Systems and Methods to Ensure Proximity of a Multi-Factor Authentication Device

DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims The following claim(s) is/are pending in this office action: 1-2, 4-9, 11-16, 18-23 The following claim(s) is/are amended: 1, 6, 8, 13, 15, 20-23 The following claim(s) is/are new: - The following claim(s) is/are cancelled: 3, 10, 17 Claim(s) 1-2, 4-9, 11-16, 18-23 is/are rejected. Response to Arguments Applicant’s arguments filed in the amendment filed 12/10/2025, have been fully considered but are moot in view of new grounds of rejection. The reasons set forth below. Applicant’s Invention as Claimed Claim Rejections - 35 USC § 103 A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 4-9, 11-16, 18-23 are rejected under 35 U.S.C. 103 as being unpatentable over Neuman (US Pub. 2013/0262858) in view of Golwalkar (US Pub. 2017/0208055) in view of Balakrishnan (US Pub. 2019/0036940) and further in view of Knaappila (US Pub. 2020/0103513). With respect to Claim 1, Neuman teaches a method for using multi-factor authentication to authenticate a user account, the method comprising: (Abstract, para. 6; Second user device is used in logging in a first device into a user account. Authentication could use one or more factors such as a password.) Programming a computer system of electronic computer hardware in combination with software to perform operations including: receiving, at an authentication service, an authentication request to authenticate a user account request to use a first service, wherein the authentication request is from an access device; (Fig. 1, paras. 6-7; first user device such as laptop transmits a request to a service provider to login to an account of a service provider. The request is received by network and authentication servers which work together to authenticate the login.) in response to the determining, performing a co-location check by sending a passcode to the access device from the authentication service, wherein the passcode is associated with the authentication request; (Determining will be taught later. paras. 7-8; servers generate a random number that is sent to the first device pursuant to the request.) and receiving, at the authentication service, a communication from the authentication device including the passcode and the unique identifier, wherein the authentication device extracted the passcode from a message broadcast over Bluetooth Low Energy from the access device to determine co-location of the authentication device and the access device. (Broadcasting over Bluetooth LE and a unique identifier will be taught later. paras. 7-8; The first device receives the code. The random number is transferred to the second device. It can be transferred manually by display, or via camera, or audio code or near field radio communication. Para. 9; the second device then transmits the random number to the servers. See also Golwalkar, para. 24; to avoid manually entering the code from a first device to a second device, the code may be broadcast or multicast.) in response to a successful co-location check authenticating the user account with the first service based on the unique identifier and the passcode having been received from the authentication device during the co-location check, (A unique identifier is taught below. paras. 9-13; authentication server authenticates user for the first service based on random number.) Wherein the authentication device and the access device are both under control of a user of the user account. (paras. 7-8; first and second device both operated by first user, may even be same device. See also Golwalkar, paras. 15-21; user uses both devices.) But Neuman does not explicitly teach ensuring geographic proximity. Golwalkar, however, does teach wherein the co-location check ensures geographic proximity between the access device and the authentication device(para. 24; to avoid manually entering the code from a first device to a second device, the code may be broadcast or multicast. Communication may be done via Bluetooth. Bluetooth is a technology that has a limited range and therefore ensures geographic proximity between the devices. See also Balakrishnan, para. 40; system determines whether a login location is the same as a previous location, which is a co-location check that ensures geographic proximity. paras. 53-55; rules based on a distance from previous locations.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of Neuman with the co-location check to perform authentication of the user and further because it would allow for copying to the other device without relying on the user to manually enter the code. (Golwalkar, para. 24) But modified Neuman does not explicitly teach a unique identifier. Balakrishnan, however, does teach determining, based on the received authentication request and contextual information about the request that a co-location check between the access device and an authentication device is required for the user account to access the first service (Examiner asserts that Golwalkar may teach on its own, see Golwalkar, paras. 19-20; Code-based linking used when API on a particular device cannot fully service the authentication, which is a context information about the request. Regardless, see Balakrishnan, para. 40; system may require an additional authentication factor based upon, e.g., a user attempting to log in from a location that is different from one or more previous login locations or if a user is logging in from a particular IP address. IP address, previous and current geographic locations are both contextual information. Fig. 3, paras. 47-48; authentication based on a question based on location. For a co-location check see Golwalkar, paras. 