| European Case Law Identifier: | ECLI:EP:BA:2014:T033010.20141001 |
| Date of decision: | 01 October 2014 |
| Case number: | T 0330/10 |
| IPC class: | G06F 21/20 |
| Language of proceedings: | EN |
| Title of application: | Method and system for resetting passwords |
| Applicant name: | Avaya Inc. |
| Relevant legal provisions: | |
| Keywords: | Patentable invention - independent method claim (no) |
Summary of Facts and Submissions
I. The appeal lies against the decision of the examining division dated 27 November 2009 to refuse European patent application No. 07251625.5 for lack of an inventive step, Article 56 EPC 1973.
II. On 28 January 2010, the applicant filed a letter containing a notice of appeal and the grounds of appeal. The appeal fee was paid on the same day. The appellant requested that the decision under appeal be set aside and that the application be remitted with an order to grant the patent on the basis of amended claims 1-20 as filed with the same letter. In the annex to the summons to oral proceedings, the board summarised its understanding that the further application documents were drawings pages 1-2 and description pages 1-7 and 10-18 as originally filed, and description pages 8 and 9 as received with a letter of 27 April 2009. Oral proceedings were also requested prior to any adverse decision by the board.
III. Independent method claim 1 reads as follows:
"A method for resetting passwords comprising:
receiving a request from a purported user to reset a previously set password;
authenticating (106) said purported user as an actual user;
establishing (108) a new password and resetting the previously set password as the new password if the purported user is authenticated as the actual user;
dividing (112) said new password into at least first and second portions;
transmitting (114) said first portion of said new password to said actual user; and
transmitting (116) said second portion of said new password to a location having restricted access;
whereby said actual user has access to said location and is enabled to retrieve both said first and second portions of said new password, and thereby may recreate said new password securely, whereby said actual user has access to said location before said request is received and said new password is established."
Independent claim 7 relates to a "system for resetting passwords" in words closely corresponding to those defining method claim 1.
IV. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion, according to which the appeal would have to be dismissed. The board tended to consider that the subject-matter of the independent claims did not constitute an invention in the sense of Article 52(1) EPC. The board also raised objections under Article 56 EPC 1973 over common knowledge because the claimed invention did not solve a technical problem in a non-obvious manner and, alternatively, over the prior art on file.
V. In response to the summons, the appellant filed neither comments nor amendments but, with letter of 30 September 2014, declared that the applicant-appellant would not attend the oral proceedings. Instead, the request for oral proceedings was withdrawn and a decision was requested "on the file as it stands".
VI. The oral proceedings took place as scheduled and, as announced, in the appellant's absence. At the end of the oral proceedings, the chairman announced the decision of the board.
Reasons for the Decision
1. As announced in advance, the duly summoned appellant did not attend the oral proceedings. In accordance with Article 15(3) RPBA, the board relied for its decision only on the appellant's submissions. It was in a position to decide at the conclusion of the oral proceedings, since the case was ready for decision (Article 15(5) and (6) RPBA), and the voluntary absence of the appellant was not a reason for delaying a decision (Article 15(3) RPBA).
2. The application relates to the situation in which a user has lost or forgotten a password and needs it to be reset. It discusses known ways of resetting a password and their advantages and disadvantages and proposes a new way meant to avoid the drawbacks of the prior art. Specifically, the invention is meant to increase secrecy of the new password by avoiding the risk that the new password is intercepted during transmission and by eliminating the need to involve a trusted third party (see original application, pars. 18-19).
2.1 The central idea of the invention is that a newly created password is transmitted to the requesting user in (at least) two portions via two possibly different channels. The transmission of the "first portion" is essentially unrestricted (see claim 1), whereas the "second portion" (or any further ones) should be transmitted to a "location having restricted access" that provides access at least to the requesting user. The user is thus able to retrieve both portions and recreate the complete new password from them. The way in which a password is divided into portions is disclosed as "completely arbitrary" (par. 48).
2.2 The invention as claimed requires that a request to reset a password is received and that the requesting user is authenticated. The description discloses that a user can request resetting the password by calling a responsible "central office" over the phone (see para. 36) and that the authentication can be done "in any known fashion", for instance "by interrogating the [user] with one or more security questions" which may be answered orally (see para. 37). The first portion of the new password may be given immediately, e.g. orally over the telephone, while the second portion may be sent to the user's mobile telephone, voice mailbox or email account (paras. 39 and 43). It is disclosed that, alternatively, the second portion may also be sent to the user's supervisor, e.g. via telephone or email, for personal delivery (para. 44).
Remarks on terminology
3. It is clear from the description that the claimed password is meant to be conventional and to subsume, for instance, some kind of PIN (see p. 35). The description discloses that the password is meant to control access to a computing device (par. 0002). Such control is, however, not claimed, nor is it claimed that the password is actually stored in a computing device. A password may also be a numerical secret which a customer has to reproduce orally, e.g. a telephone banking PIN. The claims state that the password to be reset was "previously set" and that the new password is "[reset] ... as the new password" without specifying explicitly what setting and resetting implies. They leave open how the password is to be divided and/or how the portions are retrieved and from where. The claims refer to a "location having restricted access" to which at least the user has access, but they do not otherwise specify the nature of this "location".
Technical character, Article 52 EPC
4. The description discloses that the user's request to reset a password may be handled by a central office which the user calls over the telephone. The request and the user authentication can then be performed orally (paras. 36 and 37), and also the first portion of the new password can be communicated orally (para. 39). The independent claims do not exclude the possibility that the user, instead of calling a central office, walks up to a service desk and thus does not even use a telephone. Eventually, the user may recreate the new password from the obtained portions in his mind.
4.1 The password itself may be just a numerical secret, a PIN, and the steps of setting and resetting a password may be satisfied by memorising a new password instead of a previously valid password.
4.2 The board is of the opinion that the concept of a "restricted access" location by itself does not imply any physical means such as a letter box with a lock or an access-controlled email or voice mail account. Rather, the board considers that a person revealing a secret only to a number of authorised persons may also be considered a "location having restricted access" in the sense of the claims. In the board's judgment this is consistent with the application, which discloses that, if users do not have access to a secure location themselves, the second portion of the new password may be sent to a supervisor instead. This interpretation was presented in the annex to the summons to oral proceedings and was not challenged by the appellant.
4.3 Based on this interpretation the board comes to the conclusion that the method of claim 1 as drafted subsumes a method of communicating a secret between people which does not require any technical means: the claimed steps of setting a password and establishing a new password, of dividing the new password into two portions, and of recreating the new password from the two portions relate to activities which users can carry out in their minds and which thus define a mere mental activity (cf. Article 52(2)(c) EPC). The remaining steps of receiving a request, of authenticating a user, of transmitting the two portions to the user and to "a location having restricted access", respectively, and of retrieving the portions can be carried out by persons interacting with each other without using any technical means.
4.4 Due to the lack of any technical feature, method claim 1 thus does not have technical character and is therefore not to be regarded as an invention in the sense of Article 52(1) EPC.
4.5 The board notes that it has no occasion either to deviate from its further objections raised with the summons to oral proceedings, namely lack of inventive step over common knowledge and over D1, Article 56 EPC 1973. In view of the above finding, however, these objections need not be addressed in this decision.
For these reasons it is decided that:
The appeal is dismissed.