Improved Method For Overcoming Hacking By Turning On And Off Authentication Held Patent Eligible

Published date: 04 May 2022
Subject Matter: Intellectual Property, Patent
Law Firm: Manatt, Phelps & Phillips LLP
Author: Mr Irah H. Donner

In CosmoKey Solutions GMBH & Co. KG v. Duo Security LLC,1 the Federal Circuit held that an improved method for overcoming computer hacking by turning on and off the authentication process was patent eligible. The court held that the claims recited an improved method for preventing hacking by activating a normally disabled authentication function only for a specific transaction, communicating the activation within a specific time period, and then deactivating the authentication function.

Judge Jimmie V. Reyna concurred, arguing that the majority failed to determine whether the invention was abstract under the first step of the patent eligibility test, but agreeing with the majority that the claims were not abstract because they were directed to a specific improvement to authentication that increased security and prevented unauthorized access by a third party.

U.S. Patent No. 9,246,903 ('903 patent) related to an authentication method that was low in difficulty and high in safety. The specification stated that the authentication method ensures that no third party can fake the identification data of a user in control of his or her mobile device and make unauthorized transactions. The specification further stated that the invention improved the prior art mobile phone authentication methods by activating the authentication function within a short time window after sending the user identification.

The specification explained that instead of forcing the user to enter several authentication factors using different communication channels, the method verifies the user's identity by sending the user identification through a first communication channel and checking using a second communication channel that an authentication operation was activated in the user's mobile device.

Claim 1 of the '903 patent recited the following:

1. A method of authenticating a user to a transaction at a terminal, comprising the steps of:

transmitting a user identification from the terminal to a transaction partner via a first communication channel,

providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user,

as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel,

ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction,

ensuring that said response from the second communication channel includes information that the authentication function is active, and

thereafter ensuring that the authentication function is automatically deactivated.
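
The steps of claim 1 can be read as a small protocol. The sketch below is an added illustration, not code from the '903 patent, the court's opinion or either party. The class names, the 30-second window and the choice to deactivate after every check are assumptions made for the example.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 30.0  # assumed value for the "predetermined time relation"

@dataclass
class MobileDevice:
    active: bool = False  # the authentication function is normally inactive

    def activate(self) -> None:
        self.active = True  # user switches it on only for the pending transaction

    def respond(self, now: float) -> dict:
        # Response on the second channel states whether the function is active.
        return {"active": self.active, "at": now}

class AuthenticationDevice:
    def __init__(self, devices: dict):
        self.devices = devices  # user identification -> registered mobile device

    def authenticate(self, user_id: str, sent_at: float, checked_at: float) -> bool:
        device = self.devices.get(user_id)
        if device is None:
            return False
        response = device.respond(checked_at)
        elapsed = response["at"] - sent_at
        granted = response["active"] and 0 <= elapsed <= WINDOW_SECONDS
        device.active = False  # automatic deactivation (assumed to follow every check)
        return granted

def run_scenarios() -> dict:
    # Constructed timestamps (seconds) and a constructed user identification.
    phone = MobileDevice()
    auth = AuthenticationDevice({"alice": phone})
    results = {}
    phone.activate()
    results["legitimate"] = auth.authenticate("alice", sent_at=100.0, checked_at=105.0)
    # Same identification resubmitted: the function has already been deactivated.
    results["replay"] = auth.authenticate("alice", sent_at=106.0, checked_at=107.0)
    # Third party submits the identification; the user never activated anything.
    results["not_activated"] = auth.authenticate("alice", sent_at=200.0, checked_at=201.0)
    phone.activate()
    # Activation reported outside the window fails the time-relation check.
    results["late"] = auth.authenticate("alice", sent_at=300.0, checked_at=400.0)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```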

CosmoKey sued Duo Security LLC for infringement of the '903...
