Context: Requests for Comments (or RFCs) are standards that describe the Internet’s technical foundations, such as addressing, routing, and transport technologies. They can be used to specify protocols on the Web to deliver services used by people worldwide, such as real-time collaboration, email, and the domain name system. Some major RFC standards include RFC 5322, which defines the format for email messages, RFC 792, which defines the Internet Control Message Protocol (i.e. error reporting, diagnostics), and RFC 6238, which defines the algorithm to generate a Time-based One-Time Password (TOTP). Last October, California-based cybersecurity firm Biogy sued U.S. food retailer Albertsons Companies in the Eastern District of Texas for infringing a patent related to RFC 6238. The parties later filed a joint stipulation of dismissal in April. Since then, Biogy has sent letters to Microsoft’s counsel and customers, accusing its products Microsoft Entra ID and Microsoft Authenticator of infringing that same patent. Several Microsoft customers have urged the company to defend and indemnify them against Biogy’s allegations.
What’s new: Microsoft has filed a complaint for declaratory judgment in the Northern District of California for the non-infringement of U.S. Patent No. 7,669,236 (“Determining whether to grant access to a passcode-protected system”). It has stated that, based on Biogy’s “litigation behavior” against Albertsons Companies, Microsoft has a “fair apprehension of being targeted by Biogy in a lawsuit”. It is also concerned that Biogy will sue at least one of its customers, based on their use of its Microsoft Entra ID product. Microsoft has urged the court to issue a declaratory judgment with “sufficient immediacy” as the allegations show there is a “definite and concrete, real and substantial, justiciable controversy” between the companies.
Direct impact and wider ramifications: As noted by Microsoft in the complaint, if Biogy sues one or more of its customers, Microsoft will have an obligation to defend or indemnify at least one of these customers. It will be interesting to see where this case goes, as RFC patent lawsuits are not a common phenomenon.
This is the complaint:
The products that Biogy alleges implement the RFC 6238 patent are:
- Microsoft Entra ID: a cloud-based identity and access management service. One optional part of Microsoft Entra ID generates and processes TOTPs as one of several possible factors that might be used in multi-factor authentication; and
- Microsoft Authenticator: an application used for account sign-in. One optional part of Microsoft Authenticator also generates TOTPs as one of several possible factors that might be used in multi-factor authentication.
Biogy alleges that Microsoft Authenticator, as a TOTP application, allegedly conforms to RFC 6238. Meanwhile, one of Microsoft Entra ID’s webpages discusses OATH tokens, and proves that Microsoft’s TOTPs allegedly conform to RFC 6238.
“Biogy’s infringement allegations against Microsoft’s customers are effectively accusations that Microsoft itself allegedly infringes the ’236 patent, both directly and indirectly,” Microsoft writes.
It has also effectively alleged that Microsoft has “induced” its customers to use those products in a manner that infringes the same patent, it adds. But Microsoft denies infringing the patent, stating that the Microsoft Entra ID and Microsoft Authenticator do not generate passcodes or passcode generators that satisfy all of the requirements of the claims, such as based on information associated with a user. And, they add, the products do not store any such new passcode generator in place of a prior/current passcode generator.
One reason Microsoft is concerned that Biogy will launch an infringement suit against it is that the sole discovery request served by Biogy in its litigation against the Albertsons Companies specifically identified Microsoft as a supplier of the type of one-time passcodes it accused of infringement. Biogy also sought data related to one-time passcodes provided by Microsoft in connection with Microsoft’s dealings with Albertsons Companies.
Counsel
Microsoft is being represented by Fish & Richardson’s Michael R. Headley, Ahmed J. Davis, and Jeffrey A. Shneidman.
In a separate case yesterday, the Federal Circuit affirmed the dismissal of a declaratory judgment complaint filed by Mitek against the U.S. Automobile Association. However, the failure of that particular complainant appears distinguishable from Microsoft stepping in to protect its customers who have received infringement notices. In that decision, the Federal Circuit stressed in footnote 4 that “in the wake of MedImmune [that name in italics], ‘proving a reasonable apprehension of suit is one of multiple ways that a declaratory judgment plaintiff can satisfy the more general allthe-circumstances test’ to establish jurisdiction.”