Auth Token LLC v. City National Bank, an RBC Company

CourtDistrict Court, S.D. New York
DecidedJanuary 14, 2026
Docket1:25-cv-03870
StatusUnknown

This text of Auth Token LLC v. City National Bank, an RBC Company (Auth Token LLC v. City National Bank, an RBC Company) is published on Counsel Stack Legal Research, covering District Court, S.D. New York primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
Auth Token LLC v. City National Bank, an RBC Company, (S.D.N.Y. 2026).

Opinion

UNITED STATES DISTRICT COURT lip SOUTHERN DISTRICT OF NEW YORK ee a OC #: AUTH TOKEN LLC, TEI NRE | Plaintiff,

-against- 25-cv-3870 (CM) CITY NATIONAL BANK, an RBC Company, Defendant. 2 ca oa TE OPINION AND ORDER McMahon, J.: Plaintiff Auth Token LLC (“Auth Token”) is the assignee of all right, title, and interest in United States Patent No. 8,375,212 (the “*212 Patent”), entitled Method for personalizing an authentication token, which issued on February 12, 2013. Auth Token britigs this action against Defendant City National Bank (“CNB”), alleging direct infrinzennent under 35 U.S.C. § □□□ □□□ and seeking damages under 35 U.S.C. § 284. The ‘212 Patent is directed to methods for securely personglizing an authentication token — such as a smart card — after manufacture, using cryptographic techniques to provision secret data while preventing subsequent re-personalization. For the reasons set forth below, CNB’s motion to dismiss is GRANTED.

I. Background The °212 Patent relates to electronic authentication systems. As described in the specification, autientication systems are used to verify the identity of a user seeking access to a protected service, such as an online account or secure network. Dkt. No, 20-1, at 1:18-22.

The specification explains that, in the art at the time of the invention, many authentication systems relied on single-factor authentication, most commonly a password known to the user. Jd. at 1:23—25. According to the patent, such systems were vulnerable to a wide range of attacks, including interception and observation. /d. The specification further states that, although multi- factor authentication systems existed in the art, many online services continued to rely on passwords because they appeared cheaper to implement, notwithstanding the downstream costs associated with security breaches. /d. at 1:26-29. An authentication token, as described in the ‘212 Patent, is a physical or logical device used as part of a multi-factor authentication system. /d. at 2:6-12. The specification describes authentication tokens as devices capable of storing secret data and performing cryptographic operations. /d. In use, an authentication token interacts with a separate interface device — such as a calculator-like reader or other electronic interface — to generate authentication credentials, including one-time passwords. /d. at 7:63—65; 9:10-12.

A. Prior Art Token Personalization The ‘212 Patent describes prior art approaches to authentication-token personalization and identifies their shortcomings. According to the specification, authentication tokens — particularly smart cards — were commonly programmed with application software and secret data duriag manufacture. /d. at 3:19-24. The patent explains that this required authentication applications to be hardwired into the card’s read-only memory, limiting flexibility and preventing secure personalization after manufacture. Jd. The specification further states that these prior art approaches created several problems. First, because personalization occurred at the manufacturing stage, sensitive cryptographic keys had to be embedded before the card was delivered to the issuing organization or end user, which

the patent characterizes as creating supply-chain security risks. Jd. at 3:28-32. Second, where multiple applications resided on the same card, each application had to trust the others not to read or overwrite its data, which the patent describes as introducing additional security vulnerabilities. Id. The patent also explains that existing systems lacked secure mechanisms for delivering personalized authentication credentials to end users after manufacture, forcing organizations to either embed secrets early or to rely on insecure delivery methods. Jd. at 8:5-19. According to the specification, these limitations contributed to the slow adoption of smart card-based authentication technologies. /d. at 3:51—52.

