DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Specification
No issues have been found with the substitute specification filed 06 October 2025.
Response to Arguments
Applicant’s arguments with respect to claims 1 and 29 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In particular, the Ofir et al. (US 2017/0262064 A1) reference used in the previous Office action has been replaced with Reicher et al. (US 2017/0038917 A1). See the 35 U.S.C. 103 section below for detailed analysis.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.
Such claim limitation is: “a computing device configured to initiate…” in claim 29.
Because this claim limitation is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this limitation interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation recites sufficient structure to perform the claimed function so as to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
“a computing device configured to initiate…”:
The specification at page 23, lines 9-17 and referring to figure 6 states--“In step 701, a user initiates a session of, for example, a web application hosted on application server 13, using the web browser software stored in the memory devices of the user computing device 11 and executed on the CPU 382. In the described embodiment, the CPU 382 of the user computing device 11 receives instructions for a login page for display in the web browser from the application server 13 via their respective network connectivity devices 392 and the user inputs login credentials for the web application into the login page, for example a username and password which function as identifiers for the session” and at page 38, lines 21-23--"the login session initiated by the user may not be initiated in a web-browser but in another application hosted by the application server 13.”
In this case, the initiating step of the computing device will be interpreted to be the user utilizing web browser software/another application stored in memory on the computing device and executed by the CPU to input login credentials.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
2. Claims 1-3, 5-15, 17, 18, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Franke et al. (US 2017/0257363 A1) in view of Reicher et al. (US 2017/0038917 A1).
Regarding claim 1, Franke teaches a method of authenticating a session user in a session initiated on a computing device, e.g., computer 102 (Fig. 1, el. 102), comprising:
(i) identifying, by an authentication server, e.g., Authentication Appliance 140 (Fig. 1, el. 140), wherein the authentication appliance 140 may be a server (Para. 53), an authentication device, e.g., mobile device 112 (Fig. 1, el. 112), associated with an identifier for the session…, e.g., at Block 216, the Authentication Appliance 140 may look up the Mobile Device 112 associated with the user identity—identifier for the session-- (Fig. 1, el. 140; Fig. 2, el. 216; Para. 86); at Block 206, the user may provide credentials associated with a user identity to Authentication Appliance 140, wherein the credentials may include a username or user ID and a password (Fig. 2, el. 206; Para. 73);
(ii) identifying, by the authentication server, a selection of an authentication verifier from a set of possible authentication verifiers for the session, the selected authentication verifier being communicated by the authentication server to the computing device within the session to the session user, e.g., at Block 204, the user may select in the logon user interface to utilize either a “shared secret” or a “push-to-accept” second factor option for an authentication scheme (Fig. 2, el. 204; Para. 72); at Block 212, Authentication Appliance 140 has successfully verified the user identity and generates a shared secret (Fig. 2, el. 212; Para. 77); at Block 214, the Authentication Appliance 140 may provide Computer 102 with the shared secret for display on Computer 102, so that the user may view and become familiar with the shared secret (Fig. 2, el. 214; Para. 85); where the shared secret is an image designed to be selected in a bank of images, then Authentication Appliance 140 may not only need to generate the shared secret but also supply the other “decoy” images to fill up the bank of images (Para. 112);
(iii) providing, by the authentication device, at least two of the set of possible authentication verifiers for selection at the authentication device for the session, the at least two of the set of possible authentication verifiers including the selected authentication verifier, e.g., at Block 218, Authentication Appliance 140 may send an authentication request to the Mobile Device 112 that is associated with the user identity (Fig. 2, el. 218; Para. 88); in response to opening the authentication request, Application 116 may present an authentication user interface on the mobile device for obtaining the additional authentication factor, wherein if the shared secret is an image then the authentication user interface displays a bank of selectable images, with one of those images corresponding to the shared secret, wherein if the shared secret is a pattern then the authentication user interface has an interactive area for drawing the pattern, such as a pattern box or pattern lock (Fig. 1, el. 116; Para. 90);
(iv) receiving, by the authentication server, an authentication device selection from the authentication device by a user's selection from the at least two of the set of possible authentication verifiers, the authentication device selection including data…that represents the user's interaction with the authentication device, e.g., at Block 220, the user may enter the shared secret into the authentication user interface presented on their Mobile Device 112 (Fig. 2, el. 220; Para. 92), and the Application 116 may be configured to send an authentication response to Authentication Appliance 140 once the user enters the shared secret (Para. 93); the user enters, selects, draws, or reproduces what they believe the shared secret is into the prompt, and Application 116 may then return an authentication response back to Authentication Appliance 140 at (8) (Fig. 3, el. 8; Para. 118); and
(v) determining, by the authentication server, if the authentication device selection matches the selected authentication verifier as communicated within the session to the computing device, e.g., at Block 222, Mobile Device 112 and/or Authentication Appliance 140 will compare the user-entered shared secret with the reference shared secret that was generated by Authentication Appliance 140 in Block 212, wherein this comparison can be done by the Authentication Appliance 140 (Fig. 2, el. 222; Para. 94).
