Background
CosmoKey Solutions holds U.S. Patent No. 9,246,903, which covers a method for authenticating users during online transactions using two separate communication channels. The claimed method sends a user’s identity through a first channel (e.g., a website connection) and then uses a second channel (e.g., a mobile device app) to verify whether an authentication function is “active” in response to the transaction request. This two-channel approach is designed to prevent certain forms of online fraud and man-in-the-middle attacks that could compromise single-channel authentication systems.
CosmoKey sued Duo Security (a company known for its two-factor authentication products) for infringement. The district court granted Duo’s motion for judgment on the pleadings, ruling the ‘903 patent was directed to an abstract idea — the generic concept of verifying identity — and lacked an inventive concept sufficient to pass the second step of the Alice framework. CosmoKey appealed.
The Court’s Holding
The Federal Circuit reversed, holding that the asserted claims are patent eligible under 35 U.S.C. § 101. The majority focused its analysis at Alice step two (the inventive concept inquiry), finding that the claims recite a specific, concrete improvement to computer-implemented authentication rather than an abstract idea applied generically to a computer.
The court found that the patent does not merely claim the abstract concept of two-factor authentication. Rather, it describes a particular technical solution: activating an authentication function only temporarily and only in response to a specific transaction trigger, using a second channel that is independent of the primary transaction channel. This architecture prevents attacks where a bad actor intercepts the primary channel, because the authentication signal travels through an entirely separate pathway. The court held that these specific, claimed steps constitute a “technical solution to a security problem” that transforms the abstract concept into patent-eligible subject matter under step two.
Judge Reyna concurred in the result but wrote separately to note his disagreement with the majority’s methodology. In Reyna’s view, the majority improperly skipped or conflated Alice step one (whether the claims are directed to an abstract idea) and went directly to step two. Reyna maintained that courts must analyze both steps sequentially, even if the ultimate conclusion is the same.
Key Takeaways
- A patent claiming a specific technical method of improving authentication — including the use of separate communication channels and conditional activation mechanisms — can survive § 101 challenge as a concrete technical improvement rather than an abstract idea.
- When evaluating cybersecurity patents under Alice, courts should look at whether the claims describe a specific implementation or architecture that solves a concrete problem, not just whether the general concept of security is abstract.
- The case adds to a line of Federal Circuit decisions (including Enfish, DDR Holdings, Finjan, and others) upholding software patents where the claims focus on a specific technical solution rather than a result or functional outcome.
- Judge Reyna’s concurrence signals ongoing judicial tension about how to properly apply the two-step Alice framework, particularly whether and when courts can jump to step two.
Why It Matters
Two-factor and multi-factor authentication has become a cornerstone of modern cybersecurity, and the patents covering these technologies carry significant commercial value. CosmoKey v. Duo Security demonstrates that authentication patents can survive § 101 challenges when they claim a specific technical architecture rather than a broad outcome. For innovators in the security technology space, the decision reinforces that careful patent drafting — focusing claims on the concrete technical mechanism rather than the functional goal — is essential to surviving eligibility review. For practitioners challenging such patents, it clarifies that a generic label like “verifying identity” is not enough to characterize claims as abstract if they specify how that verification works in a technically innovative way.