Prosecution Insights
Last updated: May 29, 2026
Application No. 18/057,413

AUTHENTICATOR WITH PASSIVELY-PROVISIONED AUTHENTICATION CREDENTIAL

Non-Final OA §102 §103
Filed: Nov 21, 2022
Priority: Jul 08, 2022 — provisional 63/359,313
Examiner: LOPEZ, MIGUEL ALEXANDER
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Microsoft Technology Licensing, LLC
OA Round: 5 (Non-Final)
Grant Probability: 0% (At Risk)
OA Rounds: 5-6
Est. Remaining: 0m
With Interview: 0%

Examiner Intelligence

Grants only 0% of cases
Career Allowance Rate: 0% (0 granted / 21 resolved; -58.0% vs TC avg)
Minimal +0% lift
Interview Lift: +0.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 0m (22 currently pending)
Career history
Total Applications: 59 (across all art units)

Statute-Specific Performance

§101: 0.6% (-39.4% vs TC avg)
§103: 72.8% (+32.8% vs TC avg)
§102: 19.4% (-20.6% vs TC avg)
§112: 3.9% (-36.1% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 21 resolved cases

Office Action

§102 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s arguments, see page 8, filed 07/28/2025, with respect to the objection to the drawings have been fully considered. The objection to the drawings has been withdrawn.

Applicant’s arguments, see pages 8-9, filed 07/28/2025, with respect to the rejection of claims 1-20 under 35 U.S.C. § 112(a) have been fully considered. The rejection of claims 1-20 under 35 U.S.C. § 112(a) has been withdrawn in response to the amended claims no longer reciting an authentication token generation step.

Applicant’s arguments, see pages 8-9, filed 07/28/2025, with respect to the rejection of claims 1-20 under 35 U.S.C. § 112(b) have been fully considered. The rejection of claims 1-20 under 35 U.S.C. § 112(b) has been withdrawn.

Applicant’s arguments, see pages 12-14, filed 07/28/2025, with respect to the rejection of claims 1-5, 9-13, 16-20 under 35 U.S.C. § 102(a)(1) and the rejection of claims 6-8, and 14-15 under 35 U.S.C. § 103 have been fully considered, but they are not persuasive. Applicant attests that the previously presented Kong reference “fails to disclose or suggest any communication between different iframes… Critically, Kong does not disclose or suggest the use of a pair of iframes embedded in different webpages to passively transfer an access credential between those webpages. Nor does Kong contemplate cross-frame communication as a mechanism for credential provisioning. The claimed invention’s reliance on such cross-frame communication between distinct browser contexts is a key differentiator and is not taught or suggested by Kong”. The Examiner respectfully disagrees.

First, the Kong reference clearly discloses an embodiment including at least two inline frames AUTHORIZATION PROVIDER 1 IFRAME “712” and AUTHORIZATION PROVIDER 2 IFRAME in Figure 7, see below:

[Figure: Kong Figure 7]

Secondly, Kong paragraphs [0061] and [0066] explicitly disclose cross-tab/cross-iframe communication on relaying authorization results.

Lastly, in response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., cross-frame communication) are not recited in rejected independent claims 1, 9, and 16. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Therefore, for the reasons set forth above the rejection of claims 1-5, 9-13, 16-20 under 35 U.S.C. § 102(a)(1) and the rejection of claims 6-8, and 14-15 under 35 U.S.C. § 103 will be maintained.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-5, 9-13, 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kong et al. (US Publication No. US 2015/0341347 A1) hereinafter Kong.

Regarding Claim 1: Kong discloses an authentication system with passive provisioning of an authentication token to authenticate a user, the authentication system comprising:
memory; a processing system (Kong Fig. 5, [0070], [0075]);
a widget executable by the processing system and stored in the memory that controls a user interface and that is embedded in a first inline frame (iframe) of a first webpage (Kong Fig. 6-7, [0058-0062] widgets enumerated); and
an authenticator stored in the memory that, when executed by the processing system, is configured to perform operations that include (Kong Fig. 6-7, [0041-0045] authorization provider, [0060-0065]):
storing an authentication token in association with a first session ID associated with a set of inputs received through the user interface (Kong Fig. 3 and 6-7, [0041-0048] authorization provider issues tokens; [0053-0057] session ID handling contemplated);
launching a second webpage, the second webpage including: a second iframe populated with the authentication token (Kong Fig. 6-7, [0053-0061] cross-tab communication), the second iframe identifying a second URL in a same domain as a first URL identified by the first iframe embedded within the first webpage (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect);
a communication instruction executable by the second webpage to transmit the authentication token from the second iframe embedded within the second webpage to the widget embedded within the first webpage (Kong Fig. 6-7, [0053-0066] cross-tab communication includes a particular schema or URL in the request or redirect);
receive a verification token and a verification session ID from the widget (Kong Fig. 6-7, [0058-0064] widgets using an authorization provider may relay session IDs, tokens, and authorization results); and
in response to verifying a first match between the verification token and the authentication token and a second match between the verification session ID and the first session ID, providing the widget with access to the confidential user account information (Kong Fig. 3 and 6-7, [0058-0065] widgets using an authorization provider may relay session IDs, tokens, and authorization results; same origin iframe contemplated).