Franke does not clearly teach the authentication device comprising at least one inertial measuring unit; and
the authentication device selection including data from the at least one inertial measuring unit that represents the user's interaction with the authentication device.
Reicher teaches the…device, e.g., handheld device 260 (Fig. 2C, el. 260), wherein the device 260 is a handheld device such as a cell phone (e.g., iPhone), PDA, tablet PC, portable music or media player, gaming device or other handheld device with a display screen (Para. 79), comprising at least one inertial measuring unit, e.g., device 260 includes technology that allows it to sense its position and/or motion, such as one or more accelerometers (Para. 80), and
the…device selection including data from the at least one inertial measuring unit that represents the user's interaction with the…device, e.g., detection of “pouring” motions (e.g., motion 252 shows the device being tilted as if the user is pouring into icon 274) can be facilitated by tilt sensor(s) and/or accelerometer(s), and sufficient number of such detection components can be provided so as to allow motion-based temporary selection and/or permanent selection of icons having both x and y components (Fig. 2C, el. 252, 274; Para. 85); in view 250 of FIG. 2C, graphical menu 270 is displayed on screen 262 and includes icons 271-274, wherein the user initiated some action to cause the graphical menu to be displayed (Fig. 2C, el. 250, 262, 271-274; Para. 81); in view 252 of FIG. 2C, x, y, and z axes are illustrated to indicate repositioning of the device by the user, wherein device 260 detects movement of the device 260 along motion path 285 and temporarily selects the icon within the graphical menu that is positioned in the detected direction from the point of view of the center of the graphical menu (Fig. 2C, el. 252, 285; Para. 82).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Franke to include (i) identifying, by an authentication server, an authentication device associated with an identifier for the session, the authentication device comprising at least one inertial measuring unit; and (iv) receiving, by the authentication server, an authentication device selection from the authentication device of a user's selection from the at least two of the set of possible authentication verifiers, the authentication device selection including data from the at least one inertial measuring unit that represents the user's interaction with the authentication device, using the known method of enabling icons to be selected using motions detected by tilt sensors and/or accelerometers, as taught by Reicher, in combination with the user authentication system of Franke, for the purpose of providing improved ways of interacting with mobile devices that: improves speed and efficiency; reduces repetitive motion injury; is more intuitive; and/or operates well on small display screens (Reicher-Para. 38). Another benefit of the combination would be providing another option for the system to authenticate the user that would benefit users that would rather not directly interact with the touchscreen. Another benefit of the combination would be that there would be a lower probability that a malicious user would perform the predefined gesture, thereby decreasing the likelihood of identity theft.
Regarding claim 2, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on computing device according to claim 1, wherein identifying, by the authentication server, the selection of the authentication verifier from the set of possible authentication verifiers for the session includes selecting the authentication verifier from the set of possible authentication verifiers for the session, e.g., at Block 204, the user may select in the logon user interface to utilize either a “shared secret” or a “push-to-accept” second factor option for an authentication scheme (Franke-Para. 72); where the shared secret is an image designed to be selected in a bank of images, then Authentication Appliance 140 may not only need to generate the shared secret but also supply the other “decoy” images to fill up the bank of images (Franke-Para. 112).
Regarding claim 3, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on computing device according to claim 2, wherein selecting the authentication verifier from the set of possible authentication verifiers for the session includes randomly selecting the authentication verifier from the set of possible authentication verifiers for the session, e.g., the Authentication Appliance 140 may then generate the pattern at random to be within the specified parameters (Franke-Para. 111); within the specified parameters, Authentication Appliance 140 may generate the shared secret and decoy images at random (Franke-Para. 112).
