Cosmokey Solutions Gmbh & Co. v. Duo Security LLC

15 F.4th 1091

• Court: Court of Appeals for the Federal Circuit
• Decided: October 4, 2021
• Docket: 20-2043
• Status: Published

Opinion

Case: 20-2043 Document: 52 Page: 1 Filed: 10/04/2021

United States Court of Appeals for the Federal Circuit ______________________

COSMOKEY SOLUTIONS GMBH & CO. KG, Plaintiff-Appellant

v.

DUO SECURITY LLC, FKA DUO SECURITY, INC., Defendant-Appellee ______________________

2020-2043 ______________________

Appeal from the United States District Court for the District of Delaware in No. 1:18-cv-01477-CFC, Judge Colm F. Connolly. ______________________

Decided: October 4, 2021 ______________________

SCOTT THOMAS WEINGAERTNER, White & Case LLP, New York, NY, argued for plaintiff-appellant. Also repre- sented by STEFAN MENTZER, GRACE WANG, MATTHEW ROB- ERT WISNIEFF.

MARK A. LEMLEY, Durie Tangri LLP, San Francisco, CA, argued for defendant-appellee. Also represented by BETHANY BENGFORT. ______________________

Before O’MALLEY, REYNA, and STOLL, Circuit Judges. Case: 20-2043 Document: 52 Page: 2 Filed: 10/04/2021

2 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

Opinion for the court filed by Circuit Judge STOLL. Concurring opinion filed by Circuit Judge REYNA. STOLL, Circuit Judge. CosmoKey Solutions GmbH & Co. KG appeals the United States District Court for the District of Delaware’s entry of judgment on the pleadings holding that the as- serted claims of CosmoKey’s U.S. Patent No. 9,246,903 are ineligible under 35 U.S.C. § 101. The district court held that the asserted claims are directed to abstract ideas and fail to provide an inventive concept. We conclude that the claims of the ’903 patent are patent-eligible under Alice step two because they recite a specific improvement to a particular computer-implemented authentication tech- nique. Accordingly, we reverse the decision of the district court. BACKGROUND I The ’903 patent is titled “Authentication Method” and purports to disclose an authentication method that is both low in complexity and high in security. The abstract de- scribes a method of authenticating the identity of a user performing a transaction at a terminal (e.g., a computer), including activating an authentication function on the user’s mobile device. ’903 patent Abstract, col. 2 ll. 35–40. The patent specification recognizes that when a user communicates with a remote transaction partner (e.g., a bank, a store, or a secured database) via a communication channel like the Internet, “it is important to assure that an individual that identifies itself as an authorized user is ac- tually the person it alleges to be.” Id. at col. 1 ll. 15–19. The specification also describes several conventional au- thentication methods involving a user’s mobile phone. Id. at col. 1 ll. 30–46. The specification discloses that by using a user’s mobile device for authentication, the prior art Case: 20-2043 Document: 52 Page: 3 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 3

confirms “that the person carrying the mobile device, e.g., a mobile telephone, is actually present at the location of the terminal from which the transaction has been requested.” Id. at col. 1 ll. 47–50. “Thus, as long as the user is in control of his mobile device, the authentication method assures that no third party can fake the identification data of this user and perform any transactions in his place.” Id. at col. 1 ll. 50–53. The specification purports to improve on these conven- tional mobile phone authentication methods in that, ac- cording to the invention, the “authentication function is normally inactive and is activated by the user only prelim- inarily for the transaction, said response from the second communication channel includes the information that the authentication is active, and the authentication function is automatically deactivated.” Id. at col. 1 ll. 58–63. The specification explains the advantages of this method as fol- lows: “In this method, the complexity of the authentication function can be reduced significantly” because all that is required “from the authentication function is to permit the authentication device to detect whether or not this function is active[,]” and “the only activity that is required from the user for authentication purposes is to activate the authen- tication function [within] a suitable timing.” Id. at col. 1 l. 64–col. 2 l. 3. The specification explains that there is a “predetermined time relation” in that “the authentication function is activated within a certain (preferably short) time window after the transmission of the user identifica- tion.” Id. at col. 2 ll. 8–14. The specification also touts the enhanced security provided by this method: Since the authentication function is normally inac- tive, the authentication will almost certainly fail when a third party fraudulently identifies itself as the user in order to initiate a transaction. Then, the authentication would be successful only in the very unlikely event that the true user happens to activate the authentication function of his mobile Case: 20-2043 Document: 52 Page: 4 Filed: 10/04/2021

