T 1777/15 (Dynamic multifactor authentication/ONESPAN) of 31.10.2018

European Case Law Identifier: ECLI:EP:BA:2018:T177715.20181031
Date of decision: 31 October 2018
Case number: T 1777/15
Application number: 06820602.8
IPC class: H04W 12/06
H04L 29/06
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: System and method for dynamic multifactor authentication
Applicant name: OneSpan International GmbH
Opponent name: Kobil Systems GmbH
Gemalto SA
Molnia, David
Board: 3.5.03
Headnote: -
Relevant legal provisions:
European Patent Convention Art 54
European Patent Convention Art 56
European Patent Convention Art 104
European Patent Convention Art 111(1)
European Patent Convention R 88
Rules of procedure of the Boards of Appeal Art 12(4)
Keywords: Novelty - main request (no)
Inventive step - auxiliary requests 1 to 3 (no)
Admissibility - auxiliary request 4 (yes)
Remittal to the department of first instance
Decision on costs (no)
Catchwords:

-

Cited decisions:
G 0007/93
T 2415/13
Citing decisions:
-

Summary of Facts and Submissions

I. The present appeal arises from the decision of the opposition division posted on 13 July 2015 concerning the revocation of European patent No. 1 969 880.

II. The patent proprietor (appellant) filed an appeal and requested that the decision under appeal be set aside and that the oppositions be rejected (main request) or, in the alternative, that the patent be maintained in amended form on the basis of the claims of one of auxiliary requests 1 to 3 as filed with the statement of grounds of appeal, which correspond to auxiliary requests 1, 3 and 5, respectively, as decided on by the opposition division. Further, it requested that the case be remitted to the department of first instance for further prosecution on the basis of auxiliary request 4, or, in the alternative, that the patent be maintained in amended form on the basis of the claims of this auxiliary request 4, filed with the statement of grounds of appeal. Oral proceedings were conditionally requested.

Opponent I (Kobil Systems GmbH, now respondent I) requested that the appeal be dismissed. Oral proceedings were conditionally requested.

Opponent II (Gemalto SA, now respondent II) requested that the appeal be dismissed. Oral proceedings were conditionally requested.

Opponent III (David Molnia, now respondent III) requested that the appeal be dismissed.

III. The following documents are relevant for this decision:

D2: WO 2005/001618 A2;

D5: US 2004/0148510 A1;

D7: EP 1 102 157 A1; and

D16: WO 2005/116909 A1.

IV. In a communication pursuant to Article 15(1) RPBA accompanying a summons to oral proceedings, the board gave its preliminary opinion and indicated topics for discussion during the scheduled oral proceedings.

V. During the oral proceedings before the board, the parties confirmed their previous requests (see point II). Respondent II further requested that, in case of a remittal, the costs it would incur in connection with the further prosecution before the first instance and any subsequent appeal proceedings be paid by the appellant.

After deliberation, the chairman announced the board's decision.

VI. Claim 1 of the main request reads, using numeration as introduced by respondent I, as follows:

1. A method of authenticating a user (1), the method comprising the steps of:

2. sending an authentication request to a remote authentication device (3);

3. generating a first piece of authentication information;

4. generating, within the mobile device of the user, a second piece of authentication information which is at least partially based on the received first piece of authentication information;

5. sending the second piece of authentication information to the remote authentication device;

6. validating the second piece of authentication information; and,

7. if the second piece of authentication information is successfully validated, generating an authentication signal;

8. wherein the first piece of authentication information is received at the mobile device (2) from an access terminal (4);

characterised in that:

9. the first piece of authentication information is presented as an image on a display means of the access terminal (4) and captured therefrom using an optical acquiring means of the mobile device (2); and

10. the first piece of authentication information contains transactional information related to a transaction which the user (1) wishes to make.

Claim 1 of auxiliary request 1 includes, compared with claim 1 of the main request, the following additional feature:

"the authentication request comprises personal information of the user (1) and transactional information related to a transaction which the user (1) wishes to make",

with corresponding adaptations in the claim. Further, "an optical acquiring means" has been replaced by "a digital camera".

Claim 1 of auxiliary request 2 includes, compared with claim 1 of auxiliary request 1, the following additional feature:

"the second piece of authentication information comprises a signature over a message contained in the first piece of authentication information, wherein the message contained in the first piece of authentication information is displayed to the user, and the signature is generated if the transaction is accepted by the user".

Claim 1 of auxiliary request 3 includes, compared with claim 1 of auxiliary request 2, the following additional wording, wherein the last part defines two alternatives:

"wherein the step of generating the second piece of authentication information is done using the International Mobile Equipment Identity, IMEI, information relating to the Subscriber Identity Module, SIM, or any other information specific to the mobile device (2) of the user (1);

wherein the step of sending the second piece of authentication information to the remote authentication device is done by the mobile device; and

wherein the step of validating the second piece of authentication information comprises:

- receiving information relating to the location of the mobile device (2); and

- validating the second piece of authentication information only if the information relating to the location of the mobile device indicates that the mobile device is in a predetermined location;

or comprises:

- receiving information relating to the location of the mobile device (2);

- receiving information relating to the location of the access terminal (4);

- comparing the location of the mobile device with the location of the access terminal; and

- validating the second piece of authentication information only if the location of the mobile device matches the location of the access terminal".

Claim 1 of auxiliary request 4 is identical to claim 1 of auxiliary request 3, except that it does not include the first alternative, i.e.:

- receiving information relating to the location of the mobile device (2); and

- validating the second piece of authentication information only if the information relating to the location of the mobile device indicates that the mobile device is in a predetermined location.
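To make the claimed flow concrete, the following is an added toy model of the method of auxiliary request 4 (the claim set the case is remitted on). It is constructed for this page and is not code from the patent, the proprietor or any party. It assumes: the "image" is a plain black/white binary matrix rather than a specific barcode format; the device-specific information used for signing is an IMEI from which a key is derived and shared with the server at an assumed enrolment step; the signature is an HMAC-SHA256 over the canonical challenge; and the mobile device's location reaches the server from an independent source (e.g. the network operator) rather than being self-reported by the device, since a self-reported location would be attacker-controlled and would add no security. All identifiers, the terminal, the user and the transaction text are constructed sample data.

```python
"""Toy model of the claimed flow: the remote authentication device (3) renders a
challenge carrying personal and transactional information as a black/white bitmap on
the access terminal (4); the mobile device (2) captures it optically, displays the
transaction to the user, signs it with a device-bound key if the user accepts, and the
server validates the signature and checks that the mobile device is where the access
terminal is.  Constructed example, not the patent's own code."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets


# --- optical channel: bytes <-> binary matrix of black (1) / white (0) cells ----------
def encode_bitmap(data: bytes, width: int = 32) -> list[list[int]]:
    """Length-prefixed payload laid out in rows of `width` cells (what the terminal shows)."""
    payload = len(data).to_bytes(2, "big") + data
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    bits += [0] * (-len(bits) % width)  # pad the last row with white cells
    return [bits[r:r + width] for r in range(0, len(bits), width)]


def decode_bitmap(rows: list[list[int]]) -> bytes:
    """What the mobile device's camera recovers from the displayed matrix."""
    bits = [cell for row in rows for cell in row]
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


def canonical(challenge: dict) -> bytes:
    """Both sides sign/verify the same byte string: sorted keys, no whitespace."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def same_place(a: tuple[float, float], b: tuple[float, float], tol: float = 0.01) -> bool:
    """Crude lat/lon match; a real deployment would use the operator's cell data (assumption)."""
    return abs(a[0] - b[0]) <= tol and abs(a[1] - b[1]) <= tol


class AuthServer:
    """Remote authentication device (3): issues challenges, validates signed responses."""

    def __init__(self, terminal_locations: dict[str, tuple[float, float]]):
        self.terminal_locations = terminal_locations
        self.device_keys: dict[str, bytes] = {}  # IMEI -> key shared at (assumed) enrolment
        self.pending: dict[str, dict] = {}  # nonce -> outstanding challenge

    def enrol(self, imei: str, key: bytes) -> None:
        self.device_keys[imei] = key

    def create_challenge(self, user: str, transaction: str, terminal_id: str,
                         nonce: str | None = None) -> list[list[int]]:
        """First piece of authentication information: personal + transactional data, as a bitmap."""
        challenge = {"nonce": nonce or secrets.token_hex(8), "user": user,
                     "tx": transaction, "terminal": terminal_id}
        self.pending[challenge["nonce"]] = challenge
        return encode_bitmap(canonical(challenge))

    def validate(self, response: dict, mobile_location: tuple[float, float]) -> tuple[bool, str]:
        """Second piece of authentication information is accepted only if the signature is
        right and the mobile device's (independently reported) location matches the terminal."""
        challenge = self.pending.pop(response.get("nonce"), None)  # single use: blocks replay
        if challenge is None:
            return False, "unknown or replayed challenge"
        key = self.device_keys.get(response.get("imei"))
        if key is None:
            return False, "unenrolled device"
        expected = hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("sig", "")):
            return False, "bad signature"
        if not same_place(self.terminal_locations[challenge["terminal"]], mobile_location):
            return False, "mobile device not at access terminal"
        return True, "authenticated"  # the authentication signal


class MobileDevice:
    """Mobile device (2) of the user: camera, display, device-bound signing key."""

    def __init__(self, imei: str):
        self.imei = imei
        # Key derived from device-specific information (the IMEI); an assumption of this toy.
        self.key = hashlib.sha256(b"device-binding|" + imei.encode()).digest()

    def capture_and_sign(self, rows: list[list[int]], user_accepts) -> dict | None:
        challenge = json.loads(decode_bitmap(rows))
        shown = f"{challenge['user']}: {challenge['tx']} at {challenge['terminal']}"
        if not user_accepts(shown):  # message displayed; signature only on acceptance
            return None
        sig = hmac.new(self.key, canonical(challenge), hashlib.sha256).hexdigest()
        return {"imei": self.imei, "nonce": challenge["nonce"], "sig": sig}


def run_demo(mobile_location=(52.5200, 13.4050), accept=True, nonce="a1b2c3d4") -> tuple[bool, str]:
    """One full exchange with constructed data; returns the server's verdict."""
    server = AuthServer({"ATM-17": (52.5200, 13.4050)})
    phone = MobileDevice("490154203237518")  # constructed IMEI
    server.enrol(phone.imei, phone.key)
    rows = server.create_challenge("alice", "transfer 100 EUR to account 5678", "ATM-17", nonce)
    response = phone.capture_and_sign(rows, lambda shown: accept)
    if response is None:
        return False, "user rejected transaction"
    return server.validate(response, mobile_location)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(accept=False))
    print(run_demo(mobile_location=(48.1374, 11.5755)))
```

The nonce makes each challenge single-use, so a captured response cannot be replayed, and the transaction text is inside the signed message, so a terminal that shows the user one amount while sending another cannot obtain a valid signature for the altered one. The location check is only as strong as the source of the location data, which is why it is modelled as a separate server input.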

Reasons for the Decision

1. Main request: novelty (Articles 52(1) and 54 EPC)

1.1 The opposition division held that the subject-matter of claim 1 was known from document D16 (point 2.2.3 of the decision under appeal).

1.2 It was common ground between the parties that D16 disclosed all features of claim 1 except for the feature that the image was captured from the display means "using an optical acquiring means of the mobile device".

1.3 D16 discloses a method of authenticating a user, in which the user holds an authentication apparatus 108, which corresponds to the mobile device of present claim 1, to a screen of a personal computer 102, which corresponds to the display means of claim 1, such that the authentication apparatus can capture an image 300 representing a digitally signed block of ciphertext (page 12, lines 23 to 25, and page 13, lines 11 to 15). The authentication apparatus 108 comprises a strip sensor 400 for capturing the image 300, but may be replaced with another form of sensor such as a matrix sensor (page 13, lines 19 to 27). Further, according to claim 1 of D16, the apparatus for obtaining information that can be used to authenticate an entity, which corresponds to the mobile device of claim 1 of the main request, comprises "an image capturing means".

1.4 The board understands the above disclosure of D16 such that an optical acquiring means is used to capture a first piece of authentication information.

1.5 The appellant argued that the terms "strip sensor" or "matrix sensor" used as examples of the means for capturing an image (D16, page 13, lines 19 to 35) did not constitute an enabling disclosure of an optical acquiring means, since the skilled person would not understand these terms in the context of "optical acquiring means".

1.6 The board does not agree. Assuming that the skilled person had no knowledge of "strip sensors" or "matrix sensors", he/she would have knowledge of means for capturing an image in general, of which these sensors as mentioned in D16 are only specific examples. Digital cameras as part of mobile devices were also well-known at the priority date of D16. Hence, the skilled person would have been able to carry out the invention disclosed in D16 using other generally known means for capturing the image. Further, the board has no difficulty in understanding the terms "strip sensors" and "matrix sensors" in the present context as meaning a strip or a matrix of photosensitive sensors. Hence, in the board's judgement, these terms would have been perfectly understood by the skilled person.

1.7 It follows that the corresponding disclosure of D16 is an enabling disclosure.

1.8 The board concludes that the subject-matter of claim 1 of the main request lacks novelty having regard to the disclosure of D16 (Articles 52(1) and 54 EPC).

1.9 The main request is therefore not allowable.

2. Auxiliary request 1: inventive step (Articles 52(1) and 56 EPC)

2.1 Claim 1 of auxiliary request 1, see point VI above, includes, compared with claim 1 of the main request, the following additional feature:

"the authentication request comprises personal information of the user (1) and transactional information related to a transaction which the user (1) wishes to make".

Further, "an optical acquiring means" has been replaced by "a digital camera".

2.2 The opposition division held that the subject-matter of claim 1 of auxiliary request 1, which is identical to present claim 1 of auxiliary request 1, was known from D16 (see point 2.3.3 of the decision under appeal).

2.3 In the board's view, the question of whether or not the "strip sensors" or "matrix sensors" as disclosed in D16 (see points 1.4 to 1.6 above) may be considered as an unambiguous disclosure of a digital camera as mentioned in claim 1 and, if not, would render the claimed subject-matter new, need not be answered, since it would, in any case, have been obvious to the skilled person starting out from D16 as representing the closest prior art to consider the use of a digital camera as the image capturing means. As noted above, digital cameras as part of mobile devices were well-known at the priority date of D16. Hence, it would have been obvious to the skilled person to consider using a digital camera as an alternative to the "strip sensors" or the "matrix sensors" for the purpose of capturing the image from the screen of the personal computer 102.

2.4 The further feature relating to the authentication request comprising personal information of the user and transactional information related to the transaction the user wishes to make would also have been obvious to the skilled person starting out from D16 as the closest prior art for the following reasons.

According to D16, the web server 104, which corresponds to the remote authentication device of claim 1, creates a message confirming an action a person wants the web server to perform. As an example, if the web server 104 is used to transfer money between bank accounts, the message may be "transfer $100 from account #1234 to account #5678" (page 12, lines 6 to 13).

For the web server 104 to create such a message, it must previously have received information about the amount of money to be transferred, which the board considers to be transactional information related to a transaction the user wishes to make. It must also previously have received information about the account numbers, which the board considers to be information comprising personal information of the owner of these account numbers. These two pieces of information can thus be considered as being part of the authentication request which is sent to the web server 104.

The board notes that D16 does not unambiguously disclose that either of the account numbers refers to a bank account in the name of the person carrying out the method, whereas the claimed method involves personal information "of the user" as part of the authentication request, which is therefore more specific. It would, however, have been obvious to the skilled reader that the method of D16 may be used in connection with the person's own account, it being noted that D16 does not contain any pointers or features relating to an authentication of a person for the purpose of a money transfer using a third person's bank account.

2.5 The appellant argued in this respect that D16 did not unambiguously disclose that the authentication request was sent by the user. This is, however, not necessary, since claim 1 leaves it open which entity sends the authentication request.

2.6 Finally, the board notes that the two above-mentioned features (see point 2.1 above) are not interrelated. Indeed, this had not been argued by the appellant either.

2.7 It follows that the subject-matter of claim 1 of auxiliary request 1 does not involve an inventive step when starting out from D16 and taking into account the common general knowledge of the person skilled in the art (Articles 52(1) and 56 EPC).

2.8 Auxiliary request 1 is therefore not allowable.

3. Auxiliary request 2: inventive step (Articles 52(1) and 56 EPC)

3.1 Claim 1 of auxiliary request 2 includes, compared with claim 1 of auxiliary request 1, the following additional feature:

"the second piece of authentication information comprises a signature over a message contained in the first piece of authentication information, wherein the message contained in the first piece of authentication information is displayed to the user, and the signature is generated if the transaction is accepted by the user".

3.2 The opposition division held that the subject-matter of claim 1 would be obvious to the skilled person when starting out from D2 as the closest prior art and taking into account the teaching of D5.

3.3 The appellant agreed with the opposition division's view that the difference between the claimed subject-matter and the disclosure of D2 according to a first embodiment was that the first piece of authentication information is received at the mobile device from an access terminal and that this first piece of authentication information is presented as an image on a display means of the access terminal and captured therefrom using a digital camera of the mobile device. The board agrees.

3.4 The problem solved by these distinguishing features may be formulated as improving the known method such that user convenience is increased. Entering a long challenge would clearly not be user-friendly, since in D2 it has to be entered manually by the user.

3.5 This problem was already identified in D2 and was solved in a second embodiment in which a personal card reader is physically connected to the cardholder's PC device, thereby obviating a manual entry of the challenge by the user (D2, page 16, lines 20 to 24, and page 24, lines 5 to 9).

An alternative solution to the above problem is known from document D5 which discloses a security device which comprises, inter alia, an optical signal-receiving element or sensor 22 for reading a code sent from a computer 15 of a service provider to a display 16 for use for online transactions (see the abstract and Figure 1). The sensor 22 consists of a matrix of photoelectric cells 22a of the type similar to that used in video cameras. Each cell comprises a microlens for focusing light originating from a portion of the screen 16 that is smaller than a dot of an alternation of black and white dots, defining a binary matrix structure, displayed on the screen (paragraphs [0032] and [0035]). The sensor 22 is linked to control electronics 28 which comprises a microprocessor 30 (paragraphs [0035] and [0039]). In the board's view, the sensor 22 may thus be considered as constituting a digital camera.

3.6 Faced with the above-mentioned problem, it would thus have been obvious to the skilled person to alternatively make use of the solution disclosed in D5, thereby arriving at the method claimed in claim 1, without exercising inventive skill.

3.7 The appellant argued that the optical signal-receiving element of D5 could not be considered a digital camera, since it consisted of a matrix of photoelectric cells each comprising a microlens. The board disagrees. The combination of a lens, which allows focusing (see D5, paragraph [0035]), with a photosensor is generally considered as constituting a camera, as it allows the projection of a picture onto a screen (in this case onto the matrix of photoelectric cells). A matrix of photoelectric cells each having a microlens may also be considered as forming a matrix of microcameras.

The appellant further argued that the skilled person starting out from D2 would not have looked for alternative solutions to the solution provided in D2, i.e. a connected personal card reader, since the teaching of D2 with respect to solving the problem of user convenience by using a connected personal card reader, which corresponds to the mobile device of claim 1, was a complete teaching. This argument, however, disregards the fact that a connected card reader imposes specific hardware requirements for connecting the components in question. This is irrespective of whether the connection is a wired or a wireless connection (see page 15, lines 25-29 of D2). Further, the board notes that in D2 it is stated that a connected reader can behave as an unconnected reader if no connection is available (page 16, line 31, to page 17, line 1), in which case the above-mentioned problem would no longer be solved. In view of the foregoing, the skilled person would thus not be prevented from looking for alternative solutions.

The appellant further argued that a cable-connected personal card reader as disclosed in the second embodiment of the method of D2 would be considered by the skilled person as more advantageous than a solution using optical acquiring means as suggested in D5, since a connected card reader would allow a bi-directional data exchange between the personal card reader and the cardholder's PC device, which corresponds to the access terminal of claim 1 of auxiliary request 2. The board is not convinced by this argument, since a bi-directional connection may also introduce disadvantages, e.g. with respect to security issues.

3.8 It follows that the subject-matter of claim 1 of auxiliary request 2 does not involve an inventive step when starting out from D2 and taking into account the teaching of D5 (Articles 52(1) and 56 EPC).

3.9 Auxiliary request 2 is therefore not allowable.

4. Auxiliary request 3: inventive step (Articles 52(1) and 56 EPC)

4.1 Claim 1 of auxiliary request 3 includes, compared with claim 1 of auxiliary request 2, the following additional wording:

"wherein the step of generating the second piece of authentication information is done using the International Mobile Equipment Identity, IMEI, information relating to the Subscriber Identity Module, SIM, or any other information specific to the mobile device (2) of the user (1);

wherein the step of sending the second piece of authentication information to the remote authentication device is done by the mobile device; and

wherein the step of validating the second piece of authentication information comprises:

- receiving information relating to the location of the mobile device (2); and

- validating the second piece of authentication information only if the information relating to the location of the mobile device indicates that the mobile device is in a predetermined location;

or comprises:

- receiving information relating to the location of the mobile device (2);

- receiving information relating to the location of the access terminal (4);

- comparing the location of the mobile device with the location of the access terminal; and

- validating the second piece of authentication information only if the location of the mobile device matches the location of the access terminal".

4.2 The opposition division held that the subject-matter of claim 1 would be obvious to the skilled person based on D2 as the closest prior art and taking into account the teachings of D5 and D7.

4.3 It was common ground between the parties that from the above wording, the first alternative, i.e.

- "receiving information relating to the location of the mobile device (2); and

- validating the second piece of authentication information only if the information relating to the location of the mobile device indicates that the mobile device is in a predetermined location"

was not known from D2.

4.4 These features solve, when starting out from D2, the problem of providing a further security element. Increasing the security for security sensitive transactions, such as money transfers, was a general objective for the skilled person at the priority date. Further, the problem of providing a further security element is unrelated to the problem solved by the feature relating to the optical capturing of the first piece of authentication information (see points 3.3 and 3.4 above). Hence, the skilled person would look for further prior art, in addition to document D5, in order to solve the present problem, i.e. providing a further security element.

4.5 Document D7 relates to secure login over a public network and discloses, for the purpose of meeting increased requirements on security products (paragraph [0002]), a method in which, during login to a communication system using a mobile unit, a global unique identity, which corresponds to information relating to the location of the mobile device, is appended to a token entered into the mobile unit, and the result is eventually verified at an authorisation centre against allowed identities (column 3, line 42, to column 4, line 6). This has the effect that the token with the appended global unique identity, which together correspond to the second piece of authentication information in claim 1, is only validated if the information relating to the location of the mobile device indicates that the mobile device is in a predetermined location.

4.6 It would thus have been obvious to the skilled person, when faced with the above-mentioned problem, that the location-based security feature disclosed in D7 could be used for the same purpose in the method of D2. He would thus arrive at the subject-matter of claim 1 of auxiliary request 3 without exercising inventive skill.

4.7 The appellant argued that the skilled person starting out from D2 and considering the teaching of D5 for the purpose of using optical acquiring means and wanting to increase the security measures would make use of the means disclosed in D5 for that purpose, namely a biometric sensor 26, and, hence, would not be tempted to look for any further prior art. The board does not agree. The skilled person seeking a solution to improve the security of security-relevant transactions would consider various known security options, and taking into account the circumstances of for example availability and costs of the suggested means, would choose from amongst these options those means which he would deem useful and feasible for the specific process under consideration. Hence, the fact that D5 discloses a security feature would be no bar for the skilled person to consider further or alternative security options.

4.8 The appellant further argued that the problems solved by the feature relating to the optical acquiring means, and by the feature relating to location of the mobile device respectively, were interrelated and could not be solved independently without exercising inventive skill. The appellant considered that using optical acquiring means would, in addition to the problem stated at point 3.4 above, allow the use of a longer challenge, which would increase the security of the authentication method. This effect would also be a reason as to why the skilled person would not look any further for other solutions to increase security.

However, as has been pointed out in point 4.7 above, the skilled person faced with the problem of improving the security of security-relevant transactions would consider various known security options and choose the one which he would deem useful and feasible for the process under consideration. Hence, the fact that the optical acquiring means known from D5 would allow increasing the security through the easy implementation of a longer challenge, would be no bar for the skilled person to consider further security options.

4.9 The board concludes that the subject-matter of claim 1 of auxiliary request 3 does not involve an inventive step when starting out from D2 and taking into account the teachings of D5 and D7 (Articles 52(1) and 56 EPC).

4.10 Auxiliary request 3 is therefore not allowable.

5. Auxiliary request 4: admissibility (Article 12(4) RPBA)

5.1 Claim 1 of auxiliary request 4 corresponds to claim 1 of auxiliary request 3, except that the first alternative referred to in point 4 above has been deleted.

5.2 The claims of auxiliary request 4 are identical to the claims of auxiliary request 6 filed before the opposition division at the oral proceedings. The opposition division did not admit this request "as it is late filed, Rule 116(2) EPC" and "for the reason of being late filed, according to Rule 116(1) EPC" (see points 1.17.18 and 2.8.1 of the decision under appeal and point 16.9 of the minutes). No further reasoning was given.

5.3 Article 12(4) RPBA gives the board the discretion to hold inadmissible requests which could have been presented or were not admitted in the first instance proceedings.

It is established case law that any late filing of requests during an opposition procedure may be admitted at the opposition division's discretion (see, e.g., T 2415/13, point 1.3 of the reasons). For the parties and the board to be in a position to determine whether or not this discretion was exercised in accordance with the right principles or whether or not it was exercised in an unreasonable way (see G 7/93, OJ EPO 1994, 775; point 2.6 of the reasons), the reasoning on which the discretion was based must be set out in the decision.

In the present case, no reasoning was given (see point 5.2 above). Consequently, the board can only guess as to why the opposition division decided not to admit the late-filed request. Without any reasoning, the board is thus not in a position to determine whether the opposition division's discretion had been exercised in accordance with the right principles and in a reasonable way and hence is not in a position to hold inadmissible the same request as filed with the statement of grounds of appeal. Auxiliary request 4 is therefore admitted into the appeal proceedings.

6. Remittal (Article 111(1) EPC)

6.1 Article 111(1) EPC gives the board the discretion to remit a case to the department of first instance. According to established case law, if no substantive examination as to the allowability of the subject-matter of a new, admissible request has been carried out by the department of first instance, the case is remitted, unless specific reasons present themselves for doing otherwise.

6.2 In the present case, as no substantive examination has been carried out and the board sees no specific reasons for not remitting the case, the case is remitted to the department of first instance.

7. Costs (Article 104 EPC and Rule 88 EPC)

7.1 Respondent II requested that in case of a remittal, the costs it would incur in connection with the further prosecution before the first instance and any subsequent appeal proceedings be paid by the appellant.

7.2 From the wording of Article 104(1) EPC ("costs [a party] has incurred" (underlining by the board)), Rule 88(2) EPC, which relates to a bill of costs, and Article 16(1) RPBA, it follows that a decision on an apportionment of costs cannot be made in respect of future costs, as requested by respondent II.

7.3 Therefore, the board rejects the request.

Order

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the department of first instance for further prosecution on the basis of the set of claims of auxiliary request 4 filed with the statement of grounds of appeal.