Regarding claim 5, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein providing, by the authentication server, at least two of the set of possible authentication verifiers for selection at the authentication device for the session comprises providing from 8 to 100 of the set of possible authentication verifiers for the session for selection at the authentication device, e.g., at Block 218, Authentication Appliance 140 may send an authentication request to the Mobile Device 112 that is associated with the user identity (Franke-Fig. 2, el. 218; Para. 88); the application on their mobile device may have a user interface displaying a number of selectable images for the user to choose from, wherein the application may display nine letters and the user may need to select the letter that matches the shared secret in order to complete the authentication sequence (Franke-Para. 79); Interactive Portion 1104 illustrates a bank of nine images of symbols, and the user may select one of the images as the shared secret image that was displayed on Computer 102 (Franke-Fig. 11, el. 1104; Para. 156).
Regarding claim 6, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein providing, by the authentication server, at least two of the set of possible authentication verifiers for selection at the authentication device for the session comprises providing a graphical user interface operable to receive the authentication device selection, e.g., the application on their mobile device may have a user interface displaying a number of selectable images for the user to choose from, wherein the application may display nine letters and the user may need to select the letter that matches the shared secret in order to complete the authentication sequence (Franke-Para. 79); Interactive Portion 1104 illustrates a bank of nine images of symbols, and the user may select one of the images as the shared secret image that was displayed on Computer 102 (Franke-Fig. 11, el. 1104; Para. 156).
Regarding claim 7, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 6, wherein the graphical user interface is provided in the form of an interactive push overlay notification to the authentication device, e.g., at Block 218, Authentication Appliance 140 may send an authentication request to the Mobile Device 112 that is associated with the user identity, wherein the authentication request may include a push notification sent from Authentication Appliance 140 to Mobile Device 112, and the push notification may, upon opening, direct an Application 116 on Mobile Device 112 to open (Franke-Para. 88).
Regarding claim 8, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein each of the set of possible authentication verifiers comprises a different respective drag direction for at least one object, and wherein the selected authentication verifier being communicated to the computing device includes the at least one object being dragged in a specific direction and wherein, providing, by the authentication server, at least two of the set of possible authentication verifiers for selection at the authentication device for the session includes providing the at least one object for display at the authentication device with a plurality of possible drag directions for selection by the user, e.g., the shared secret may be a pattern and the user may be expected to reproduce the pattern on their mobile device (Franke-Para. 78); if the shared secret is a pattern designed to be drawn in a pattern box or pattern lock displayed on a touchscreen display, then the shared secret may be constrained by the dimensions of the pattern box, the number of strokes in the pattern, the requirement that the strokes be connected in a way that they can be drawn without the user lifting their finger off the touchscreen, and so forth (Franke-Para. 111); shown on the display of Computer 102 is a Sharing User Interface 500, in which the shared secret generated by Authentication Appliance 140 is provided to the user to view, wherein the shared secret is Pattern 502, wherein Pattern 502 is a connective pattern in a 3×3 pattern box that has a “Z” shape and starts from the top-left portion of the pattern box (Franke-Fig. 5, el. 502; Para. 127); the only difference is that the user has drawn Pattern 702 in the Interactive Portion 604, wherein Pattern 702 is a “Z” shape pattern starting from the top-left of the pattern box (Franke-Fig. 7, el. 702; Para. 134).
Regarding claim 9, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 8, wherein step (v) includes determining if the drag direction of the at least one object selected by the user at the authentication device matches the specific drag direction of the at least one object communicated to the computing device, e.g., at Block 222, Mobile Device 112 and/or Authentication Appliance 140 will compare the user-entered shared secret with the reference shared secret that was generated by Authentication Appliance 140 in Block 212, wherein this comparison can be done by the Authentication Appliance 140 (Franke-Fig. 2, el. 222; Para. 94); the shared secret may be a pattern and the user may be expected to reproduce the pattern on their mobile device (Franke-Para. 78); if the shared secret is a pattern designed to be drawn in a pattern box or pattern lock displayed on a touchscreen display, then the shared secret may be constrained by the dimensions of the pattern box, the number of strokes in the pattern, the requirement that the strokes be connected in a way that they can be drawn without the user lifting their finger off the touchscreen, and so forth (Franke-Para. 111); the shared secret is Pattern 502, wherein Pattern 502 is a connective pattern in a 3×3 pattern box that has a “Z” shape and starts from the top-left portion of the pattern box (Franke-Fig. 5, el. 502; Para. 127); the only difference is that the user has drawn Pattern 702 in the Interactive Portion 604, wherein Pattern 702 is a “Z” shape pattern starting from the top-left of the pattern box (Franke-Fig. 7, el. 702; Para. 134).