4 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

device just in the right moment. Even in this un- likely case the fraud could be detected . . . . Thus, notwithstanding the low complexity, the method according to the invention offers a high level of se- curity. Id. at col. 2 ll. 15–32. The specification thus explains that the claimed inven- tion “provide[s] an authentication method that is easy to handle and can be carried out with mobile devices of low complexity.” Id. at col. 1 ll. 54–56. The specification elab- orates that “[i]t is a particular advantage of the invention that the mobile device does not have to have any specific hardware for capturing or outputting information.” Id. at col. 2 ll. 44–46. According to the specification, the mobile device need only be capable of being activated for a certain period of time and connecting to a mobile network where it has an address that is linked to the identification data of the user. Id. at col. 2 ll. 46–50. Then, the authentication device must be “capable of checking whether the authenti- cation function of the mobile device with the associated ad- dress is active.” Id. at col. 2 ll. 50–54. Thus, instead of requiring the user to input multiple authentication factors using multiple communication channels, the user’s identity is verified by transmitting the user identification via a first communication channel and checking via a second communication channel that an au- thentication function is activated in the user’s mobile de- vice. Id. at col. 1 ll. 3–9. Checking for an activated authentication function replaces the manual entry of infor- mation for an authentication factor by the user. For exam- ple, the user may activate the authentication function by activating their mobile device, id. at col. 2 ll. 56–60, or by activating an application on a mobile device, see id. at col. 6 ll. 59–62. Claim 1 is the sole independent claim of the ’903 patent and recites: Case: 20-2043 Document: 52 Page: 5 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 5

1. A method of authenticating a user to a transac- tion at a terminal, comprising the steps of: transmitting a user identification from the termi- nal to a transaction partner via a first communica- tion channel, providing an authentication step in which an au- thentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user, as a criterion for deciding whether the authentica- tion to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a re- sponse from the second communication channel, ensuring that the authentication function is nor- mally inactive and is activated by the user only pre- liminarily for the transaction, ensuring that said response from the second com- munication channel includes information that the authentication function is active, and thereafter ensuring that the authentication func- tion is automatically deactivated. Id. at col. 10 ll. 39–60. II In September 2018, CosmoKey sued Duo Security, Inc. 1 for infringement of the ’903 patent. In October 2019, Duo moved for judgment on the pleadings pursuant to Rule 12(c) of the Federal Rules of Civil Procedure, arguing that

1 Duo Security LLC was known as Duo Security, Inc. at the time of filing. Case: 20-2043 Document: 52 Page: 6 Filed: 10/04/2021

6 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

all claims of the ’903 patent are ineligible under 35 U.S.C. § 101 as the claims are directed to the abstract idea of authentication and do not recite any patent-eligible inventive concept. The district court granted Duo’s motion on June 24, 2020. Money & Data Protection Lizenz GmpH & Co. KG, v. Duo Security, Inc., 468 F. Supp. 3d 674 (D. Del. 2020) (Judgment Op.). 2 At step one of the Alice two-step framework for deter- mining patent eligibility, the district court agreed with Duo that the claims of the ’903 patent “are directed to the ab- stract idea of authentication—that is, the verification of identity to permit access to transactions.” Id. at 677; see Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 217 (2014). The district court reasoned that the “[’]903 patent is not materially different from the patent at issue in Prism Tech[nologies] LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017),” where we determined that the pa- tent claims were invalid because they were “directed to the abstract idea of ‘providing restricted access to resources.’” Judgment Op., 468 F. Supp. 3d at 677 (citation omitted). The district court determined that, “[g]iven the similarities between the abstract processes in the [’]903 patent and the patent in Prism, I find that the claims at issue here are directed to the abstract idea of verifying identity to permit access to transactions.” Id. at 678. At Alice step two, the district court concluded that “the [’]903 patent merely teaches generic computer functional- ity to perform the abstract concept of authentication; and it therefore fails Alice’s step two inquiry.” Id. at 678. In so holding, the district court determined that the patent itself admits that “the detection of an authentication function’s activity and the activation by users of an authentication

