DETAILED ACTION
This Non Final Office Action is in response to Request for Continued Examination filed on 01/21/2026. Claims 1, 14 and 19 have been amended. Claims 3-4 16-17 have been or previously canceled. Claims 1-2, 5-15 and 18-20 filed on 01/07/2026 remain pending in the application.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings filed on 09/22/2022 are accepted.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01/21/2026 has been entered.
Response to Arguments
Applicant's arguments in Pages 9-11 filed 01/07/2026 have been fully considered and are considered moot in light of the new ground of rejection below and the newly found prior art Valdivia (US 20140173695 A1). Please see detailed rejections below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 6, 10-11, 13, 14-15, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schwartz et. al. (US 20200364354 A1), hereinafter Schwartz in view of PARK (US 20220201492 A1), hereinafter PARK, Yoon (US 12225008 B1) and Valdivia (US 20140173695 A1).
Regarding claim 1, Schwartz teaches a method for authentication of users for access to web applications (Schwartz Abstract and Figure 3 illustrates a system for authenticating user to access web applications as disclosed in e.g. [0053] “Authorization token 312 may include any type of token that enables a computing entity (e.g., applications, services, etc.) to access a resource. Examples of authorization token 312 include, but are not limited to, web tokens that enable access to web or other network-accessible resources, access tokens, tokens generated in accordance with the Open Authorization (OAuth) standard, Microsoft® Windows NT tokens, etc. ”), the method comprising:
receiving, by a processor, a user identifier and a biometric identifier for a user with a request to access one or more relying party applications (Schwartz Figure 3 illustrates user computing device 102 receiving user identifying and biometric information for a user accessing application [0028] “…user login credentials (e.g., a user name and/or password), a user alias, an account number, biometric information, or any other information or credentials that may be used to secure access to a resource.”, where the user information is received by the computing device, which includes a processor, from the user);
validating, [[by the processor]], the user identifier and the biometric identifier for the user with the request to access the one or more relying party applications (Schwartz [0028] “…authorization server 108 may comprise an identity service or identity provider configured to validate identity information of an entity requesting an authorization token, including but not limited to user login credentials (e.g., a user name and/or password), a user alias, an account number, biometric information, or any other information or credentials that may be used to secure access to a resource.”, where the validation is performed at the authorization server 108, as opposed to the computing device 102);
retrieving, by the processor, an authentication token for the user from an external trusted source [[when an identity service provider is not available, the identity service provider being a provider of the authentication token to the external trusted source]] (Schwartz [0028] “…In accordance with implementations, token issuer 110 of authorization server 108 may generate and issue a token for transmission to computing device 102”, where the token is retrieved by the computing device from the token issuer 110 at 108);
forwarding, by the processor, the authentication token for the user retrieved from the external trusted source to the one or more relying party applications (Schwartz Figure 3 336 [0047] “As will be described in greater detail below, when application 302 attempts to access a resource by transmitting 336 the received authorization token to the appropriate resource provider, the resource provider”, [0059] “After application 302 obtains authorization token 312 as described earlier, application 302 may attempt to access resources consistent with the scope of the granted authorization token by interacting with the appropriate resource provider, such as resource server 112. In examples, application 302 may also provide authorization token 312 to resource protector 320 in conjunction with the attempted access of the resource. ”); and
receiving, on the processor, authentication from the one or more relying party applications for the user to access the one or relying party applications (Schwartz Figure 3 338 [0047] “…where resource protector 320 extracts a trust indication that indicates that application 302 and/or virtual machine 104 may not be secure, resource protector 320 may be configured to protect secured resources 116 by creating a backup of the requested resources (e.g., by creating resource snapshot 322) in advance of granting access 338 to such resources. ”).
Schwartz does not disclose the below limitation. Emphasis in italic.
