Patent 6993658
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Active provider: Google · gemini-2.5-flash
Obviousness Analysis under 35 U.S.C. § 103 for US Patent 6,993,658
Under 35 U.S.C. § 103, a patent claim is unpatentable if "the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains." The analysis typically involves considering: (1) the scope and content of the prior art; (2) the differences between the prior art and the claims at issue; (3) the level of ordinary skill in the pertinent art; and (4) secondary considerations of nonobviousness (e.g., commercial success, long-felt need, failure of others).
The "Prior Art" and "PTAB challenges" sections indicate that all claims (1-7) of US Patent 6,993,658 were found unpatentable under 35 U.S.C. § 103 as obvious during Inter Partes Review (IPR) proceeding IPR2023-00425. This outcome, if upheld on appeal, is highly persuasive evidence of obviousness.
Identified Combinations of Prior Art and Motivation to Combine
The PTAB's institution decision for IPR2023-00425 found a reasonable likelihood that claims 1-7 of US6993658B1 are unpatentable as obvious over various combinations of prior art, specifically mentioning:
- US Patent 6,052,789 (Abadi)
- US Patent Application Publication 2002/0069363 (Monk)
- Other unnamed references.
While the full text of Abadi and Monk is not available here, the patent itself, in its "Background of the Invention," clearly sets forth the problem that a person having ordinary skill in the art (PHOSITA) would have been motivated to solve: the inconvenience of carrying a dedicated security token like the SecurID card. The patent states: "The SecurID product, however, requires users to carry an additional item on their person in order to access a secure system. It would be advantageous if the benefits of the SecurID system could be achieved using a device that many users already carry—a personal communication device such as a mobile phone or a pager."
This statement provides the explicit motivation for a PHOSITA, at the time of the invention (priority date March 6, 2000), to combine known two-factor authentication schemes with ubiquitous personal communication devices.
Obviousness Combination: Abadi in view of Monk (and general knowledge of SecurID and personal communication devices)
A PHOSITA would be motivated to combine the teachings of Abadi (presumed to teach core aspects of a secure authentication system, possibly involving tokens or multi-factor authentication) and Monk (presumed to teach aspects of authentication or secure communication, potentially involving external devices or network interactions) for the following reasons:
- Known Problem: The problem of users having to carry separate, dedicated authentication devices (like the SecurID card) was well-recognized in the art, as explicitly stated in US6993658B1 itself.
- Existing Solutions: Systems like SecurID offered robust two-factor authentication, utilizing "something you know" (passcode) and "something you have" (the card generating a token).
- Advancements in Communication Technology: Around the priority date of US6993658 (March 6, 2000), personal communication devices like mobile phones and pagers were becoming increasingly common and sophisticated, capable of receiving text messages (e.g., SMS). A PHOSITA would readily recognize these devices as a convenient "something you have" that users already carry.
- Foreseeable Substitution/Combination: Given the desire to eliminate a dedicated hardware token, it would have been obvious for a PHOSITA to adapt an existing two-factor authentication method (as might be taught by Abadi or Monk individually, or in combination with general knowledge of SecurID-like systems) to leverage the ubiquitous personal communication devices for token delivery. Replacing a dedicated token generator with a personal communication device that receives a token from a server would be a logical step to improve user convenience without sacrificing the core security benefits of two-factor authentication.
Applying the Combination to Independent Claims:
Given the PTAB's finding of obviousness for claims 1-7, it is highly probable that the combination of Abadi and Monk (and potentially other unnamed references or general knowledge) would teach or suggest all elements of independent claims 1 and 5:
Claim 1 (Method of Authentication):
- Associating user with personal communication device (PCD) over a second network: It would be obvious to associate a user's account with their mobile phone number or pager number for communication purposes, as these were common practices for alerts and messaging.
- Receiving a request for a token via PCD over the second network: Mobile phones and pagers were capable of sending requests (e.g., by making a call, sending an SMS) and receiving data (e.g., caller ID, SMS).
- Generating a new password based on token and passcode: Standard practice in two-factor authentication, exemplified by SecurID, combined a memorized passcode with a dynamically generated token. The method of combining them (e.g., concatenation) would also be obvious.
- Setting the new password & activating/deactivating access: These are standard administrative functions in secure computer networks, easily integrated with a token-based system. The idea of time-limited access or tokens was also known in the art (e.g., SecurID tokens changing every 60 seconds).
- Transmitting the token to the PCD: Utilizing a cell phone network (the second network) to send an SMS message or a pager message to a user's device to deliver a token would have been an obvious application of existing communication technologies.
- Receiving the password from the user via the first secure computer network: This is a fundamental step in any authentication process for a secure computer network.
Claim 5 (User Authentication System):
- The system elements (computer processor, user database, control module, communication module, authentication module) are standard components for implementing authentication schemes and network communications.
- The functionality described in Claim 5 directly maps to the method steps of Claim 1. A PHOSITA, seeking to implement the method of Claim 1, would design a system with these components, integrating existing communication modules (e.g., an SMS modem or an ISDN card as described in the patent itself) to communicate with the personal communication device via a cellular network. The communication module being "configured to transmit the token to the personal communication device through the cell phone network" is the direct implementation of the solution to the "additional item" problem.
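The Claim 1 steps and the Claim 5 modules discussed above, sketched as an added example; it is not code from the patent, the IPR record, or this page's source. The class and method names, the six-digit token, the 60-second validity window and the sample phone number are assumptions, and concatenation is used because it is the combining method this analysis mentions.

```python
import hmac
import secrets
import time

TOKEN_TTL = 60  # seconds; assumed validity window, not a value taken from the claims

class AuthServer:
    """Toy model of the claimed flow; all names here are hypothetical."""
    def __init__(self, send_sms, clock=time.time):
        self.users = {}            # user database
        self.send_sms = send_sms   # communication module (second network)
        self.clock = clock

    def enroll(self, user_id, phone, passcode):
        # Associate the user with a personal communication device.
        # A real system would store a passcode verifier, not the passcode.
        self.users[user_id] = {"phone": phone, "passcode": passcode,
                               "password": None, "expires": 0.0}

    def request_token(self, phone):
        # Token request arrives over the second network, keyed by device number.
        user = next((u for u in self.users.values() if u["phone"] == phone), None)
        if user is None:
            return False
        token = f"{secrets.randbelow(10**6):06d}"
        # New password = passcode + token (concatenation).
        user["password"] = user["passcode"] + token
        user["expires"] = self.clock() + TOKEN_TTL   # activate access
        self.send_sms(phone, token)                  # transmit token to the device
        return True

    def login(self, user_id, password):
        # Password arrives over the first (secure computer) network.
        user = self.users.get(user_id)
        if user is None or user["password"] is None:
            return False
        if self.clock() >= user["expires"]:
            user["password"] = None                  # deactivate on expiry
            return False
        if not hmac.compare_digest(user["password"].encode(), password.encode()):
            return False
        user["password"] = None                      # deactivate after one use
        return True

if __name__ == "__main__":
    sent = []  # constructed stand-in for the SMS gateway
    srv = AuthServer(lambda phone, token: sent.append(token))
    srv.enroll("alice", "+15555550100", "4321")  # constructed sample values
    srv.request_token("+15555550100")
    print(srv.login("alice", "4321" + sent[-1]))
```

The token alone is rejected, as is the passcode alone; only the combined value, presented once inside the validity window, is accepted.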
Conclusion on Obviousness:
Based on the available information and the explicit problem statement within US6993658B1, a PHOSITA would have been motivated to combine known two-factor authentication principles (e.g., as embodied by the SecurID product or references like Abadi and Monk) with widely available personal communication technologies (mobile phones, pagers, SMS) to improve user convenience by eliminating the need for a separate hardware token. The PTAB's Final Written Decisions finding claims 1-7 unpatentable under 35 U.S.C. § 103 strongly support this obviousness assessment.
Generated 6/11/2026, 6:02:40 PM