2 CosmoKey was known as Money and Data Protec- tion Lizenz GmbH & Co. KG at the time it filed its original complaint. Case: 20-2043 Document: 52 Page: 7 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 7

function within a pre-determined time relation were well- understood and routine, conventional activities previously known in the authentication technology field.” Id. at 679 (citing ’903 patent col. 1 ll. 15–53). CosmoKey appeals the district court’s judgment. We have jurisdiction under 28 U.S.C. § 1295(a)(1). DISCUSSION We apply regional circuit law when reviewing a district court’s judgment on the pleadings. Koninklijke KPN N.V. v. Gemalto M2M GmbH, 942 F.3d 1143, 1149 (Fed. Cir. 2019). Applying Third Circuit law, we review the district court’s grant of Duo’s motion for judgment on the pleadings de novo, accepting as true all facts pleaded by CosmoKey and drawing all reasonable inferences in favor of CosmoKey. Allstate Prop. & Cas. Ins. Co. v. Squires, 667 F.3d 388, 390 (3d Cir. 2012). Patent eligibility under § 101 is a question of law that may contain underlying questions of fact. Interval Licens- ing LLC v. AOL, Inc., 896 F.3d 1335, 1342 (Fed. Cir. 2018) (citing Berkheimer v. HP Inc., 881 F.3d 1360, 1365 (Fed. Cir. 2018)). We review a district court’s ultimate con- clusion on patent eligibility de novo. Id. We have held that “[p]atent eligibility can be determined on the pleadings un- der Rule 12(c) when there are no factual allegations that, when taken as true, prevent resolving the eligibility ques- tion as a matter of law.” Data Engine Techs. LLC v. Google LLC, 906 F.3d 999, 1007 (Fed. Cir. 2018). Section 101 defines patent-eligible subject matter as “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.” 35 U.S.C. § 101. The Supreme Court established a two-step test for examining patent eligibility under § 101 in Alice. First, we “determine whether the claims at issue are directed to a patent-ineligible concept[,]” such as an ab- stract idea. Alice, 573 U.S. at 218. If so, we proceed to step Case: 20-2043 Document: 52 Page: 8 Filed: 10/04/2021

8 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

two and “consider the elements of each claim both individ- ually and ‘as an ordered combination’ to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 78–79 (2012)). Step two is “a search for an ‘inventive concept’—i.e., an element or combination of ele- ments that is ‘sufficient to ensure that the patent in prac- tice amounts to significantly more than a patent upon the [ineligible concept] itself.’” Alice, 573 U.S. at 217–18 (al- teration in original) (quoting Mayo, 566 U.S. at 72–73). I As the district court noted, this court has previously considered the eligibility of various claims generally di- rected to authentication and verification under § 101 and found those claims abstract. For example, in Prism, the case cited by the district court, we held that the claims at issue were directed to the abstract idea of “providing re- stricted access to resources” because the claims did not cover a “concrete, specific solution.” 696 F. App’x at 1017. Rather, the claims recited generic steps typical of any con- ventional process for restricting access, including such pro- cesses that predated computers. In particular, the claims recited “receiving” a user identity, “authenticating” the user identity, “authorizing” the user, and “permitting ac- cess” to the user. Id. at 1016. At step two, we determined that the asserted claims recited conventional generic com- puter components employed in a customary manner such that they were insufficient to transform the abstract idea into a patent-eligible invention. Id. at 1017–18. More recently, in Universal Secure Registry LLC v. Ap- ple, Inc., 10 F.4th 1342 (Fed. Cir. 2021), we held that the patent claims were directed to the abstract idea of combin- ing multiple conventional authentication techniques for verifying the identity of a user to facilitate a financial transaction. The patent specifications disclosed that Case: 20-2043 Document: 52 Page: 9 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 9

