DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed 09/24/2025.
Claims 1, 19, 23 and 30 are amended.
Claims 2-4, 7, 13, 20 and 21 are cancelled.
Claims 1, 5, 6, 8-12, 14-19 and 22-30 are pending.
Claims 1, 5, 6, 8-12, 14-19 and 22-30 have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claims 1, 19 and 30 are objected to because of the following informalities: claims 1, 19 and 30 recite “the received response to the enrollment request verification from the first user device wherein the second device is verified” and claim 1 recites “wherein the second authentication factor and the first identifier are associated with the user;;”. Appropriate correction is required.
Response to Arguments
Applicant's arguments filed 09/24/2025 have been fully considered but they are not persuasive.
101
Applicant argues “These steps constitute an authentication protocol that enhances security and user experience across devices; they are performed automatically, at electronic speeds, and could not practically be executed by human minds or pen- and-paper processes… Every limitation is confined to technical operations performed by a computing system: receiving identity-related data sets, verifying the user once, generating and depositing encrypted cookies on separate devices, associating device- specific authentication factors in a datastore, and re-using those factors for later verification. These steps address a technological problem (secure cross-device authentication)….” Examiner disagrees.
Taking Applicant’s description of the claim’s concepts “receiving identity-related data sets(insignificant extra solution activity), verifying the user once (abstract idea as verifying a user is a commercial or business practice), generating and depositing encrypted cookies on separate devices(First, the disclosure does not provide for how this cookie is generated, but explains that is cookie is data that works as an identifier. Generating an identifier of a device is not an additional element and instead works as more verification data towards the abstract idea, depositing is sending data- insignificant extra solution activity), associating device- specific authentication factors in a datastore (in the claims, recited as “storing” an insignificant extra solution activity), and re-using those factors for later verification (this concept is neither claimed or positively recited in the claims). For example, the claim recites “in response to detecting, by the computing system, selection of the link by the second user device:” According to the disclosure(¶ 31), “commerce platform may send a text message, MMS message, email, etc. with a link having an embedded identifier associated with the request to enroll another user device. The identifier in the link may be short lived (e.g., expiring) and/or single use, such that when commerce platform receives link selection, validity of the link and the embedded identifier are checked to determine if the link is still valid (e.g., verification that the ID in the link has not expired, has not been previously used, etc.) and to which user (e.g. user of user device 130) the request is originating from.” The recited “detecting” is actually receiving the selection. This is another insignificant extra-solution activity of a generic computing device.
Applicant has explained the their application to be is a business improvement. The recited technology of the claims, the “computing system”, is not improved, “it is important to keep in mind that an improvement in the abstract idea itself (e.g. a recited fundamental economic concept) is not an improvement in technology. For example, in Trading Technologies Int’l v. IBG, 921 F.3d 1084, 1093-94, 2019 USPQ2d 138290 (Fed. Cir. 2019), the court determined that the claimed user interface simply provided a trader with more information to facilitate market trades, which improved the business process of market trading but did not improve computers or technology.” MPEP 2106.05(a) (II). The rejection is maintained.
112
Due to Applicant’s amendments, prior 112 rejections are withdrawn.
Claim Interpretation
“in response to a positive verification of the true identity of the user, generating, by the computing system, a first cookie comprising a first identifier of the user and collecting a first authentication factor generated by a first user device, wherein the first identifier of the first cookie is associated with the first authentication factor for identity verification reuse”
Claim Interpretation – According to the disclosure(¶ 27), “If agreed to by the user of user device 130, commerce platform will generate a cookie with a unique identifier (e.g., a cryptographic string, random number, hash of user data, etc. unique to the user of user device 130). The cookie is a piece of data that is deposited on the user device 130 that includes the identifier as well as other information that the commerce platform 110 may use to identify the user of user device 130. In embodiments, the identifier is encrypted by a key of the commerce platform 110 prior to being deposited on the user device 130.”
in response to detecting, by the computing system, selection of the link by the second user device:
Claim Interpretation – According to the disclosure(¶ 31), For example, commerce platform may send a text message, MMS message, email, etc. with a link having an embedded identifier associated with the request to enroll another user device. The identifier in the link may be short lived (e.g., expiring) and/or single use, such that when commerce platform receives link selection, validity of the link and the embedded identifier are checked to determine if the link is still valid (e.g., verification that the ID in the link has not expired, has not been previously used, etc.) and to which user (e.g. user of user device 130) the request is originating from.
