CosmoKey Gets a Duo-Over – Federal Circuit Panel Reverses Finding of Ineligibility

In CosmoKey Solutions GMBH & Co. KG v. Duo Security LLC, No. 2020-2043 (Fed. Cir. Oct. 4, 2021), the Federal Circuit reversed a finding of ineligibility for claims directed to a computer authentication method.

CosmoKey’s patent is directed to an authentication method that requires a user to activate a timed authentication function on a mobile device to log into a computer. Duo Security moved for judgment on the pleadings. The district court found the claims ineligible under § 101, specifically finding that the claims were directed to the abstract idea of “authentication” at step one of Alice, and that the remaining elements were generic computer functionality at step two.

The Federal Circuit reversed. The majority first stated it was “not convinced” the claims were broadly “directed to” authentication, instead noting the focus of the claims and the specification on the activation of a timed authentication function. Nonetheless, according to the majority, answering this question at step one was “unnecessary” because the claims were eligible at step two for reciting a specific improvement to authentication that “increases security, prevents unauthorized access by a third party, is easily implemented, and can advantageously be carried out with mobile devices of low complexity.”

Judge Reyna concurred in the judgment, but did so by resolving the inquiry at step one, finding the claims directed to a “specific improvement to authentication.” He viewed the majority’s decision to skip step one and resolve the inquiry at step two as “turn[ing] the Alice inquiry on its head.” He noted that, without the step one analysis, it is difficult to determine whether “additional elements transform the nature of the claim into a patent-eligible application” of an abstract idea.

© 2021 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

For more patent litigation, visit the NLR Intellectual Property Law section.

US Government Recommends Office 365 Security Advice including the use of MFA (Multi-Factor Authentication)!

Bleepingcomputer.com reported that the “Cybersecurity and Infrastructure Security Agency (CISA) issued a set of best practices designed to help organizations to mitigate risks and vulnerabilities associated with migrating their email services to Microsoft Office 365.”  The May 13, 2019 report entitled “U.S. Govt Issues Microsoft Office 365 Security Best Practices” included these following examples of Microsoft Office 365 configuration vulnerabilities in its AR19-133A analysis report from CISA:

Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts.

Mailbox auditing disabled: O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in O365 prior to January 2019. Customers who procured their O365 environment before 2019 had to explicitly enable mailbox auditing.

Password sync enabled: Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365. If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs.

Authentication unsupported by legacy protocols: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of protocols associated with Exchange Online authentication that do not support modern authentication methods with MFA features. Taking this step will greatly reduce the attack surface for organizations.

Given the widespread use of Office365 this is critical advice!

 

© 2019 Foley & Lardner LLP
This post was written by Peter Vogel of Foley & Lardner LLP.