Cosmokey v. Duo Security is more about the Federal Circuit than the patented authentication method accused of being a patent-ineligible abstract idea. The court’s analysis is remarkable for at least two reasons. It skipped Alice step one, and then conflated what should have been its step-one analysis with Alice step two. In the end, the court came to what I believe is the right result, that the subject matter is patent eligible, but it did so at the expense of sound reasoning and unfairly jeopardizing the validity of Cosmokey’s patent.
Cosmokey’s patent U.S. No. 9,246,903 (the ‘903 patent) by Adenuga claims a low-complexity high-security method of authenticating a mobile device user in a transaction. Claim one was the object of the court’s analysis and is reproduced here for reference.
“1. A method of authenticating a user to a transaction at a terminal, comprising the steps of:
transmitting a user identification from the terminal to a transaction partner via a first communication channel,
providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user,
as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel,
ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction,
ensuring that said response from the second communication channel includes information that the authentication function is active, and
thereafter ensuring that the authentication function is automatically deactivated.”.
The specification indicates that the last three steps of claim one describe the improvement over the prior art. To summarize, the authentication function of a mobile device is normally inactive and is only activated by the user within a small window at the time of the transaction. A fraudulent transaction would almost certainly fail because, short of stealing the mobile device itself, the hacker would have no way of ensuring that the authentication function is activated at just the right moment. No special hardware is needed to practice the invention, and the user need not enter multiple authentication factors. Cosmokey’s solution is simple and secure.
The trial court found this claim invalid in a judgment on the pleadings for being directed to the abstract idea of authentication in Alice step one, reasoning that the claimed invention “is not materially different from” a similar case where the court found that “providing restricted access to resources” is abstract. At Alice step two the trial court found no inventive concept, holding that the other elements of the claim merely teach “generic computer functionality to perform the abstract concept of authentication”.
On appeal, the Federal Circuit carefully articulated the two-step Alice test and then proceeded to skip the first step. Referring to Alice step one, the Federal Circuit disagreed with the trial court’s interpretation of its precedent, stating that “improving security… can be a non-abstract computer-functionality improvement if done by a specific technique that departs from earlier approaches to solve a specific computer problem.” The court said point blank that it is “not convinced” by the trial court that the claims are merely “directed to the abstract idea of authentication”. Rather, the claims are directed to “activation of the authentication function, communication of the activation within a predetermined time, and automatic deactivation of the authentication function”. That is, the court corrected the trial court’s erroneous finding in Alice step one, reframing the “directed to” analysis to a more specific focus of the claimed advance over the prior art.
The court even identified what it termed the “critical question”: whether its corrected focus is an abstract idea or a specific improvement. It was on the cusp of a conventional Alice step one conclusion, when it decided that “we need not answer this question” because it can accept the trial court’s incorrect Alice step one analysis and resolve the case in step two. …What? The conclusion in step one is supposed to determine whether to engage in step two. If the claims are not directed to a judicial exception, then the analysis ends; the claims are patent eligible.
If courts ignore the logical flow of the Alice test at step one, they will inevitably engage in absurdities in step two. For instance, the court begins to engage in a typical Alice step two analysis, discussing whether the claim includes additional elements providing “an inventive concept that transforms the abstract idea into a patent-eligible invention”. However, there is no need to transform anything unless step one indicates that the claims are directed to an abstract idea. This court all but concluded that the claims are not directed to an abstract idea. Nonetheless, the court proceeded with Alice step two, finding that the last four steps of claim one are not “conventional”, and that the ’903 patent claims recite an inventive concept, a typical Alice step two finding. But, then the court goes on to say that the inventive concept is “a specific improvement to authentication…” As Judge Reyna points out in his concurrence, “this is a step one rationale” transplanted into step two. But, not only is this an Alice step one rationale, a few paragraphs earlier the majority acknowledged that this very rationale belongs to step one.
The court then seemingly drifts in and out of its abandoned Alice step one analysis. At one point the court said that, in contrast to cases cited by Duo, Cosmokey’s “claim limitations are more specific and recited an improved method for overcoming hacking”, a step one rationale. At another point the court concluded that “the claims recite an inventive concept” because in Ancora it recognized “that improving computer or network security can constitute ‘a non-abstract computer-functionality improvement…’”, again using a step one rationale to find an inventive concept in step two.
Skipping Alice step one is logically unsound and it jeopardizes validity. If the analysis should have ended in step one, step two becomes a conflated and confused hybrid analysis as the Federal Circuit demonstrates in Cosmokey. It is impossible to transform a judicial exception into a patent eligible invention without first identifying a judicial exception. But, more importantly, it creates an unfair and unreasonable risk of finding a claim invalid in step two that would have passed step one.
 Cosmokey Solutions GmbH & Co. KG v. Duo Security LLC, 2020-2043 Slip Op. (Fed. Circ. Oct. 4, 2021).
 U.S. No. 9,246,903 at col. 10 ll. 39060.
 See Cosmokey, at 3.
 See Cosmokey, at 3.
 See Cosmokey, at 6 citing Prism Tech[nologies] LLC v. T-Mobile USA, Inc., 696 F. App’x 1014 (Fed. Cir. 2017).
 See Cosmokey, at 6.
 Cosmokey, at 9.
 Cosmokey, at 10.
 See Cosmokey, at 10.
 Cosmokey, at 10 citing Amdocs (Israel) Ltd. v. Openet Telecom, Inc., 841 F.3d 1288, 1303 (Fed. Cir. 2016) (explaining that “even if [the claim] were directed to an abstract idea under step one, the claim is eligible under step two”).
 Cosmokey, at 11.
 Cosmokey, at 11-12.
 Cosmokey, at 4 (concurrence) citing Enfish, 822 F.3d at 1336 (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims is on the specific asserted improvement in computer capabilities . . . or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”); McRO, Inc. v. Bandai Namco Games Am., Inc., 837 F.3d 1299, 1314 (Fed. Cir. 2016) (“It is the incorporation of the claimed rules, not the use of the computer, that improved the existing technological process . . . .” (internal quotation marks omitted)).
 Cosmokey, at 9.
 Cosmokey, at 14.
 Cosmokey, at 14 citing Ancora Techs., Inc. v. HTC Am., Inc., 908 F.3d 1343, 1349 (Fed. Cir. 2018).