Regarding claim 10, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein each of the set of possible authentication verifiers comprises a different respective number and wherein the selected authentication verifier being communicated to the computing device includes specifying at least one specific number to select from the respective numbers, and wherein providing, by the authentication server, at least two of the set of possible authentication verifiers for selection at the authentication device includes providing an interface displaying the respective numbers for selection by the user, e.g., the shared secret may be an image, picture, or symbol and the user may be expected to select that specific image out of a bank of images presented on their mobile device, wherein the image may be an image of a letter or number (Franke-Para. 79); as shown in FIG. 11, the total pool of images could just be symbols “O”, “P”, “Q”, “X”, “Y”, “Z”, “7”, “8”, “9” and the shared secret would have to be one of those symbols (Franke-Fig. 11; Para. 162).
Regarding claim 11, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 10, wherein step (v) includes determining if the respective number or numbers selected by the user at the authentication device matches the at least one specific number communicated to the computing device, e.g., at Block 222, Mobile Device 112 and/or Authentication Appliance 140 will compare the user-entered shared secret with the reference shared secret that was generated by Authentication Appliance 140 in Block 212, wherein this comparison can be done by the Authentication Appliance 140 (Franke-Fig. 2, el. 222; Para. 94); the shared secret may be an image, picture, or symbol and the user may be expected to select that specific image out of a bank of images presented on their mobile device, wherein the image may be an image of letter or number (Franke-Para. 79); Interactive Portion 1104 illustrates a bank of nine images of symbols, and the user may select one of the images as the shared secret image that was displayed on Computer 102 (Franke-Fig. 11, el. 1104; Para. 156); as shown in FIG. 11, the total pool of images could just be symbols “O”, “P”, “Q”, “X”, “Y”, “Z”, “7”, “8”, “9” and the shared secret would have to be one of those symbols (Franke-Fig. 11; Para. 162).
Regarding claim 12, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein each of the set of possible authentication verifiers comprises a different respective button of a plurality of buttons and wherein the selected authentication verifier being communicated to the computing device includes specifying at least one button to select from the plurality of buttons, and wherein providing, by the authentication device, at least two of the set of possible authentication verifiers for selection at the authentication device includes providing at least two of the plurality of buttons for display at the authentication device for selection by the user, e.g., Interactive Portion 1104 illustrates a bank of nine images of symbols, and the user may select one of the images as the shared secret image that was displayed on Computer 102 (Franke-Fig. 11, el. 1104; Para. 156).
Regarding claim 13, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein each of the set of possible authentication verifiers comprises a different respective pattern and wherein the selected authentication verified being communicated to the computing device includes specifying at least one specific pattern from the respective buttons, and wherein providing, by the authentication device, at least two of the set of possible authentication verifiers for selection at the authentication device comprises providing an interface operable to receive a user drawing of a selected pattern at the authentication device, e.g., the shared secret may be a pattern and the user may be expected to reproduce the pattern on their mobile device (Franke-Para. 78); if the shared secret is a pattern designed to be drawn in a pattern box or pattern lock displayed on a touchscreen display, then the shared secret may be constrained by the dimensions of the pattern box, the number of strokes in the pattern, the requirement that the strokes be connected in a way that they can be drawn without the user lifting their finger off the touchscreen, and so forth (Franke-Para. 111); the shared secret is Pattern 502, wherein Pattern 502 is a connective pattern in a 3×3 pattern box that has a “Z” shape and starts from the top-left portion of the pattern box (Franke-Fig. 5, el. 502; Para. 127); the only difference is that the user has drawn Pattern 702 in the Interactive Portion 604, wherein Pattern 702 is a “Z” shape pattern starting from the top-left of the pattern box (Franke-Fig. 7, el. 702; Para. 134).