biometric authentication, multi-factor authentication, and using multiple devices to authenticate were all conven- tional authentication techniques. The claims, then, were simply directed to combining these long-standing, well- known authentication techniques to achieve the expected result of increased security no greater than the sum of the security provided by each technique alone. Under Alice step two, we held that these claims did not recite an in- ventive concept because the combination of long-standing conventional methods of authentication yielded expected results of an additive increase in security, and nothing in the record suggested an additional technological improve- ment. In contrast, we have held claims directed to specific verification methods that depart from earlier approaches and improve computer technology eligible under § 101. In Ancora Technologies Inc. v. HTC America, Inc., we held that claims directed to storing a verification structure in computer memory were directed to a specific non-abstract computer-functionality improvement addressing the “vul- nerability of license-authorization software to hacking.” 908 F.3d 1343, 1348–49 (Fed. Cir. 2018). We explained that “[i]mproving security . . . can be a non-abstract com- puter-functionality improvement if done by a specific tech- nique that departs from earlier approaches to solve a specific computer problem.” Id. at 1349 (citing Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299, 1304–05 (Fed. Cir. 2008)). We further explained the claims “yield[ed] a tangi- ble technological benefit” in making the system less sus- ceptible to hacking by altering how the verification is performed. Id. at 1350. II Under Alice step one, we consider “what the patent as- serts to be the ‘focus of the claimed advance over the prior art.’” Solutran, Inc. v. Elavon, Inc., 931 F.3d 1161, 1168 (Fed. Cir. 2019) (quoting Affinity Labs of Tex., LLC Case: 20-2043 Document: 52 Page: 10 Filed: 10/04/2021

10 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

v. DIRECTV, LLC, 838 F.3d 1253, 1257 (Fed. Cir. 2016)). The district court held that the claims “are directed to the abstract idea of authentication—that is, the verification of identity to permit access to transactions.” Judgment Op., 468 F. Supp. 3d at 677. We are not convinced that this broad characterization of the focus of the claimed advance is correct. Rather, the claims and written description sug- gest that the focus of the claimed advance is activation of the authentication function, communication of the activa- tion within a predetermined time, and automatic deactiva- tion of the authentication function, such that the invention provides enhanced security and low complexity with mini- mal user input. The critical question then is whether this correct characterization of what the claims are directed to is either an abstract idea or a specific improvement in com- puter verification and authentication techniques. Ancora, 908 F.3d at 1347. We need not answer this question, however, because even if we accept the district court’s narrow characteriza- tion of the ’903 patent claims, the claims satisfy Alice step two. See Amdocs (Israel) Ltd. v. Openet Telecom, Inc., 841 F.3d 1288, 1303 (Fed. Cir. 2016) (explaining that “even if [the claim] were directed to an abstract idea under step one, the claim is eligible under step two”). 3 Turning then to Alice step two, we “consider the ele- ments of each claim both individually and ‘as an ordered combination’ to determine whether the additional elements ‘transform the nature of the claim’ into a patent-eligible ap- plication.” Alice, 573 U.S. at 217 (quoting Mayo, 566 U.S. at 77–78). In computer-implemented inventions, the