B. The ‘212 Patent Against this backdrop, the ‘212 Patent discloses methods intended to enable secure post- manufacture personalization of an authentication token through encrypted communications with a personalization device. The specification describes issuing a smart card to a user and subsequently personalizing it using cryptographic protocols designed to ensure the integrity and authenticity of the personalization process. Jd. at 4:13-16. As described in the specification, the approach uses a cryptographic key exchange to establish a secure channel between the personalization device and the authentication token. □□□ at 6:37-40. The patent explains that a transport key is established through a key-exchange protocol and is supplemented by a personalization key to protect against “man-in-the-middle” attacks. Jd. Once the personalization process is complete, the specification states that the authentication token is rendered incapable of re-entering personalization mode. Jd. at 6:15—17. Claim 1, the sole claim of the ‘212 Patent, recites a seven-step method for personalizing an authentication token. Dkt. No. 20-1, 11:4-12:8. The claim requires, among other things, that a

personalization device and authentication token exchange encrypted data, establish an encrypted session using a transport key, transmit an initial seed value and an initial secret key to the token, and store that data on the token such that the token can no longer be re-personalized. /d. The specification explains that the stored seed value and secret key may thereafter be used to facilitate secure interactions between the authentication token and an interface device, including generating one-time passwords or other authentication credentials. /d. at 7:63—65; 9:10—12.

C. Auth Token’s Alleged Theory of Infringement Auth Token’s infringement allegations are set forth in the amended complaint, as supplemented by an attached “claim comparison” chart. Dkt. No. 20 {[ 22-24; Dkt. No. 20-2. Auth Token alleges that CNB issues debit cards equipped with “EMV chips” and that the personalization of those cards practices the method claimed in the ‘212 Patent. Dkt. No. 20-2, at 2-3. According to the claim chart, an EMV chip card constitutes an “authentication token,” and the EMV card personalization process corresponds to the steps recited in Claim 1. /d. The chart asserts that, during EMV personalization, an integrated circuit card enters a personalization mode, exchariges encrypted data with a personalization device, and stores cryptegraphic information on the card. /d. at 6-19. Auth Token contends that these EMV processes correspond to Claim 1’s requirements of encrypting a serial number using a personalization key, validating that key at the authentication token, establishing an encrypted session using a transport key, and securely transmitting and storing secret data on the token. /d. at 12-25. Auth Token alleges, albeit on information and belief, that CNB performs these steps and then infringe:s its patent by issuing EMV cards and by having its employees test and use such cards. Dkt. No. 20 4 22--23; Dkt. No. 20-2, at 6, 9, 12, 19.

CNB disputes these allegations. According to Plaintiff, rather than mapping Claim 1 to what CNB itself does when personalizing debit cards, Plaintiff maps the seven claimed personalization steps onto a generalized industry process — a suggestion, really — that is described in a third-party specification prepared by EMVCo, LLC, an industry consortium. As relevant here, Plaintiff does not plausibly allege that this suggestion reflects CNB’s actual practices, that CNB authored or adopted it, or that CNB was required to follow it when issuing EMV cards. CNB further argues that the ‘212 Patent is directed to patent-ineligible subject matter and is therefore invalid under 35 U.S.C.

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Boykin v. KeyCorp
521 F.3d 202 (Second Circuit, 2008)
Arista Records, LLC v. Doe 3
604 F.3d 110 (Second Circuit, 2010)
Bell Atlantic Corp. v. Twombly
550 U.S. 544 (Supreme Court, 2007)
Ashcroft v. Iqbal
556 U.S. 662 (Supreme Court, 2009)
Ntp, Inc. v. Research in Motion, Ltd.
418 F.3d 1282 (Federal Circuit, 2005)
Faggionato v. Lerner
500 F. Supp. 2d 237 (S.D. New York, 2007)
Radio Corporation of America v. Andrea
90 F.2d 612 (Second Circuit, 1937)
Ericsson, Inc. v. D-Link Systems, Inc.
773 F.3d 1201 (Federal Circuit, 2014)
Akzo Nobel Coatings, Inc. v. Dow Chemical Company
811 F.3d 1334 (Federal Circuit, 2016)
Nalco Company v. Chem-Mod, LLC
883 F.3d 1337 (Federal Circuit, 2018)
Bot M8 LLC v. Sony Corporation of America
4 F.4th 1342 (Federal Circuit, 2021)
TechnoMarine SA v. Giftports, Inc.
758 F.3d 493 (Second Circuit, 2014)
Akamai Technologies, Inc. v. Limelight Networks, Inc.
797 F.3d 1020 (Federal Circuit, 2015)
Soitec, S.A. v. Silicon Genesis Corp.
81 F. App'x 734 (Federal Circuit, 2003)

Cite This Page — Counsel Stack

Bluebook (online)
Auth Token LLC v. City National Bank, an RBC Company, Counsel Stack Legal Research, https://law.counselstack.com/opinion/auth-token-llc-v-city-national-bank-an-rbc-company-nysd-2026.