Regarding claim 14, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein the each of the set of possible authentication verifiers comprises a different respective location on the authentication device to be tapped, e.g., Interactive Portion 1104 illustrates a bank of nine images of symbols, and the user may select one of the images as the shared secret image that was displayed on Computer 102 (Franke-Fig. 11, el. 1104; Para. 156), wherein the chance of a user randomly guessing correctly can be reduced by increasing the number of images that the user must select from, and the chance can be reduced even further by requiring the user select multiple images, numbers, or letters, and even further yet by requiring the multiple images be selected in a specific sequence (e.g., forming a word) (Franke-Para. 83).
Regarding claim 15, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, further comprising selecting the set of possible authentication verifiers from a superset comprising a plurality of sets of possible authentication verifiers, e.g., the overall pool of images could be symbols, or the letters of the alphabet and the numbers 0-9 such that there are thirty-six different images in the pool (Franke-Para. 112).
Regarding claim 17, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1.
Franke does not clearly teach wherein the authentication device comprises a plurality of inertial measuring units and wherein receiving an authentication device selection from the authentication device includes receiving data from each of the plurality of inertial measuring units.
Reicher further teaches wherein the…device comprises a plurality of inertial measuring units and wherein receiving an…device selection from the…device includes receiving data from each of the plurality of inertial measuring units, e.g., detection of “pouring” motions (e.g., motion 252 shows the device being tilted as if the user is pouring into icon 274) can be facilitated by tilt sensor(s) and/or accelerometer(s), and sufficient number of such detection components can be provided so as to allow motion-based temporary selection and/or permanent selection of icons having both x and y components (Fig. 2C, el. 252, 274; Para. 85); in view 250 of FIG. 2C, graphical menu 270 is displayed on screen 262 and includes icons 271-274, wherein the user initiated some action to cause the graphical menu to be displayed (Fig. 2C, el. 250, 262, 271-274; Para. 81); in view 252 of FIG. 2C, x, y, and z axes are illustrated to indicate repositioning of the device by the user, wherein device 260 detects movement of the device 260 along motion path 285 and temporarily selects the icon within the graphical menu that is positioned in the detected direction from the point of view of the center of the graphical menu (Fig. 2C, el. 252, 285; Para. 82).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Franke to include wherein the authentication device comprises a plurality of inertial measuring units and wherein receiving an authentication device selection from the authentication device includes receiving data from each of the plurality of inertial measuring units, using the known method of enabling icons to be selected using motions detected by tilt sensors and/or accelerometers, as taught by Reicher, in combination with the user authentication system of Franke, using the same motivation as in claim 1.
Regarding claim 18, Franke in view of Reicher teaches the method of authenticating a session user in a session initiated on a computing device according to claim 1, wherein the authentication device comprises a token device, e.g., Mobile Device 112 may be a personal computer or workstation, or it may be a mobile phone or other portable electronic device, such as a tablet or notebook computer (Franke-Para. 59).
Regarding claim 29, Franke teaches a system for authenticating a session user in a session, the session comprising an identifier, e.g., at Block 216, the Authentication Appliance 140 may look up the Mobile Device 112 associated with the user identity—identifier for the session-- (Fig. 1, el. 140; Fig. 2, el. 216; Para. 86); at Block 206, the user may provide credentials associated with a user identity to Authentication Appliance 140, wherein the credentials may include a username or user ID and a password (Fig. 2, el. 206; Para. 73), the system comprising:
a computing device, e.g., computer 102 (Fig. 1, el. 102), configured to initiate the session, e.g., at Block 216, the Authentication Appliance 140 may look up the Mobile Device 112 associated with the user identity (Fig. 1, el. 140; Fig. 2, el. 216; Para. 86); a logon user interface is provided on Computer 102 that allows the user to provide Authentication Appliance 140 with credentials associated with their user identity (Para. 70); if Authentication Appliance 140 is web-based, then the logon user interface may be generated in a separate browser on Computer 102 that collects the user-submitted credentials and selected authentication method to submit to Authentication Appliance 140 (Para. 71); at Block 206, the user may provide credentials associated with a user identity to Authentication Appliance 140, wherein the credentials may include a username or user ID and a password (Fig. 2, el. 206; Para. 73); the techniques herein are performed by computer system 1400 in response to hardware processor(s) 1404 executing one or more sequences of one or more instructions contained in main memory 1406, wherein execution of the sequences of instructions contained in main memory 1406 causes processor(s) 1404 to perform the process steps described herein (Fig. 14, el. 1400, 1404, 1406; Para. 184);