3 Judge Reyna’s concurrence challenges our ap- proach of accepting the district court’s analysis under Alice step one and resolving the case under Alice step two. Judge Reyna Concurrence at 1. We note that this very approach was followed in Amdocs, 841 F.3d at 1303. Case: 20-2043 Document: 52 Page: 11 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 11

computer must perform more than “well-understood, rou- tine, conventional activities previously known to the indus- try.” Id. at 223 (quoting Mayo, 566 U.S. at 73 (internal quotation marks and brackets omitted)). In addition, “[a]n inventive concept that transforms the abstract idea into a patent-eligible invention must be significantly more than the abstract idea itself, and cannot simply be an instruction to implement or apply the abstract idea on a computer.” BASCOM Glob. Internet Servs., Inc. v. AT&T Mobility LLC, 827 F.3d 1341, 1349 (Fed. Cir. 2016) (citing Alice, 573 U.S. at 222–23). The district court held that the ’903 patent failed at step two because it “merely teaches generic computer func- tionality to perform the abstract concept of authentica- tion[.]” Judgment Op., 468 F. Supp. 3d at 678. The court recognized that the specification indicates that the “differ- ence between [the] prior art methods and the claimed in- vention is that the [’]903 patent’s method ‘can be carried out with mobile devices of low complexity’ so that ‘all that has to be required from the authentication device function is to detect whether or not this function is active’” and that “the only activity that is required from the user for authen- tication purposes is to activate the authentication function at a suitable timing for the transaction.” Id. at 678–79 (quoting ’903 patent col. 1 l. 55–col. 2 l. 3). But the court cited column 1, lines 15–53 of the specification as purport- edly admitting that detection of activation of an authenti- cation function’s activity and the activation by users of an authentication function within a pre-determined time rela- tion were “well-understood and routine, conventional activ- ities previously known in the authentication technology field.” Judgment Op., 468 F. Supp. 3d at 679. We disagree with the district court’s analysis and con- clusion. The ’903 patent claims and specification recite a specific improvement to authentication that increases se- curity, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out Case: 20-2043 Document: 52 Page: 12 Filed: 10/04/2021

12 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

with mobile devices of low complexity. See ’903 patent col. 2 ll. 15–32. Contrary to the district court’s conclusion, the ’903 patent discloses a technical solution to a security problem in networks and computers. While authentication of a user’s identity using two communication channels and a mobile phone was known at the time of the invention, nothing in the specification or anywhere else in the record supports the district court’s suggestion that the last four claim steps—including (1) “as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel”; (2) “ensuring that the authentication function is normally inactive and is acti- vated by the user only preliminarily for the transaction”; followed by (3) “ensuring that said response from the sec- ond communication channel includes information that the authentication function is active”; and (4) “thereafter en- suring that the authentication function is automatically deactivated,” id. at col. 10 ll. 45–55—are conventional. The district court’s reliance on column 1, lines 15–53 as allegedly admitting that these steps were routine or con- ventional is misplaced. While column 1, lines 30–46 de- scribes three prior art references, none teach the recited claim steps. To the contrary, the specification describes the prior art references as disclosing: (1) sending a prompt to a user to confirm the transaction followed by the user’s mo- bile device sending a confirmation signal; (2) using a user’s mobile device for activating and deactivating a credit card; and (3) sending a token to the user’s terminal from which a transaction has been requested followed by the user’s mo- bile device capturing the image and sending it back to the authentication device via a second communication channel. Id. at col. 1 ll. 30–46. Read in context, the rest of the pas- sage cited by the district court makes clear that the claimed steps were developed by the inventors, are not admitted Case: 20-2043 Document: 52 Page: 13 Filed: 10/04/2021

