Microsoft, PhoneFactor Slapped With Lawsuit by Obscure Patent-Holder

Using a phone as a second lock on your online account? A New Jersey firm claims to own the patent on that and has filed suit against Microsoft and PhoneFactor.

Claiming to own a fundamental patent on using out-of-band communications for user authentication—for example, using a smartphone to securely confirm a user’s intent to log into a Website—little-known Edison, N.J.-based StrikeForce Technologies is looking to shake up the security industry.

On March 28, the firm filed a lawsuit against Microsoft and its recently acquired PhoneFactor subsidiary, claiming the company and two financial clients—Fiserv and First Midwest Bancorp—infringed its patent.

Ram Pemmaraju, now the company's chief technology officer, applied for a patent in 2004 for his "Multichannel Device Utilizing A Centralized Out-of-Band Authentication System (COBAS)," which was granted in January 2011 and assigned U.S. Patent No. 7,870,599.

"We have filed today our first lawsuit designed to protect this critical StrikeForce asset, which is definitely increasing in importance with consistently troubling news about cyber-attacks and cyber-thefts," Mark Kay, the firm's CEO, said in a statement.

Out-of-band authentication is increasingly used to protect the online accounts of both workers and consumers, strengthening security by ensuring that a user not only knows the account password but also has access to a second factor: a previously registered phone or other communications device.

While some schemes—such as one-time passwords and security codes sent through text messaging—improve security, they can be circumvented by an attacker who controls the victim's browser, because the attacker can change transactions on the fly while the verification code stays the same.

Such man-in-the-browser attacks will not defeat out-of-band authentication, however.

The company, whose common stock trades over the counter at less than a penny and whose market capitalization falls short of $3 million, has not gotten a lot of respect from other authentication technology providers.

"We literally went out to a bunch of people and told them we had the patent and they treated us like a dirty old mangy mutt," George Waller, StrikeForce's director of marketing, told eWEEK in a March interview.

The lawsuit is not the first time that PhoneFactor has had to fight claims of infringement. Authentify, which has four patents covering various aspects of out-of-band authentication, filed suit against PhoneFactor and settled with the company in August 2012. Authentify remained unfazed by StrikeForce Technologies' claims.

"Authentify’s own patents and the claims contained therein have survived challenges in the past," John Zurawski, vice president of marketing for Authentify, said in an email to eWEEK. "We began deploying applications in 2001 and some of our patent applications were filed prior to then. As our solutions are based on what’s contained in our own patents, we don’t anticipate much of an impact."

PhoneFactor directed all questions regarding the lawsuit to Microsoft, its parent company, which declined to comment. Two other firms that have two-factor security solutions also declined to comment. Speaking anonymously, one firm's executive said they believed StrikeForce's claims to be limited in scope. In an email to eWEEK, StrikeForce rebutted that characterization.

StrikeForce has retained Blank Rome LLP to represent them in the litigation.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...