“transmitting, by the computing system, an enrollment request verification to the first user device”
Claim Interpretation –According to the disclosure(¶ 60), “For example, a text message, email, instant message, etc. may be sent by processing logic to a first, enrolled user device querying whether the user initiated the second user device enrollment.”
Claim Rejections - 35 USC § 101
,35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 5, 6, 8-12, 14-19 and 22-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Subject Matter Eligibility Standard
When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (101 Analysis: Step 1). Even if the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (101 Analysis: Step 2a(Prong 1), and if so, Identify whether there are any additional elements recited in the claim beyond the judicial exception(s), and evaluate those additional elements to determine whether they integrate the exception into a practical application of the exception. (101 Analysis: Step 2a (Prong 2). If additional elements does not integrate the exception into a practical application of the exception, claim still requires an evaluation of whether the claim recites additional elements that amount to an inventive concept (aka “significantly more”) than the recited judicial exception. If the claim as a whole amounts to significantly more than the exception itself (there is an inventive concept in the claim), the claim is eligible. If the claim as a whole does not amount to significantly more (there is no inventive concept in the claim), the claim is ineligible. (101 Analysis: Step 2b).
The 2019 PEG explains that the abstract idea exception includes the following groupings of subject matter: a) Mathematical concepts b) Certain methods of organizing human activity and c) Mental processes
Analysis
In the instant case, claim 1 is directed to a method, and claims 19 and 30 are directed to an article of manufacture.
Step 2a.1– Identifying an Abstract Idea
The claims recite the steps of “receiving… data… verifying… identity …generating …a first cookie… … …collecting… data … depositing, … cookie…storing… transmitting… result … transmitting the link… transmitting… verification… verifying… identity… generating a second cookie… collecting… storing… data … depositing the second cookie… and …verifying… device.” The recited limitations fall within the certain methods of organizing human activity grouping of abstract ideas, specifically, business behaviors, for example, verifying and registering multiple devices for the same user. Accordingly, the claims recites an abstract idea.
See MPEP 2106.
Step 2a.2 – Identifying a Practical Application
The claim does not currently recite an additional and the present elements do not integrate the judicial exception into a practical application.
The claim recites “in response to detecting, by the computing system, selection of the link by the second user device:” According to the disclosure(¶ 31), “ For example, commerce platform may send a text message, MMS message, email, etc. with a link having an embedded identifier associated with the request to enroll another user device. The identifier in the link may be short lived (e.g., expiring) and/or single use, such that when commerce platform receives link selection, validity of the link and the embedded identifier are checked to determine if the link is still valid (e.g., verification that the ID in the link has not expired, has not been previously used, etc.) and to which user (e.g. user of user device 130) the request is originating from.” The recited “detecting” is actually receiving the selection. This is another insignificant extra-solution activity of a generic computing device.
According to the disclosure (27, 42), “ If agreed to by the user of user device 130, commerce platform will generate a cookie with a unique identifier (e.g., a cryptographic string, random number, hash of user data, etc. unique to the user of user device 130). The cookie is a piece of data that is deposited on the user device 130 that includes the identifier as well as other information that the commerce platform 110 may use to identify the user of user device 130…. In response, verification manager 220 instructs cookie generator 230 to generate a device cookie for the second user device and second factor(s) collector 240”. First, the disclosure does not provide for how this cookie is generated, but explains that is cookie is data that works as an identifier. Generating an identifier of a device is not an additional element and instead works as more verification data towards the abstract idea.
Accordingly, even in combination, this additional element does not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Mere instructions to apply the exception using generic computer components and limitations to a particular field of use or technological environment do not amount to practical applications. The claim in directed to an abstract idea.