COSMOKEY SOLSUTIONS GMBH & CO. v. DUO SECURITY LLC 13

prior art, and yield certain advantages over the described prior art. The district court erred in its interpretation of this passage. This is particularly so given the procedural posture of Duo’s motion for judgment under Rule 12(c), which requires the district court to draw all reasonable in- ferences in favor of CosmoKey. Allstate, 667 F.3d at 390. Indeed, the patent specification describes how the par- ticular arrangement of steps in claim 1 provides a technical improvement over conventional authentication methods. Specifically, the specification emphasizes the inventive na- ture of these steps, explaining that “the complexity of the authentication function can be reduced significantly” be- cause “the only activity that is required from the user for authentication purposes is to activate the authentication function at a suitable timing for the transaction.” Id. at col. 1 l. 64–col. 2 l. 3. Continuing, the specification ex- plains that compared to the prior art and conventional mul- tifactor authentication systems, the ’903 patent performs user authentication with fewer resources, less user inter- action, and simpler devices. Id. at col. 1 ll. 54–56 (“It is an object of the invention to provide an authentication method that is easy to handle and can be carried out with mobile devices of low complexity.”). Duo argues that using a second communication chan- nel in a timing mechanism and an authentication function that is normally inactive, activated only preliminarily, and automatically deactivated is itself an abstract idea and thus cannot contribute to an inventive concept. Appellee’s Br. 21. Duo asserts that these limitations “are far from concrete.” Id. In addition, Duo cites ChargePoint, Inc. v. SemaConnect, Inc., 920 F.3d 759, 764 (Fed. Cir. 2019), where our court held claims directed to network-controlled charging stations for electric vehicles abstract, including a dependent claim reciting a component “that can activate or deactivate charging at the connection.” We disagree. Case: 20-2043 Document: 52 Page: 14 Filed: 10/04/2021

14 COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC

While prior cases can be helpful in analyzing eligibility, whether particular claim limitations are abstract or, as an ordered combination, involve an inventive concept that transforms the claim into patent eligible subject matter, must be decided on a case-by-case basis in light of the par- ticular claim limitations, patent specification, and inven- tion at issue. Here, the claim limitations are more specific and recite an improved method for overcoming hacking by ensuring that the authentication function is normally inac- tive, activating only for a transaction, communicating the activation within a certain time window, and thereafter en- suring that the authentication function is automatically deactivated. The specification explains that these features in combination with the other elements of the claim consti- tute an improvement that increases computer and network security, prevents a third party from fraudulently identify- ing itself as the user, and is easy to implement and can be carried out even with mobile devices of low complexity. ’903 patent col. 2 ll. 15–32. We recognized in Ancora that improving computer or network security can constitute “a non-abstract computer-functionality improvement if done by a specific technique that departs from earlier ap- proaches to solve a specific computer problem.” 908 F.3d at 1349. Here, as the specification itself makes clear, the claims recite an inventive concept by requiring a specific set of ordered steps that go beyond the abstract idea iden- tified by the district court and improve upon the prior art by providing a simple method that yields higher security. CONCLUSION For the reasons set forth above, we reverse the district court’s judgment that the asserted claims of the ’903 patent are ineligible under § 101. REVERSED Case: 20-2043 Document: 52 Page: 15 Filed: 10/04/2021

United States Court of Appeals for the Federal Circuit ______________________

DUO SECURITY LLC, FKA DUO SECURITY, INC., Defendant-Appellee ______________________

Appeal from the United States District Court for the District of Delaware in No. 1:18-cv-01477-CFC, Judge Colm F. Connolly. ______________________

REYNA, Circuit Judge, concurring. I concur with the majority decision to reverse the dis- trict court’s judgment that the ’903 Patent is patent ineli- gible under 35 U.S.C. § 101. I conclude that, under Alice step one, the subject claims are directed to patent-eligible subject matter. I do not agree, however, with the majority’s analysis or its application of law. In sum, the majority skips step one of the Alice inquiry and bases its decision on what it claims is step two. I believe this approach is extraordinary and contrary to Supreme Court precedent. It turns the Alice inquiry on its head. Case: 20-2043 Document: 52 Page: 16 Filed: 10/04/2021