Regarding Claim 2: Kong further discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]), wherein the communication instruction broadcasts the authentication token along a communication channel that the widget is subscribed to (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect).

Regarding Claim 3: Kong further discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]), wherein the authentication token is a secondary authentication credential stored responsive to verification of a first authentication credential (Kong [0038-0047]).

Regarding Claim 4: Kong further discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]), wherein the authenticator populates the second iframe embedded within the second webpage with the authentication token by using cross-frame communication (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect).

Regarding Claim 5: Kong further discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]), wherein the second webpage is of a first domain that is different than a second domain of the widget and a third domain of the first webpage (Kong claim 19 and 20 plurality of contexts may comprise sub-domains).

Regarding Claims 9 and 16: Claim 9. Kong discloses a method for passive provisioning of an authentication token to authenticate a user, the method comprising (Kong [0055], [0075]):
receiving, at an authenticator, an account access request from a widget embedded in a first inline frame (iframe) of a first webpage (Kong Fig. 3, [0034], [0048-0049]), the account access request being associated with a user (Kong Fig. 3, [0048-0051]);
determining, at the authenticator, a first session ID associated with verification confirmation of a first access credential (Kong Fig. 3 and 6-7, [0041-0048] authorization provider issues tokens; [0053-0057] session ID handling contemplated);
storing, by the authenticator, an authentication token in association with the first session ID (Kong Fig. 3 and 6-7, [0041-0048] authorization provider issues tokens; [0053-0057] session ID handling contemplated);
launching, by the authenticator, a second webpage including: a second iframe populated with the authentication token (Kong Fig. 6-7, [0053-0061] cross-tab communication), the second iframe identifying a URL in a same domain as a URL identified by the first iframe embedded within the first webpage (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect); and
a communication instruction executable by the second webpage to transmit the authentication token from the second iframe embedded within the second webpage to the widget embedded within the first iframe of the first webpage (Kong Fig. 6-7, [0053-0066] cross-tab communication includes a particular schema or URL in the request or redirect);
receiving, at the authenticator, a verification token and a verification session ID from the widget based at least in part on execution of the communication instruction (Kong Fig. 6-7, [0058-0064] widgets using an authorization provider may relay session IDs, tokens, and authorization results); and
in response to verifying a match between the verification token and the authentication token and a match between the verification session ID and the first session ID, granting the widget access to confidential account information of the user (Kong Fig. 3 and 6-7, [0058-0065] widgets using an authorization provider may relay session IDs, tokens, and authorization results; same origin iframe contemplated).
Claim 16 recites substantially the same content and is therefore rejected under the same rationales. Kong discloses one or more tangible computer-readable storage media encoding computer-executable instructions for executing a computer process for user authentication (Kong Fig. 5, [0070], [0075]).

Regarding Claims 10 and 17: Claim 10. Kong discloses the method of claim 9 (Kong [0055], [0075]), wherein execution of the communication instruction broadcasts the authentication token along a communication channel that the widget is subscribed to (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect). Claim 17 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claims 11 and 20: Claim 11. Kong discloses the method of claim 9 (Kong [0055], [0075]), wherein the second iframe is populated with the authentication token by using cross-frame communication (Kong Fig. 6-7, [0053-0065] cross-tab communication includes a particular schema or URL in the request or redirect). Claim 20 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claim 12: Kong discloses the method of claim 9 (Kong [0055], [0075]), wherein the second webpage is of a first domain that is different than a second domain of the first iframe and the second iframe (Kong claim 19 and 20 plurality of contexts may comprise sub-domains).

Regarding Claim 13: Kong discloses the method of claim 12 (Kong [0055], [0075]), wherein the first webpage is of a third domain different than the first domain and the second domain (Kong claim 19 and 20 plurality of contexts may comprise sub-domains).

