T 0330/10 (Resetting passwords/AVAYA) of 1.10.2014

European Case Law Identifier: ECLI:EP:BA:2014:T033010.20141001
Date of decision: 01 October 2014
Case number: T 0330/10
Application number: 07251625.5
IPC class: G06F 21/20
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: Method and system for resetting passwords
Applicant name: Avaya Inc.
Opponent name: -
Board: 3.5.06
Headnote: -
Relevant legal provisions:
Rules of procedure of the Boards of Appeal Art 15(3)
Rules of procedure of the Boards of Appeal Art 15(5)
Rules of procedure of the Boards of Appeal Art 15(6)
European Patent Convention Art 52
Keywords: Patentable invention - independent method claim (no)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appeal lies against the decision of the examining division dated 27 November 2009 to refuse European patent application No. 07251625.5 for lack of an inventive step, Article 56 EPC 1973.

II. On 28 January 2010, the applicant filed a letter containing a notice of appeal and the grounds of appeal. The appeal fee was paid on the same day. The appellant requested that the decision under appeal be set aside and that the application be remitted with an order to grant the patent on the basis of amended claims 1-20 as filed with the same letter. In the annex to the summons to oral proceedings, the board summarised its understanding that the further application documents were drawings pages 1-2 and description pages 1-7 and 10-18 as originally filed, and description pages 8 and 9 as received with a letter of 27 April 2009. Oral proceedings were also requested prior to any adverse decision by the board.

III. Independent method claim 1 reads as follows:

"A method for resetting passwords comprising:

receiving a request from a purported user to reset a previously set password;

authenticating (106) said purported user as an actual user;

establishing (108) a new password and resetting the previously set password as the new password if the purported user is authenticated as the actual user;

dividing (112) said new password into at least first and second portions;

transmitting (114) said first portion of said new password to said actual user; and

transmitting (116) said second portion of said new password to a location having restricted access;

whereby said actual user has access to said location and is enabled to retrieve both said first and second portions of said new password, and thereby may recreate said new password securely, whereby said actual user has access to said location before said request is received and said new password is established."

Independent claim 7 relates to a "system for resetting passwords" in words closely corresponding to those defining method claim 1.

IV. With a summons to oral proceedings, the board informed the appellant of its preliminary opinion, according to which the appeal would have to be dismissed. The board tended to consider that the subject-matter of the independent claims did not constitute an invention in the sense of Article 52(1) EPC. The board also raised objections under Article 56 EPC 1973 over common knowledge because the claimed invention did not solve a technical problem in a non-obvious manner and, alternatively, over the prior art on file.

V. In response to the summons, the appellant filed neither comments nor amendments but, with letter of 30 September 2014, declared that the applicant-appellant would not attend the oral proceedings. Instead, the request for oral proceedings was withdrawn and a decision was requested "on the file as it stands".

VI. The oral proceedings took place as scheduled and, as announced, in the appellant's absence. At the end of the oral proceedings, the chairman announced the decision of the board.

Reasons for the Decision

1. As announced in advance, the duly summoned appellant did not attend the oral proceedings. In accordance with Article 15(3) RPBA, the board relied for its decision only on the appellant's submissions. It was in a position to decide at the conclusion of the oral proceedings, since the case was ready for decision (Article 15(5) and (6) RPBA), and the voluntary absence of the appellant was not a reason for delaying a decision (Article 15(3) RPBA).

The invention

2. The application relates to the situation that a user has lost or forgotten a password and needs it to be reset. It discusses known ways for resetting a password and their advantages and disadvantages and proposes a new way meant to avoid the drawbacks of the prior art: Specifically, the invention is meant to increase secrecy of the new password by avoiding the risk that the new password is intercepted during transmission and by eliminating the need to involve a trusted third party (see original application, pars. 18-19).

2.1 The central idea of the invention is that a newly created password is transmitted to the requesting user in (at least) two portions via two possibly different channels. The transmission of the "first portion" is essentially unrestricted (see claim 1), whereas the "second portion" (or any further ones) should be transmitted to a "location having restricted access" which nevertheless provides access at least to the requesting user. The user is thus able to retrieve both portions and recreate the complete new password from them. The way in which a password is divided into portions is disclosed as "completely arbitrary" (par. 48).

2.2 The invention as claimed requires that a request to reset a password is received and that the requesting user is authenticated. The description discloses that a user can request resetting the password by calling a responsible "central office" over the phone (see para. 36) and that the authentication can be done "in any known fashion", for instance "by interrogating the [user] with one or more security questions" which may be answered orally (see para. 37). The first portion of the new password may be given immediately, e.g. orally over the telephone, while the second portion may be sent to the user's mobile telephone, voice mailbox or email account (paras. 39 and 43). It is disclosed that, alternatively, the second portion may also be sent to the user's supervisor, e.g. via telephone or email, for personal delivery (para. 44).

Remarks on terminology

3. It is clear from the description that the claimed password is meant to be conventional and to subsume, for instance, some kind of PIN (see p. 35). The description discloses that the password is meant to control access to a computing device (par. 0002). Such control is however not claimed, nor is it claimed that the password is actually stored in a computing device. A password may also be a numerical secret which a customer has to reproduce orally, e.g. a telephone banking PIN. The claims state that the password to be reset was "previously set" and that the new password is "[reset] ... as the new password" without specifying explicitly what setting and resetting implies. They leave open how the password is to be divided and/or how the portions are retrieved and from where. The claims refer to a "location having restricted access" to which at least the user has access, but they do not otherwise specify the nature of this "location".

Technical character, Article 52 EPC

4. The description discloses that the user's request to reset a password may be handled by a central office which the user calls over the telephone. The request and the user authentication can then be performed orally (paras. 36 and 37), and also the first portion of the new password can be communicated orally (para. 39). The independent claims do not exclude the possibility that the user, instead of calling a central office, walks up to a service desk and thus does not even use a telephone. Eventually, the user may recreate the new password from the obtained portions in his mind.

4.1 The password itself may be just a numerical secret, a PIN, and the steps of setting and resetting a password may be satisfied by memorising a new password instead of a previously valid password.

4.2 The board is of the opinion that the concept of a "restricted access" location by itself does not imply any physical means such as a letter box with a lock or an access-controlled email or voice mail account. Rather, the board considers that a person revealing a secret only to a number of authorised persons may also be considered a "location having restricted access" in the sense of the claims. In the board's judgment this is consistent with the application, which discloses that, if users do not have access to a secure location themselves, the second portion of the new password may be sent to a supervisor instead. This interpretation was presented in the annex to the summons to oral proceedings and was not challenged by the appellant.

4.3 Based on this interpretation the board comes to the conclusion that the method of claim 1 as drafted subsumes a method of communicating a secret between people which does not require any technical means: the claimed steps of setting a password and establishing a new password, of dividing the new password into two portions, and of recreating the new password from the two portions relate to activities which users can carry out in their minds and which thus define a mere mental activity (cf. Article 52(2)(c) EPC). The remaining steps of receiving a request, of authenticating a user, of transmitting the two portions to the user and to "a location having restricted access", respectively, and of retrieving the portions can be carried out by persons interacting with each other without using any technical means.

4.4 Due to the lack of any technical feature, method claim 1 thus does not have technical character and is therefore not to be regarded as an invention in the sense of Article 52(1) EPC.

4.5 The board notes that it has no occasion either to deviate from its further objections raised with the summons to oral proceedings, namely lack of inventive step over common knowledge and over D1, Article 56 EPC 1973. In view of the above finding, however, these objections need not be addressed in this decision.

Order

For these reasons it is decided that:

The appeal is dismissed.