an authentication device, e.g., mobile device 112 (Fig. 1, el. 112), associated with the identifier…, e.g., at Block 216, the Authentication Appliance 140 may look up the Mobile Device 112 associated with the user identity—identifier for the session-- (Fig. 1, el. 140; Fig. 2, el. 216; Para. 86); at Block 206, the user may provide credentials associated with a user identity to Authentication Appliance 140, wherein the credentials may include a username or user ID and a password (Fig. 2, el. 206; Para. 73); and
an authentication server, e.g., Authentication Appliance 140 (Fig. 1, el. 140), wherein the authentication appliance 140 may be a server (Para. 53), communicatively coupled to the computing device and the authentication device (Fig. 1), and
configured to: identify the authentication device from the identifier for the session, e.g., at Block 216, the Authentication Appliance 140 may look up the Mobile Device 112 associated with the user identity—identifier for the session-- (Fig. 1, el. 140; Fig. 2, el. 216; Para. 86); at Block 206, the user may provide credentials associated with a user identity to Authentication Appliance 140, wherein the credentials may include a username or user ID and a password (Fig. 2, el. 206; Para. 73),
identify a selection of an authentication verifier from a set of possible authentication verifiers for the session, e.g., at Block 204, the user may select in the logon user interface to utilize either a “shared secret” or a “push-to-accept” second factor option for an authentication scheme (Fig. 2, el. 204; Para. 72); at Block 212, Authentication Appliance 140 has successfully verified the user identity and generates a shared secret (Fig. 2, el. 212; Para. 77); at Block 214, the Authentication Appliance 140 may provide Computer 102 with the shared secret for display on Computer 102, so that the user may view and become familiar with the shared secret (Fig. 2, el. 214; Para. 85); where the shared secret is an image designed to be selected in a bank of images, then Authentication Appliance 140 may not only need to generate the shared secret but also supply the other “decoy” images to fill up the bank of images (Para. 112);
communicate the selected authentication verifier within the session to the computing device of the session user, e.g., at Block 214, the Authentication Appliance 140 may provide Computer 102 with the shared secret for display on Computer 102, so that the user may view and become familiar with the shared secret (Fig. 2, el. 214; Para. 85); where the shared secret is an image designed to be selected in a bank of images, then Authentication Appliance 140 may not only need to generate the shared secret but also supply the other “decoy” images to fill up the bank of images (Para. 112);
communicate at least two of the set of possible authentication verifiers including the selected authentication verifier to the authentication device for selection at the authentication device, e.g., at Block 218, Authentication Appliance 140 may send an authentication request to the Mobile Device 112 that is associated with the user identity (Fig. 2, el. 218; Para. 88); in response to opening the authentication request, Application 116 may present an authentication user interface on the mobile device for obtaining the additional authentication factor, wherein if the shared secret is an image then the authentication user interface displays a bank of selectable images, with one of those images corresponding to the shared secret, wherein if the shared secret is a pattern then the authentication user interface has an interactive area for drawing the pattern, such as a pattern box or pattern lock (Fig. 1, el. 116; Para. 90);
wherein the authentication device is arranged to receive a user's selection of an authentication device selection from the at least two of the set of possible authentication verifiers, and to communicate the authentication device selection to the authentication server, the authentication device selection including data…that represents the user’s interaction with the authentication device, e.g., at Block 220, the user may enter the shared secret into the authentication user interface presented on their Mobile Device 112 (Fig. 2, el. 220; Para. 92), and the Application 116 may be configured to send an authentication response to Authentication Appliance 140 once the user enters the shared secret (Para. 93); the user enters, selects, draws, or reproduces what they believe the shared secret is into the prompt, and Application 116 may then return an authentication response back to Authentication Appliance 140 at (8) (Fig. 3, el. 8; Para. 118); Mobile Device 112 is a smart phone with a touch screen that makes it simple and convenient for a user to quickly provide input (e.g., the selection of user interface elements shown on the screen) (Para. 59); Mobile Device 112 may be connected to the global internet via wireless networking (Para. 60), and
wherein, the authentication server is further configured to determine if the authentication device selection matches the selected authentication verifier as communicated within the session to the computing device, e.g., at Block 222, Mobile Device 112 and/or Authentication Appliance 140 will compare the user-entered shared secret with the reference shared secret that was generated by Authentication Appliance 140 in Block 212, wherein this comparison can be done by the Authentication Appliance 140 (Fig. 2, el. 222; Para. 94).