Regarding Claim 18: Kong discloses the one or more tangible computer-readable storage media of claim 16 (Kong Fig. 5, [0070], [0075]), wherein the authentication token is a secondary authentication credential stored by the authenticator responsive to confirmation of successful verification of a first authentication credential associated with the user (Kong Fig. 3, [0034], [0048-0051]).

Regarding Claim 19: Kong discloses the one or more tangible computer-readable storage media of claim 16 (Kong Fig. 5, [0070], [0075]), wherein the second webpage is of a first domain that is different than a second domain shared by the first iframe and the second iframe and different from a third domain of the first webpage (Kong claim 19 and 20 plurality of contexts may comprise sub-domains).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 6-7 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Kong in view of Nishant et. al. (US Publication No. US 2019/0012390 A1) hereinafter Nishant.

Regarding Claim 6: Kong discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]). Kong does not explicitly disclose wherein the widget is a chat widget and the authenticator is included in a chat bot that communicates with the chat widget to provide content to the user interface.
Nishant teaches wherein the widget is a chat widget and the authenticator is included in a chat bot that communicates with the chat widget to provide content to the user interface (Nishant Fig. 7A-7C and 13A, [0135-0140] taught chat bot interacts with the user and posts chat box options in a chat bot window to the user interface). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the authentication system and widget handling disclosed by Kong with the chat widget and chat bot taught by Nishant. The motivation for this combination would be to provide automated services and answers simple user queries recognized as important by Nishant (Nishant [0037]).

Regarding Claim 7: The combination of Kong and Nishant further teaches the authentication system of claim 6 (Kong Fig. 5, [0070], [0075]), wherein the first session ID uniquely identifies a chat session supported by the chat widget (Kong Fig. 3 and 6-7, [0058-0065] widgets using an authorization provider may relay session IDs, tokens, and authorization results; same origin iframe contemplated).

Regarding Claim 14: Kong discloses the method of claim 9 (Kong [0055], [0075]). Kong does not disclose wherein the widget is a chat widget and the authenticator is part of a chat bot that communicates with the chat widget to push content to a user interface defined by the first iframe. Nishant teaches wherein the widget is a chat widget and the authenticator is part of a chat bot that communicates with the chat widget to push content to a user interface defined by the first iframe (Nishant Fig. 7A-7C and 13A, [0135-00140] taught chat bot interacts with the user and posts chat box options in a chat bot window to the user interface).
It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the authentication method and widget handling disclosed by Kong with the chat widget and chat bot taught by Nishant. The motivation for this combination would be to provide automated services and answers simple user queries recognized as important by Nishant (Nishant [0037]).

Regarding Claim 15: The combination of Kong and Nishant further teaches the method of claim 14 (Kong [0055], [0075]), wherein the first session ID uniquely identifies a chat session supported by the chat widget (Kong Fig. 3 and 6-7, [0058-0065] widgets using an authorization provider may relay session IDs, tokens, and authorization results; same origin iframe contemplated).

Claim(s) 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kong in view of Mehta et. al. (US Publication No. US 2017/0357957 A1) hereinafter Mehta.

Regarding Claim 8: Kong discloses the authentication system of claim 1 (Kong Fig. 5, [0070], [0075]). Kong does not disclose wherein the second webpage is automatically closed following execution of the communication instruction. Mehta teaches wherein the second webpage is automatically closed following execution of the communication instruction (Mehta Fig. 1(a) and 3(b), [0039-0042] second webpage closed automatically). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the authentication system disclosed by Kong with the automatic webpage closing taught by Mehta. The motivation for this combination would be to declutter the user’s screen once authentication is confirmed or denied.

Conclusion

The prior art made of record in the submitted PTO-892 Notice of References Cited and not relied upon is considered pertinent to applicant’s disclosure.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.
Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIGUEL A LOPEZ whose telephone number is (703)756-1241. The examiner can normally be reached 8:00AM-5:00PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.
Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.A.L./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496

Prosecution Timeline

Jul 21, 2025: Applicant Interview (Telephonic)
Jul 22, 2025: Examiner Interview Summary
Jul 28, 2025: Response Filed
Oct 23, 2025: Final Rejection mailed — §102, §103
Dec 03, 2025: Interview Requested
Dec 19, 2025: Request for Continued Examination
Jan 08, 2026: Response after Non-Final Action
May 27, 2026: Non-Final Rejection mailed — §102, §103 (current)

Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 0%
With Interview: 0% (+0.0%)
Median Time to Grant: 3y 0m (~0m remaining)
PTA Risk: High
Based on 21 resolved cases by this examiner. Grant probability derived from career allowance rate.
