Microsoft Sued Over PhoneFactor Authentication

Microsoft and its PhoneFactor unit have been hit with a patent-infringement lawsuit from a little-known company

Microsoft has been slapped with a patent-infringement lawsuit by Edison, New Jersey-based StrikeForce Technologies.

StrikeForce claims to own a fundamental patent on using out-of-band communications for user authentication – for example, using a smartphone to securely confirm a user’s intent to log into a website.

Patent Lawsuit

On 28 March, the firm filed a lawsuit against Microsoft and its recently acquired PhoneFactor subsidiary, claiming the company and two financial clients – Fiserv Inc and First Midwest Bancorp Inc – infringed its patent.

Ram Pemmaraju, now the company’s chief technology officer, applied for a patent in 2004 for his “Multichannel Device Utilizing A Centralized Out-of-Band Authentication System (COBAS),” which was granted in January 2011 and assigned US Patent No. 7,870,599.

“We have filed today our first lawsuit designed to protect this critical StrikeForce asset, which is definitely increasing in importance with consistently troubling news about cyber-attacks and cyber thefts,” Mark Kay, the firm’s CEO, said in a statement.

Out-of-band authentication is increasingly used to protect the online accounts of both workers and consumers, strengthening security by ensuring that a user not only knows the account password but also has access to a second factor: a previously registered phone or other communications device.

While some schemes – such as one-time passwords and security codes sent through text messaging – improve security, they can be circumvented by an attacker who controls the victim’s browser, because the attacker can change transactions on the fly while the verification code stays the same.

Such man-in-the-browser attacks will not defeat out-of-band authentication, however.

Mangy Mutt

The company, whose common stock trades over the counter at less than a penny and whose market capitalisation falls short of $3 million (£2m), has not gotten a lot of respect from the security industry.

“We literally went out to a bunch of people and told them we had the patent and they treated us like a dirty old mangy mutt,” George Waller, StrikeForce’s director of marketing, told eWEEK in a March interview.

The lawsuit is not the first time that PhoneFactor has had to fight claims of infringement. Authentify, which has four patents covering various aspects of out-of-band authentication, filed suit against PhoneFactor and settled with the company in August 2012. Authentify remained unfazed by StrikeForce Technologies’ claims.

“Authentify’s own patents and the claims contained therein have survived challenges in the past,” John Zurawski, vice president of marketing for Authentify, said in an email to eWEEK. “We began deploying applications in 2001 and some of our patent applications were filed prior to then. As our solutions are based on what’s contained in our own patents, we don’t anticipate much of an impact.”

PhoneFactor directed all questions regarding the lawsuit to Microsoft, its parent company, which declined to comment. Two other firms that have two-factor security solutions also declined to comment. Speaking anonymously, one firm’s executive said they believed StrikeForce’s claims to be limited in scope. In an email to eWEEK, StrikeForce rebutted that characterisation.

StrikeForce has retained Blank Rome LLP to represent them in the litigation.

Originally published on eWeek.