Our case law, as governed by Supreme Court prece- dent, is clear: whether a patent satisfies the subject-matter eligibility requirement of § 101 involves a two-step inquiry. Alice Corp. Pty. Ltd. v. CLS Bank Int’l, 573 U.S. 208, 217 (2014). I find nothing in Alice that provides for skipping the first step or for conflating the two steps into one. Nor does the majority cite any authority that specifically per- mits skipping step one. The Alice inquiry should be viewed as a loose filter that prevents the patenting of abstract ideas, lest free thinking itself become a form of chattel. There should be no exclu- sivity to abstractness under the law. Of course, preemption is a primary underlying concern, but so are the concepts of inventiveness and innovation. To this end, step one serves several important purposes, chief among them being that a patent must lay bare that which is claimed. To echo Judge Rich’s declaration: “[T]he name of the game is the claim.” Giles S. Rich, Extent of Protection and Interpreta- tion of Claims—American Perspectives, 21 Int’l Rev. of In- dus. Prop. & Copyright L. 497, 499 (1990)). In terms of Alice, step one is about the claim. At step one, we examine whether the claim is directed to patent-ineligible subject matter. Among other things, this examination permits us to distinguish between claims that recite mere concepts, functions or results (abstract ideas) from those that, through claimed limitations, chart the specific means for achieving such concepts, functions or results. Ancora Techs., Inc. v. HTC Am., Inc., 908 F.3d 1343, 1347 (Fed. Cir. 2018). As a result, our case law has developed specific circumstances that help guide the ques- tion of abstraction. See id. at 1347–48 (collecting cases). For example, generally, if a claim is directed to a specific technological solution to a technological problem, it is not directed to an abstract idea. See Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1336 (Fed. Cir. 2016). Case: 20-2043 Document: 52 Page: 17 Filed: 10/04/2021

COSMOKEY SOLUTIONS GMBH & CO. v. DUO SECURITY LLC 3

Our precedent is clear that once a claim is deemed not directed to an abstract idea, the Alice inquiry ends. We do not proceed to step two. Core Wireless Licensing S.A.R.L. v. LG Elecs., Inc., 880 F.3d 1356, 1361 (Fed. Cir. 2018) (“If the claims are directed to a patent-eligible concept, the claims satisfy § 101 and we need not proceed to the second step.”); see also McRO, Inc. v. Bandai Namco Games Am., Inc., 837 F.3d 1299, 1312 (Fed. Cir. 2016). In other words, step two does not operate independently of step one. Step two comes into play only when a claim has been found to be directed to patent-ineligible subject matter. The “di- rected to” examination is only in step one, and not step two. Step two is a lifeline. The step two inquiry recognizes that the claim has been struck down as ineligible. In sim- plistic terms, the question becomes whether there is any reason to save the claim on the basis of whether additional elements of the claim, considered individually and as an ordered combination, transform the nature of the claim into a patent-eligible application of the abstract idea. Con- tent Extraction & Transmission LLC v. Wells Fargo Bank, Nat’l Ass’n, 776 F.3d 1343, 1347 (Fed. Cir. 2014) (citing Al- ice, 573 U.S. at 217). Step two is rendered superfluous and unworkable with- out step one. Without the benefit of a step-one analysis, we are hobbled at step two in reasonably determining whether additional elements transform the nature of the claim into a patent-eligible application of the abstract idea. And by skipping step one, we create a risk that claims that are not directed to an abstract idea might be deemed to “fail” at step two. Employing step one, I conclude that the claims at issue are directed to patent-eligible subject matter. I agree with my colleagues that “[t]he ’903 Patent claims and specifica- tion recite a specific improvement to authentication that in- creases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be Case: 20-2043 Document: 52 Page: 18 Filed: 10/04/2021

carried out with mobile devices of low complexity.” Major- ity Op. 11-12 (emphasis added). But this is a step-one ra- tionale. See Enfish, 822 F.3d at 1336 (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims is on the specific asserted improvement in computer capabilities . . . or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”); McRO, 837 F.3d at 1314 (“It is the incorpora- tion of the claimed rules, not the use of the computer, that improved the existing technological process . . . .” (internal quotation marks omitted)). We should not lose sight, as my colleagues have in this case, that the “question of abstraction is whether the claim is ‘directed to’ the abstract idea itself.” Data Engine Techs. LLC v. Google LLC, 906 F.3d 999, 1011 (Fed. Cir. 2018).