Step 2b
The claim limitations recite “receiving/collecting” “transmitting/depositing” “encrypting” “performing” and “verifying” which are not additional elements and they amount to no more than mere instructions to apply the exception using a generic computer component. For the same reason these elements are not sufficient to provide an inventive concept. This is also determined to be well-understood, routine and conventional activity in the field. The Symantec, TLI, and OIP Techs, court decision cited in MPEP 2106.05(d)(II) indicates that mere receipt or transmission of data over a network is a well-understood, routine and conventional function when it is claimed in a merely generic manner, as it is here. Therefore, when considering the additional elements alone, and in combination, there is no inventive concept in the claim and thus the claim is not eligible.
Viewed as a whole, instructions/method claims recite the concept of business behaviors as performed by a generic computer. The claims do not currently recite any additional elements or combination of additional elements that amount to significantly more than the judicial exception. The elements used to perform the claimed judicial exception amount to no more than mere instructions to implement the abstract idea in a network, and/or merely uses a network as a tool to perform an abstract idea and/or generally linking the use of the judicial exception to a particular environment.
Dependent claims 5, 6, 8-9, 14-18, 22, and 26-29 provide descriptive language surrounding the abstract idea. As such, these elements do not provide the significantly more to the underlying abstract idea necessary to render the invention patentable.
Claims 10 and 23 discuss functions in more descriptive detail of the steps geared toward the abstract idea. As such, these elements do not provide the significantly more to the underlying abstract idea necessary to render the invention patentable.
Dependent claims 11, 12, 24 and 25 recite insignificant extra solution activity such as receiving and storing information. As such, these elements do not provide the significantly more to the underlying abstract idea necessary to render the invention patentable.
The claims do not, for example, purport to improve the functioning of the computer itself. Nor do they effect an improvement in any other technology or technical field. Therefore, based on case law precedent, the claims are claiming subject matter similar to concepts already identified by the courts as dealing with abstract ideas. See Alice Corp. Pty. Ltd., 573 U.S. 208 (citing Bilski v. Kappos, 561, U.S. 593, 611 (2010)).
The claims at issue amount to nothing significantly more than an instruction to apply the abstract idea using some unspecified, generic computer. See Alice Corp. Pty. Ltd., 573 U.S. 208. Mere instructions to apply the exception using a generic computer component and limitations to a particular field of use or technological environment cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible.
Conclusion
The claim as a whole, does not amount to significantly more than the abstract idea itself. This is because the claim does not affect an improvement to another technology or technical filed; the claim does not amount to an improvement to the functioning of a computer system itself; and the claim does not move beyond a general link of the use of an abstract idea to a particular technological environment.
Accordingly, the Examiner concludes that there are no meaningful limitations in the claim that transform the judicial exception into a patent eligible application such that the claim amounts to significantly more than the judicial exception itself.
Dependent claims do not resolve the deficiency of independent claims and accordingly stand rejected under 35 USC 101 based on the same rationale.
Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1, 5, 6, 8-12, 14-19 and 22-30 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 1, 19 and 30 recite “transmitting, by the computing system, an enrollment request verification to the first user device; verifying, by the computing system, the purported identity of the user as the true identity of the user for the second device based on the received response to the enrollment request verification from the first user device wherein the second device is verified without transmission of the second set of user data by the second device….” According to the disclosure(¶ 41, 42, 59, 60), “Processing logic optionally verifies second device enrollment request on a first device of the user (processing block 510) For example, a text message, email, instant message, etc. may be sent by processing logic to a first, enrolled user device querying whether the user initiated the second user device enrollment. …. Processing logic then generates a cookie having an ID for the second user device (processing block 512).” There does not appear to be an additional verification step of the “purported identity of the user as the true identity of the user for the second device based on the received response to the enrollment request verification from the first user device”. From the disclosure, the message is sent querying whether the user made the second device enrollment and following that a cookie is generated. The disclosure does not provide that based on the message response “verifying, by the computing system, the purported identity of the user as the true identity of the user for the second device.” The disclosure does not provide support for the claimed limitations. Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 5, 6, 8-12, 14-19 and 22-30 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 19 and 30 recite “receiving, by the computing system, a second set of user data associated with the user of the first system to verify a purported identity of the user;…verifying, by the computing system, the purported identity of the user as a true identity of the user based on the first set of user data and the second set of user data… verifying, by the computing system, the purported identity of the user as the true identity of the user for the second device based on the received response to the enrollment request verification from the first user device wherein the second device is verified without transmission of the second set of user data by the second device….” The claim is unclear and indefinite. The limitation appears to be redundant. First, the “second set of user data” appears to be related to verifying the purported identity of the user as a true identity of the user, secondly, there is no recited limitation of the “second set of user data” to any user device, it is unclear what relation the “second set of user data” has to the second device that verification of the second device would or not need that information to be verified. Finally, the second device is never verified, the limitation is directed at “verifying, by the computing system, the purported identity of the user as the true identity of the user for the second device”. The claims are unclear and indefinite. Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
Claims 1, 19 and 30 recite “generating, by the computing system, a second cookie comprising the first identifier;… verifying, by the computing system, in response to a subsequent request to verify the second user device, the second user device, based on collecting the second cookie and the second authentication factor”. The claim language is unclear and indefinite. The second cookie is generated by the computing system. The claim is unclear and indefinite as to how verification is performed for the additional device based on the collected cookie, when a cookie was not collected and it is also unclear where this cookie was collected from given the computing system generated the cookie. The claim is unclear and indefinite. Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
Claims 1, 19 and 30 recite “storing, by the computing system, the first identifier with the second authentication factor in the accounts data store, wherein the second authentication factor and the first identifier are associated with the user … verifying, by the computing system, in response to a subsequent request to verify the second user device, the second user device, based on collecting the second cookie and the second authentication factor …wherein verifying the second user device comprises: in response to determining that a match between the second authentication factor and the first identifier does not exist within the accounts data store, initiating a full identity verification request, thereby treating the second user device as a new user and in response to determining that the match between the second authentication factor and the first identifier does exist within the accounts data store: verifying the purported identity of the user of the second user device as the true identity of the user”. The claims are unclear and indefinite. The association and storing of the second authentication factor and the first identifier, as written in the claims, already occur before the subsequent request and “verifying the second user device”. It is therefore an impossible premise that “wherein verifying the second user device comprises: in response to determining that a match between the second authentication factor and the first identifier does not exist within the accounts data store, initiating a full identity verification request, thereby treating the second user device as a new user.” The claims are unclear and indefinite. Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
Claims 1, 19 and 30 recite “initiating a full identity verification request….”The terms in the claim is a relative term which renders the claim indefinite. The term “full identity verification” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Dependent claims 5, 6, 8-12, 14-18 and 22-29 are also rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Rolfe et al. (11218480) teaches enrolling multiple user devices, authentication factors and device identifiers.
Malik et al. (US 20170357976) (“Malik”) teaches verifying user data for a transaction and generating a cookie for user recognition.
Amalapurapu et al (US 20140337513) (“Amalapurapu”) teaches verifying received user data for a transaction with a merchant and generating a cookie for user recognition for future transactions.
Sureka (US11605083) (“Sureka”) teaches “Multifactor authentication systems and methods employ an online payment server processor that authenticates a user in an online session with a merchant website server processor based on data representing one or more predefined authentication factors received from a user device processor”
Griffith et al. (US 11,144,923) (“Griffith”) teaches “One of the methods includes obtaining information from a user device indicating a user identity of a user operating the user device, the user device being in communication with a content server. A confidence associated with the user identity of the user is determined. Requests from the content server for profile information associated with the user identity are responded to, such that authorization levels of requested profile information are determined to be satisfied based on the confidence.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ILSE I IMMANUEL whose telephone number is (469)295-9094. The examiner can normally be reached Monday-Friday 9:00 am to 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA H PATEL can be reached on (571) 270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ILSE I IMMANUEL/Primary Examiner, Art Unit 3699