seven, seven, two”), and the user’s

voice response transmitted by the telephone is the biometric signal. Ex. 1102 at

Abstract, 2:47-52, 4:12-20, 5:54-6:9, 6:15-38, and 6:57-7:12; Ex. 1101 at ¶ 140.

j. Dependent Claim 10

Claim 10 depends from Claim 8 and adds “receiving in a biometric analyzer

the biometric signal.” The term “biometric analyzer” is governed by 35 U.S.C.

§112(6). It has a function “analyzing a monitored parameter of the accessor” and a

structure “monitoring the particular parameter of the individual person; including

(sic) the parameter to a mathematical representation or algorithm therefore (sic);

retrieving a previously stored sample (biometric data), (sic) thereof from a

database and comparing the stored sample with the input of the accessor”.

Flanagan describes that the computer monitors the voice information from

the user received over the telephone, retrieves pre-stored voice information, and

compares the voice information from the user with pre-stored voice information,

and a match is determined within a pre-determined threshold value. Ex. 1102 at

Abstract, 2:52-57, 4:20-29, 6:9-14, 6:24-38; Ex. 1101 at ¶ 142.

“Digits spoken by a user are detected by digit recognizer 23, which includes

an analog to digital convertor for converting received spoken digits into a digital

format and for conveying the digital information, upon request to processor 12 via

bus 21.” Ex. 1102 at 6:9-14. “Processor 12 also retrieves binary information from

table 63 representing the phrase ‘After the tone, please speak the following number

in sequence’ and routes it over bus 21 to voice response unit 22, which converts

the binary information to speech. The binary information representing each of the

four digits of the randomly chosen number ‘9102’ is also retrieved from table 63

and conveyed in sequence over bus 21 to unit 22 where it is also converted to

speech. Thus user AFC4, (step 42, FIG. 4) is asked over the voice connection in

FIG. 1 to repeat the digits ‘9102’ into user telephone 13. User AFC4 then repeats

the digits ‘9102’ into telephone 13 for conveyance over the voice connection.” Ex.

1102 at 6:24-38. “Processor 12 then compares the speech embodied in the

received 4-digit number with the user's stored reference speech for the 4-digit

number. A confidence recognition factor indicating the closeness of the match of

the received speech patterns with the stored reference patterns is assigned to the

received speech. This factor is then compared with a pre-determined threshold

value established to identify valid ‘voice passwords.’” Ex. 1102 at 4:20-29; Ex.

1101 at ¶ 143.

k. Dependent Claim 11

Claim 11 depends from Claim 10 and adds “the biometric analyzer

comprises one of a voice recognition program, a fingerprint verification program,

or both.” Flanagan teaches that the biometric analyzer includes a voice recognition

program that determines a voice match between the voice information received

over the voice line and the pre-stored voice information. Ex. 1102 at Abstract, 2:7-

12, 2:52-57, and 6:57-7:12; Ex. 1101 at ¶ 144.

l. Dependent Claim 12

Claim 12 depends from Claim 8 and adds “retrieving a previously registered

sample corresponding to the login identification and comparing the same to the

biometric signal.” Flanagan describes retrieving a pre-stored voice sample

corresponding to the user’s login identification (e.g., from table 62 in FIG. 5) and

comparing the pre-stored voice sample to the user’s voice signal received over the

telephone. Ex. 1102 at Abstract, 2:52-57, 4:20-29, 6:38-56, 6:57-7:12, 8:16-21, and

FIG. 5 (item 62); Ex. 1101 at ¶ 145.

m. Dependent Claim 13

Claim 13 depends from Claim 12 and adds “the previously registered sample

is stored in a biometric parameter database.” Flanagan describes that the pre-

stored voice sample is stored in a database (e.g., item 62 of FIG. 5). Ex. 1102 at

4:20-29, 6:38-56, 6:57-7:12, 7:55-57, 8:16-21, and FIG. 5 (item 62); Ex. 1101 at ¶

146.

n. Dependent Claim 14

Claim 14 depends from Claim 12 and adds “the previously registered sample

comprises one of a speech sample and a fingerprint sample.” Flanagan teaches that

the pre-stored sample is a voice (speech) sample. Ex. 1102 at 2:7-12, 4:20-29,

6:38-56, 6:57-7:12, 7:55-57, 8:16-21, and FIG. 5 (item 62); Ex. 1101 at ¶ 147.

o. Dependent Claim 15

Claim 15 depends from Claim 1 and adds “the step of outputting the prompt

comprises transmitting a message.” Flanagan teaches outputting a prompt that is

transmitted from the voice apparatus 14 over a voice connection to the user’s

telephone. Ex. 1102 at FIG. 1 (items 13, 14, and voice connection), Abstract, 2:47-

52, 4:12-20, 5:54-6:9, and 6:15-38. This functionality in Flanagan would be

implemented in security host (26) of Feigen in Ground 1. Ex. 1101 at ¶ 148.

p. Dependent Claim 16

Claim 16 depends from Claim 1 and adds the limitation of “connecting or

disconnecting the security computer to and from a peripheral device.” Flanagan

teaches that a user is called in order to obtain voice information to compare to a

pre-stored voice sample. Ex. 1102 at Abstract, 2:38-52, 3:55-4:4, 5:28-36, 5:50-

53. This telephone call setup and tear down would include the steps of both

connecting and disconnecting to and from the telephone device. Further, Flanagan

expressly discusses dropping the voice connection to telephone 13 once it is no

longer needed. Ex. 1102 at 3:1-2 and 4:34-35; Ex. 1101 at ¶ 149.

q. Dependent Claim 17

Claim 17 depends from Claim 1 and adds the limitation of “wherein the

step of outputting the prompt comprises retrieving from an announcement database

a prerecorded audible message that requests entry of the transmitted data and

playing the message using a peripheral device.” Flanagan teaches “Processor 12

also retrieves binary information from table 63 representing the phrase ‘After the

tone, please speak the following number in sequence’ and routes it over bus 21 to

voice response unit 22, which converts the binary information to speech. The

binary information representing each of the four digits of the randomly chosen

number ‘9102’ is also retrieved from table 63 and conveyed in sequence over bus

21 to unit 22 where it is also converted to speech. Thus user AFC4, (step 42, FIG.

4) is asked over the voice connection in FIG. 1 to repeat the digits ‘9102’ into user

telephone 13. User AFC4 then repeats the digits ‘9102’ into telephone 13 for

conveyance over the voice connection.” Ex. 1102 at 6:24-38. “Processor 12 then

compares the speech embodied in the received 4-digit number with the user's

stored reference speech for the 4-digit number. A confidence recognition factor

indicating the closeness of the match of the received speech patterns with the

stored reference patterns is assigned to the received speech. This factor is then

compared with a pre-determined threshold value established to identify valid

‘voice passwords.’” Ex. 1102 at 4:20-29; Ex. 1101 at ¶ 150.

r. Dependent Claim 19

Claim 19 depends from Claim 1 and adds “synthesizing an audible message

from a stored message and playing the synthesized message over a telephone.”

Flanagan describes that a digital to analog converter generates speech from stored

text in a digital format. Ex. 1102 at 5:54-6:9; Ex. 1101 at ¶ 151.

s. Dependent Claim 20

Claim 20 depends from Claim 1 and adds “the security computer comprises

an authentication program for authenticating access to the host computer.”

Feigen’s security host (26) includes an authentication program for authenticating a

user’s access to destination host (28). Ex. 1003 at Abstract, 1:56-59, 3:60-65,

4:12-24, 6:56-59, and FIG. 5 (items 100 and 102); Ex. 1101 at ¶ 152.

t. Dependent Claim 21

Claim 21 depends from Claim 1 and adds “the interception device is a

router.” Feigen’s filter (16), which intercepts connection request messages from

source host (22) to destination host (28) and routes them to the security host 26,

can be a router. Ex. 1003 at 2:63-3:15; Ex. 1101 at ¶ 153.

u. Dependent Claim 22

Claim 22 depends from Claim 1 and adds “the first channel comprises one of

a wide area network and a local area network.” Feigen’s outside network (12) over

which the user sends the connection request message toward the destination host

(28) can be the Internet (a wide area network). Ex. 1003 at Abstract and 2:44-48.

Flanagan describes that the user can establish a data connection with the computer

over a wide area network. Ex. 1102 at 3:26-35 and FIG. 1. Flanagan also

describes that the data connection can be established over a local area network.

Ex. 1102 at 3:26-35 and FIG. 1; Ex. 1101 at ¶ 154.

v. Dependent Claim 23

Claim 23 depends from Claim 1 and adds “the transmitted data is a dual tone

multi frequency (DTMF) personal identification number.” Falk describes that the

transmitted data (e.g., a PIN) is entered into the telephone keypad with a DTMF

transmitter to input the PIN into the microphone of the telephone. Ex. 1005 at

6:19-25, 7:36-39, 2:23-29, and 4:8-15; Ex. 1101 at ¶ 155.

w. Dependent Claim 24

Claim 24 depends from Claim 23 and adds “the dual tone multi frequency

(DTMF) personal identification number is a password.” A person of skill in the art

would understand that Falk’s PIN called out for Claim 23 could be a password that

was generated for or by the user and entered as “something the user knows.” Ex.

1005 at 6:19-22, 7:36-39, 2:23-29, and 4:8-15; Ex. 1101 at ¶ 156.

x. Independent Claim 53

(53a) A software method for employing a

multichannel security system to control access to a

computer, comprising the steps of:

See claim element (1a) in Ground 1. Ex. 1101 at ¶¶ 115-120, 157-164.

(53b) receiving in a first channel a login identification

demand to access a host computer also in the first

channel;

See claim element (1b) in Ground 1. Ex. 1101 at ¶¶ 121-123, 165-167.

(53c) verifying the login identification;

See claim element (1c) in Ground 1. Ex. 1101 at ¶¶ 124-126, 168-170.

(53d) receiving at a security computer in a second

channel the demand for access and the login

identification;

See claim element (1d) in Ground 1. Ex. 1101 at ¶¶ 127, 171.

(53e) outputting from the security computer a prompt

requesting a transmission of data;

See claim element (1e) in Ground 1. Ex. 1101 at ¶¶ 128, 172.

(53f) receiving the transmitted data at the security

computer;

See claim element (1f) in Ground 1. Ex. 1101 at ¶¶ 129, 173.

(53g) comparing the transmitted data to

predetermined data; and

See claim element (1g) in Ground 1. Ex. 1101 at ¶¶ 130, 174.

(53h) depending on the comparison of the transmitted

and the predetermined data, outputting an

instruction from the security computer to the host

computer to grant access to the host computer or

deny access thereto.

See claim element (1h) in Ground 1. Ex. 1101 at ¶¶ 131-132, 175-176.

y. Independent Claim 54

(54a) Apparatus for implementing a multichannel

security system to control access to a computer,

comprising:

See claim element (1a) in Ground 1. Ex. 1101 at ¶¶ 115-120, 177-184.

(54b) a device for receiving a login identification and

demand to access a host computer, wherein the

device and the host computer are in a first

channel; and

See claim element (1b) in Ground 1. Ex. 1101 at ¶¶ 121-123, 185-187.

(54c) a security computer in a second channel for

receiving the login identification and the access

demand and

See claim elements (1c) and (1d) in Ground 1. Ex. 1101 at ¶¶ 124-127, 188-

191.

(54d) outputting a prompt requesting a transmission

of data once said login identification is verified by

said security computer,

See claim elements (1c) and (1e) in Ground 1. See claim element (1d) in

Ground 1. Ex. 1101 at ¶¶ 124-126, 128, 192.

(54e) wherein said security computer comprises a

component for receiving the transmitted data and

comparing said transmitted data to

predetermined data,

“Component for receiving the transmitted data and comparing it to

predetermined data” is governed by 35 U.S.C. §112(6). It is construed as having a

function of “receiving the transmitted data and comparing said transmitted data to

predetermined data” (see, Section V, above) and a structure of “‘698 patent at FIG.

9C, steps 186-196, 10:46-65 and/or ‘698 patent, FIGs. 9C-9D, steps 200-208,

11:24-55.” Id.

Step 200 is “Prompt user and collect speech password.” Step 202 is “User

voices speech password.” Step 204 is “Speech module retrieves speech password

associated with login ID.” Step 206 is “Speech module verifies speech password.”

Step 208 is “Does the speech password match?”

As described above, Feigen combined with Flanagan teaches a security

computer. The portion of Flanagan integrated into Feigen’s security host (26) in

Ground 1 teaches receiving the transmitted data requested in claim element (54e)

above. Flanagan describes prompting the user via a message sent over a voice

connection and receiving the voice information from the voice line. Ex. 1102 at

FIG. 2, FIG. 4 (item 42 and 43), Abstract, 2:47-57, 4:12-20, 5:54-6:9, 6:9-36, 6:36-

40 and 6:57-12. Flanagan further describes that the voice information received

over the voice line (15) from telephone (13) is compared with voice information

that is pre-stored and associated with the purported user. Ex. 1102 at Abstract,

2:52-57, 6:9-14, and FIG. 4; Ex. 1101 at ¶¶ 193-195.

In more detail, Flanagan states: “If the login and password information input

by the user, match pre-stored login and password information maintained in

memory by processor 12, the processor then independently attempts to establish a

voice connection to user telephone 13—which ideally is in close physical

proximity to user terminal 11.” Ex. 1102 at 3:49-55. “After establishment of the

voice connection, processor 12 generates a 4-digit random number (e.g., 5772) and

controls voice apparatus 14 to request the user to repeat the 4-digit number into the

user telephone 13 …” Ex. 1102 at 4:12-20. “Using a voice recognition technique,

the computer matches received voice information with pre-stored voice

information for the user and generates a confidence recognition factor

indicating how closely the received voice matches the stored voice of the user.”

Ex. 1102 at 2:52-57. “If the factor exceeds a preset threshold, the user is afforded

access to the computer.” Ex. 1102 at 2:57-3:1; Ex. 1101 at ¶ 196.

(54f) such that, depending on the comparison of the

transmitted and the predetermined data, said

security computer outputs an instruction to the

host computer to grant access to the host

computer or deny access thereto.

See claim element (1h) in Ground 1. Ex. 1101 at ¶¶ 131-132, 197-198.
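
The flow quoted from Flanagan above, ending in the grant-or-deny instruction of element (54f), shown as an added Python example that is not part of the petition or of either reference. The cosine-similarity voice score, the 0.90 threshold, the check of the spoken digits, and all names are assumptions, and the enrolled user is constructed.

```python
import hashlib, hmac, math, secrets

THRESHOLD = 0.90  # assumed value for the "preset threshold"

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def confidence(sample, enrolled):
    # Stand-in for voice recognition: cosine similarity of feature vectors.
    dot = sum(a * b for a, b in zip(sample, enrolled))
    norm = math.sqrt(sum(a * a for a in sample)) * math.sqrt(sum(b * b for b in enrolled))
    return dot / norm if norm else 0.0

class SecurityComputer:
    def __init__(self, users):
        self.users = users    # login -> {"salt", "pw", "voiceprint"}
        self.pending = {}     # login -> outstanding 4-digit challenge

    def begin(self, login, password):
        # In-band step: login/password must match before any call is placed.
        u = self.users.get(login)
        if u is None or not hmac.compare_digest(pw_hash(password, u["salt"]), u["pw"]):
            return None
        self.pending[login] = f"{secrets.randbelow(10_000):04d}"
        return self.pending[login]  # spoken to the user over the voice channel

    def finish(self, login, spoken_digits, voice_features):
        # Out-of-band step: compare received data with stored data, then
        # output the instruction the host computer acts on.
        challenge = self.pending.pop(login, None)  # single use, so no replay
        if challenge is None:
            return "DENY"
        # Assumption: the digits recognised from the call must equal the challenge.
        digits_ok = hmac.compare_digest(spoken_digits.encode(), challenge.encode())
        score = confidence(voice_features, self.users[login]["voiceprint"])
        return "GRANT" if digits_ok and score > THRESHOLD else "DENY"

def demo_security_computer():
    # Constructed enrolment record for a hypothetical user "alice".
    salt = b"constructed-salt"
    return SecurityComputer({"alice": {"salt": salt,
                                       "pw": pw_hash("correct horse", salt),
                                       "voiceprint": [0.9, 0.1, 0.4]}})
```

The decision denies by default: a missing challenge, wrong digits, or a score at or below the threshold all produce the deny instruction.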

X. Conclusion

Petitioner respectfully requests institution of inter partes review and

cancellation of the Challenged Claims based upon each of the grounds presented

herein.

The fee specified by 37 C.F.R. §42.15(a) is electronically submitted

herewith. The Director is authorized to charge any additional fees (or credit any

overpayments) to Deposit Account 19-2112.

Respectfully submitted,

Date: March 14, 2017 By: /John D. Garretson/

John D. Garretson

Reg. No. 39,681

Lead Counsel for Petitioner

Attachment A: Certification of Word Count

CERTIFICATION OF WORD COUNT

Pursuant to 37 C.F.R. § 42.24(d), the undersigned certifies that the foregoing

Petition includes 11,291 words, which is less than the 14,000 words allowed under

37 C.F.R. § 42.24(a)(1)(i). As provided by 37 C.F.R. § 42.24(a)(1)(i), this word

count does not include the table of contents, table of authorities, grounds for

standing, mandatory notices, certificate of service, this certificate of word count, or

appendix of exhibits or claim listing. In making this certification, the undersigned

has relied on the word count of the word-processing system used to prepare the

foregoing Petition, which is in accordance with 37 C.F.R. § 42.24(d).

Date: March 14, 2017 By: /John D. Garretson/

John D. Garretson

Reg. No. 39,681

Lead Counsel for Petitioner

Attachment B: Proof of Service Petition

CERTIFICATE OF SERVICE

Pursuant to 37 C.F.R. §§ 42.6(e) and 42.105, the undersigned certifies that

on this March 14, 2017, a complete and entire copy of the foregoing Petition for

Inter Partes Review and all support exhibits were provided via FedEx Priority

Overnight, costs prepaid, to the Patent Owner by serving the correspondence

address of record as follows:

Attn: Michael Greenbaum

Blank Rome LLP

1825 Eye Street NW

Washington, DC 20006-5403

With a courtesy copy provided electronically to: Salvatore P. Tamburo,

Blank Rome LLP, at [email protected].

Date: March 14, 2017 By: /John D. Garretson/

John D. Garretson

Reg. No. 39,681

Lead Counsel for Petitioner