Park discloses validating, by the processor, the user identifier and the biometric identifier for the user with the request to access the one or more relying party applications (Park illustrates in e.g. Figure 10, mobile device 1010, including a processor, receiving user biometric information and validating the biometric information and if successful, a request is made and a token is retrieved for accessing an application 0146 “the user may agree to provide identity information (e.g., date of birth) utilized for adult authentication through the electronic device 1010, and execute authentication determining whether or not the user is a rightful person to provide the corresponding identity information, by inputting, for example, biometric information to the electronic device 1010. For example, if the user's biometric authentication is successful, the electronic device 1010 may transmit the requested identity information for adult authentication, as retrieved from the digital ID information stored in the electronic device 1010, to an authentication server 1030 (e.g., the authentication server 430 in FIG. 4). For example, the authentication server 1030 may perform authentication for the corresponding identity information and transmit authentication information including an address and/or token for the authentication result to the electronic device 1010.”, [0147] “For example, the electronic device 1010 may transmit the authentication information including the address and/or token received from the authentication server to the convenience store POS device 1020.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz to incorporate the teaching of Park to utilize the above feature, with the motivation of confirming User information to grant access to applications, as recognized by (Park Abstract [0144-0146] and throughout).
Schwartz in view of Park do not disclose the below limitation. Emphasis in italic.
Yoon discloses…an authentication token for the user from an external trusted source when an identity service provider is not available, the identity service provider being a provider of the authentication token to the external trusted source (Yoon Col. 12 line 53-63 “The private keys preferably do not leave their respective devices. However, in some implementations, a private key is shared in a limited manner by related devices. For example, an authentication server private key can be shared among a group of authentication servers 11. In such implementations, any one of these servers 11 is enabled to perform the authentication server functions at any stage in the methods described further herein, without changing the server keys involved. This provides redundancy in the event that one of the servers 11 becomes unavailable or inaccessible.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park to incorporate the teaching of Schwartz in view of Park to utilize the above feature, with the motivation of providing redundancy avoiding interruptions of authentication server functions, as recognized by (Yoon Col. 12 line 53-63 and throughout).
Schwartz in view of Park and Yoon does not explicitly disclose the below limitation.
Valdivia discloses replacing, by the processor, the authentication token in the external trusted source with an updated authentication token after a number of logins by the user (Valdivia [0021] “After the occurrence of a logoff event, access to the account will not be permitted without re-authentication of some kind If logged off, the user may have to obtain another token …the token may include a counter that can be decremented or incremented each time the user logs in using the token. When the counter is equal to a predetermined minimum number (such as zero) or a maximum number (such as ten) the token may be deemed "expired", and may no longer be accepted by the authentication server to login the account access device…the authentication server may exchange the presented login token for a new login token that is sent to the account access device for a subsequent login…”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park and Yoon to incorporate the teaching of Valdivia to utilize the above feature, with the motivation of securing access by using event-based geolocation-based updated tokens, as recognized by (Valdivia [0021] and throughout).
Regarding claim 14, claim 14 recites similar limitations to claim 1, therefore, rejected with the same rationale and motivation applied to claim 1.
Regarding claim 19, claim 19 recites similar limitations to claim 1, therefore, rejected with the same rationale and motivation applied to claim 1.
Regarding claim 2, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1, wherein the authentication token is always retrieved from the external trusted source for the user to access the one or more relying party applications (Schwartz [0028] “…In accordance with implementations, token issuer 110 of authorization server 108 may generate and issue a token for transmission to computing device 102”, where the token is always retrieved by the computing device from the token issuer 110 at 108).
Regarding claim 15, claim 15 recites similar limitations to claim 2, therefore, rejected with the same rationale and motivation applied to claim 2.
Regarding claim 20, claim 20 recites similar limitations to claim 2, therefore, rejected with the same rationale and motivation applied to claim 2.
Regarding claim 3 (Canceled).
Regarding claim 6, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1, wherein the authentication token for the user is not retrieved from cache of a user browser in a computer system associated with the processor (Schwartz [0028] “…In accordance with implementations, token issuer 110 of authorization server 108 may generate and issue a token for transmission to computing device 102”, where the token is retrieved by the computing device from the token issuer 110 at 108, it is obvious in light of Schwartz only disclosing explicitly disclosing that the token is retrieved from the authorization server 108 as opposed to a cache in the computing device).
Regarding claim 10, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1, further comprising:
Schwartz does not explicitly teach the below limitation.