Franke does not clearly teach the authentication device comprising at least one inertial measuring unit; and
the authentication device selection including data from the at least one inertial measuring unit that represents the user's interaction with the authentication device.
Reicher teaches the…device, e.g., handheld device 260 (Fig. 2C, el. 260), wherein the device 260 is a handheld device such as a cell phone (e.g., iPhone), PDA, tablet PC, portable music or media player, gaming device or other handheld device with a display screen (Para. 79), comprising at least one inertial measuring unit, e.g., device 260 includes technology that allows it to sense its position and/or motion, such as one or more accelerometers (Para. 80), and
the…device selection including data from the at least one inertial measuring unit that represents the user's interaction with the…device, e.g., detection of “pouring” motions (e.g., motion 252 shows the device being tilted as if the user is pouring into icon 274) can be facilitated by tilt sensor(s) and/or accelerometer(s), and sufficient number of such detection components can be provided so as to allow motion-based temporary selection and/or permanent selection of icons having both x and y components (Fig. 2C, el. 252, 274; Para. 85); in view 250 of FIG. 2C, graphical menu 270 is displayed on screen 262 and includes icons 271-274, wherein the user initiated some action to cause the graphical menu to be displayed (Fig. 2C, el. 250, 262, 271-274; Para. 81); in view 252 of FIG. 2C, x, y, and z axes are illustrated to indicate repositioning of the device by the user, wherein device 260 detects movement of the device 260 along motion path 285 and temporarily selects the icon within the graphical menu that is positioned in the detected direction from the point of view of the center of the graphical menu (Fig. 2C, el. 252, 285; Para. 82).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Franke to include the authentication device comprising at least one inertial measuring unit; and the authentication device selection including data from the at least one inertial measuring unit that represents the user's interaction with the authentication device, using the known method of enabling icons to be selected using motions detected by tilt sensors and/or accelerometers, as taught by Reicher, in combination with the user authentication system of Franke, for the purpose of providing improved ways of interacting with mobile devices that: improves speed and efficiency; reduces repetitive motion injury; is more intuitive; and/or operates well on small display screens (Reicher-Para. 38). Another benefit of the combination would be providing another option for the system to authenticate the user that would benefit users that would rather not directly interact with the touchscreen. Another benefit of the combination would be that there would be a lower probability that a malicious user would perform the predefined gesture, thereby decreasing the likelihood of identity theft.
Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pande et al. (US 2019/0364027 A1)—Pande discloses the accelerometer 210 may also track hand gestures as well—identifying whether a user uses shake and motion gestures to select various options while using the mobile device 102 (Para. 30).
Ofir et al. (US 2017/0262064 A1)—Ofir discloses the user device and/or the wearable device may be configured to provide input data 114 to the gesture analysis engine, wherein the input data may comprise sensor data 114a, wherein the sensor data may comprise raw data collected by the accelerometer and the gyroscope on the wearable device (Fig. 2, el. 114, 114a; Para. 96, 97). The gesture analysis engine may be further configured to analyze the sensor data to determine a probability of the user performing a predefined gesture (Para. 102).
Cao et al. (US 2011/0145899 A1)—Cao discloses a method for authenticating a user includes receiving a user identification, confirming the user identification, sending a request to the user to perform a single action on a communication device, creating a session to receive the single action from the communication device, receiving an identifier from the communication device, using the identifier to verify that the user has the communication device, and authenticating the user based on the confirmed user information and the verification that the user has the communication device (Abstract).
Johansson et al. (US 9,264,419 B1)—Johansson discloses representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information obtained from one or more sensors of a device. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers. The interface, executed by a first device, may be configured to authenticate a second device (Abstract).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
03 November 2025
/Jeremy S Duffield/
Primary Examiner, Art Unit 2498