Your browser cannot display this PDF inline.
Download the full opinion (PDF)Background
DynaPass IP Holdings LLC owns U.S. Patent No. 6,993,658, which covers a method for authenticating users on a secure computer network using a token delivered to the user’s mobile phone. The claimed system works like this: when a user wants to log in, they request a token via their cell phone; the system generates a new password by combining that token with a passcode already known to the user; the combined password is set for the account and then transmitted to the phone; the user submits that combined password to gain access. The patent’s key innovation was tying authentication to a personal communication device on a separate network from the one being secured.
DynaPass sued Bank of America (BofA) in the Eastern District of Texas, alleging that the two-factor authentication feature in BofA’s Mobile Banking Application infringed claims 1–7 of the ‘658 patent. The pivotal question was the meaning of one phrase in Claim 1: “receiving the password from the user.” The district court construed that phrase to require the user to submit the passcode and token already combined into a single password — not to submit the two components separately. Under that construction, both parties stipulated to non-infringement (BofA’s app receives the passcode and token separately), and the district court dismissed the case with prejudice.
The Court’s Holding
The Federal Circuit unanimously affirmed. Chief Judge Moore’s opinion holds that the plain claim language compels the district court’s construction. Claim 1 traces a clear sequence: (1) generate a new password from the token and passcode; (2) set the account password to that new password; then (3) receive the password from the user. By the time step (3) happens, the password already exists as a combined string. Receiving the passcode and token separately at that point would not constitute “receiving the password” because the separate components are not the claimed password.
DynaPass argued that the patent’s written description discloses an alternative embodiment in which the passcode and token are submitted separately, so “receiving the password” should be broad enough to cover separate submission. The Federal Circuit rejected this: the mere existence of an alternative embodiment in the specification does not expand claim scope when the claim language itself is unambiguous. The court noted that the specification consistently juxtaposes “the password” against its constituent “passcode and token components,” confirming that the two are not interchangeable. Under the Federal Circuit’s GPNE Corp. v. Apple Inc. rule, when a patent “repeatedly and consistently characterizes a claim term in a particular way, it is proper to construe the claim term according to that characterization.”
Key Takeaways
- Claim language controls over spec embodiments. A patent that discloses multiple embodiments does not automatically get claim scope broad enough to cover all of them — the patentee’s chosen claim language is the ceiling.
- Sequential claim structure matters. When a claim sets up a multi-step sequence (generate → set → receive), each step is informed by what came before. Courts will read the steps together, not in isolation.
- Consistent spec usage = narrower construction. Repeatedly distinguishing a combined “password” from its separate “passcode and token” components throughout the specification locked DynaPass into the narrower construction.
- Authentication patent claims need careful drafting. Modern 2FA systems typically send a one-time code (token) separately from a static password. Claims drafted around older “combined password” architectures may not reach those systems.
Why It Matters
Two-factor authentication is now standard for online banking, social media, and enterprise systems — making authentication patents a recurring area of NPE (non-practicing entity) litigation. This decision illustrates a recurring vulnerability in such patents: the claims may have been drafted around one particular way of combining credentials (user submits a pre-formed combined string), while modern implementations use separate transmission channels for each factor. Accused infringers and practitioners defending against authentication NPEs should closely examine whether the claims require a single combined credential to be received, rather than separate components — because many real-world 2FA systems send the OTP code to the phone and receive the static password separately.
For patent drafters, the case is a reminder that disclosing an alternative embodiment in the specification is not enough — the claims themselves must affirmatively recite that embodiment to capture it. When drafting authentication claims, consider whether the claim language is broad enough to cover systems where each authentication factor is transmitted and received independently.