Park discloses receiving, by the processor, the biometric identifier from a biometric authentication device, the biometric authentication device including one or more of a sensor, a scanning device, or an electronic reader, the biometric identifier being at least one physiological characteristic of the user, and wherein the at least one physiological characteristic is selected from one or more of fingerprints, palm veins, face recognition, DNA (deoxyribonucleic acid), palm print, hand geometry, iris recognition, retina, and/or odor/scent (Park [0067] “…the sensor module 216 may include a biometric sensor for producing data used to recognize the user's biometric information. For example, the biometric sensor may include a fingerprint sensor that detects a user's fingerprint and/or an image sensor (e.g., an infrared sensor) that detects feature points of the user's iris or face.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz to incorporate the teaching of Park to utilize the above feature, with the motivation of confirming User information to grant access to applications, as recognized by (Park Abstract [0144-0146] and throughout).
Regarding claim 11, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 10.
Schwartz does not teach the below limitation.
Park discloses wherein the biometric authentication device is a first mobile device, the first mobile device configured to be in communication with a second mobile device configured to host the processor (Park illustrates n Figure 1 a computing device 101, i.e. second mobile device hosting the processing server, receiving sensor biometric data from the sensor module, i.e. first mobile device, which is in communication with the second mobile device and can be a single component as disclosed in [0026] “…some of the components (e.g., the sensor module 176, the camera module 180, or the antenna module 197) may be implemented as a single component (e.g., the display module 160).”, [0033] “According to an embodiment, the display module 160 may include a touch sensor adapted to detect a touch, or a pressure sensor adapted to measure the intensity of force incurred by the touch.”, [0035, 0067, 0079]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz to incorporate the teaching of Park to utilize the above feature, with the motivation of confirming User information to grant access to applications, as recognized by (Park Abstract [0144-0146] and throughout).
Regarding claim 13, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1.
Schwartz does not disclose additional authentication factors.
Park discloses wherein the processor is part of a multi-function peripheral; and requesting, by the processor, one or more additional authentication factors from the user for multifactor authentication of the user for access to the multi-function peripheral and retrieval of the authentication token for the user from the external trusted source and access to the one or relying party applications (Park [0063] “According to certain embodiments, the processor 211 may bind (e.g., associate) the received digital ID to, for example, at least one piece of the user's biometric information input through the sensor module 216 or other secure information (e.g., a user password or a secure pattern), and store the same in the secure element 213.”, [0067] “According to certain embodiments, the sensor module 216 may include a biometric sensor for producing data used to recognize the user's biometric information. For example, the biometric sensor may include a fingerprint sensor that detects a user's fingerprint and/or an image sensor (e.g., an infrared sensor) that detects feature points of the user's iris or face.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz to incorporate the teaching of Park to utilize the above feature, with the motivation of confirming User information by using multi factor authentication to grant access to applications, as recognized by (Park Abstract [0144-0146] and throughout).
Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Schwartz et. al. (US 20200364354 A1), hereinafter Schwartz in view of PARK (US 20220201492 A1), hereinafter PARK, Yoon (US 12225008 B1), and Valdivia and Chauhan (US 20200104478 A1), hereinafter Chauhan and BARHUDARIAN (US 20210152547 A1), hereinafter BARHUDARIAN.
Regarding claim 5, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1.
Schwartz in view of Park and Yoon and Valdivia does not explicitly disclose the below limitation.
Chauhan teaches further comprising: receiving, by the processor, the updated authentication token for the user from the identity service provider (Chauhan [0014, 0151]); and forwarding, by the processor, the updated authentication token for the user to the external trusted source (Chauhan [0151]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park and Yoon and Valdivia to incorporate the teaching of Chauhan to utilize the above feature, with the motivation of providing token even when there is intermittent connectivity experienced, as recognized by (Chauhan [0151] Abstract and throughout).
Schwartz in view of Park and Yoon and Valdivia and Chauhan does not explicitly teach requesting, by the processor, the authentication token for the user from the identity service provider. However, Barhudarian et al teaches requesting, by the processor, an updated authentication token for the user from an identity service provider (Barhudarian [0007], lines 1-5, “new ID token is being requested”).
It would have been obvious to one of ordinary skill in the art, before the effective day of the invention, that one would be motivated to combine the teachings of Barhudarian et al within the concept illustrated by Schwartz in view of Park, Yoon and Valdivia and Chauhan for automatically and efficiently updating the token.
Regarding claim 18, claim 18 recites similar limitations to claim 5, therefore, rejected with the same rationale and motivation applied to claim 5.
Claims 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Schwartz et. al. (US 20200364354 A1), hereinafter Schwartz in view of PARK (US 20220201492 A1), hereinafter PARK, Yoon (US 12225008 B1) and Valdivia and McNeely (US 20170366529 A1), hereinafter McNeely.
Regarding claim 7, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1.
Schwartz in view of Park and Yoon and Valdivia does not teach the below limitation.
McNeely discloses wherein the external trusted source is a secure container (McNeely [0064] “authentication token is received from the USB VPN device (i.e. secure container)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park and Yoon and Valdivia to incorporate the teaching of McNeely to utilize the above feature, with the motivation of allowing for more security and manageability, as recognized by (McNeely Abstract [0037] and throughout).
Regarding claim 8, Schwartz in view of Park and Yoon and Valdivia and McNeely teaches the method according to claim 7.
Schwartz in view of Park and Yoon and Valdivia does not teach the below limitation.
McNeely discloses wherein the secure container is a universal serial bus (USB) device or a secure digital (SD) card (McNeely [0064] “authentication token is received from the USB VPN device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park, Yoon and Valdivia to incorporate the teaching of McNeely to utilize the above feature, with the motivation of allowing for more security and manageability, as recognized by (McNeely Abstract [0037] and throughout).
Regarding claim 9, Schwartz in view of Park and Yoon teaches the method according to claim 1.
Schwartz in view of Park and Yoon and Valdivia does not teach the below limitation.
McNeely discloses wherein the external trusted source is a secure external drive (McNeely [0064] “authentication token is received from the USB VPN device (i.e. secure external drive)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park and Yoon and Valdivia to incorporate the teaching of McNeely to utilize the above feature, with the motivation of allowing for more security and manageability, as recognized by (McNeely Abstract [0037] and throughout).
Claims 12 is rejected under 35 U.S.C. 103 as being unpatentable over Schwartz et. al. (US 20200364354 A1), hereinafter Schwartz in view of PARK (US 20220201492 A1), hereinafter PARK, Yoon (US 12225008 B1) and Valdivia and Lopez (US 20240380597 A1), hereinafter Lopez.
Regarding claim 12, Schwartz in view of Park and Yoon and Valdivia teaches the method according to claim 1.
Schwartz in view of Park and Yoon and Valdivia does not explicitly disclose the below limitation.
Lopez discloses further comprising: retrieving, by the processor, one or more of
a time setting from an application setting a time period to the external trusted source for the user and a login setting for a number of logins to the external trusted source for the user, the time setting or the login setting determining a validity of the authentication token in the external trusted source based on the time setting or the login setting for the user; and forwarding, by the processor, the authentication token for the user to the trusted source when the time setting or the login setting has not been exceeded by the user (Lopez discloses token with time duration, as disclosed in [0046], forwarded to token requestor computer 40 in Figure 2 as disclosed in [0090]. Further time to live and number of time is disclosed in [0039] and [0049, 0081, 0085]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Schwartz in view of Park and Yoon and Valdivia to incorporate the teaching of Lopez to utilize the above feature, with the motivation of ensuring transactions are only valid for a limited time, or number of times, therefore enhancing security.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Khalid (US 20150089621 A1) “[0021] For authentication responses 122 granting access, the access manager 118 may be further configured to generate a hash token 128 based on the received authentication request 120, such that upon successful authentication the access manager 118 may provide the hash token 128 back to the subscriber device 110 to use in subsequent login attempts. [0022] … As one example, a new salt value 130 may be applied to the hashing algorithm every N days (e.g., 30 days) or after a predetermined number of logins, thereby forcing a manual subscriber login and new hash token 128 generation at various intervals.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BASSAM A NOAMAN/Primary Examiner, Art Unit 2497