19-24; Bluetooth used to transfer code used for logging in. Further, Examiner asserts that logging in from the same location requiring different authentication is itself a co-location check.) And a unique identifier, the unique identifier uniquely identifying of the first service (para. 36; request is for a resource and the system identifies a resource requested. See also Golwalkar, para. 13-14; service provider. Para. 31; multiple services operated by one or more organizations. See also Neuman, para. 6; multiple services such as banking or merchants.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Neuman with the unique identifier in order to confirm to all devices that a particular service was being logged-in to. But modified Neuman does not explicitly teach Bluetooth Low Energy. Knaappila, however, does teach broadcast over Bluetooth Low Energy (paras. 2-4; Bluetooth Low Energy. Paras. 89-94; broadcasting of advertising packets. See also Golwalkar, para. 24; to avoid manually entering the code from a first device to a second device, the code may be broadcast or multicast. Communication may be done via Bluetooth.) It would have been obvious to one of ordinary skill prior to the effective filing date to combine the method of modified Neuman with the Bluetooth Low Energy to save energy. (Knaappila, para. 3) With respect to Claim 2, modified Neuman teaches the method of claim 1, and Neuman also teaches further comprising: sending a successful authentication message to the first service, wherein the successful authentication message causes the first service to establish a session between the access device and a resource. (A unique ID will be taught later. paras. 10-14; authentication server authenticates the user based on random number and transmits notification of authentication. See also Golwalkar, para. 23, 57; authentication service reports successful authentication and user can access resource, which suggests that the successful authentication is also reported to the resource.) And Golwalkar also teaches wherein the successful authentication message causes the first service to establish a session between the access device and a resource. (para. 23, 53, 57; authentication service reports successful authentication and user can access resource, which suggests that the successful authentication is also reported to the resource.) The same motivation to combine as the independent claim applies here. And Balakrishnan also teaches a unique ID (para. 36; request is for a resource and the system identifies a resource requested. See also Golwalkar, para. 13-14; service provider. Para. 31; multiple services operated by one or more organizations. See also Neuman, para. 6; multiple services such as banking or merchants.) The same motivation to combine as the independent claim applies here. With respect to Claim 4, modified Neuman teaches the method of claim 1, and Golwalkar also teaches further comprising: setting a time period associated with the unique identifier and passcode, wherein after the time period expires, the unique identifier and passcode are no longer valid to authenticate the user account with the first service. (A unique id will be taught later. paras. 33-34; codes may be valid for a predetermined length of time such as an hour or a day. Para. 16; expiration of code. See also Richardson, paras. 62-64; temporary id assigned and used to verify during a pre-determined timeframe.) The same motivation to combine as the independent claim applies here. And Balakrishnan also teaches a unique identifier (para. 36; request is for a resource and the system identifies a resource requested. See also Golwalkar, para. 13-14; service provider. Para. 31; multiple services operated by one or more organizations. See also Neuman, para. 6; multiple services such as banking or merchants.) The same motivation to combine as the independent claim applies here. With respect to Claim 5, modified Neuman teaches the method of claim 1, and Balakrishnan also teaches a unique identifier (para. 36; request is for a resource and the system identifies a resource requested. See also Golwalkar, para. 13-14; service provider. Para. 31; multiple services operated by one or more organizations. See also Neuman, para. 6; multiple services such as banking or merchants.) The same motivation to combine as the independent claim applies here. And Knaappila also teaches wherein when the authentication device extracts a unique ID and the passcode from the broadcasted message, the authentication device is not required to be paired with the access device. (para. 4; transmission of an advertising packet with a unique identifier that is used by the receiving device. paras. 4, 101, 103-104; identifier is transmitted in an advertisement packet, which is before pairing takes place. Service discovery may occur without pairing taking place. Data transfer can take place during advertising state.) The same motivation to combine as the independent claim applies here. With respect to Claim 6, modified Neuman teaches the method of claim 1, and Golwalkar also teaches wherein the communication further comprises additional contextual information associated with at least one of the user account, the access device, and the authentication device. (para. 15; email and password for account. para. 17; browser may be already authenticated or may require input of security credentials or authentication factors. para. 32; username, password, biometric information of the user, social security number, answers to knowledge-based questions. Para. 34; device identifiers, network addresses, MAC addresses, serial numbers for the devices. Paras. 42-44; version number used to identify what authentication is supported by the device.) The same motivation to combine as the independent claim applies here. With respect to Claim 7, modified Neuman teaches the method of claim 1, and Neuman also teaches wherein the first service is associated with an access policy configured at an authentication service, the access policy specifies a rule for determining when a unique ID and the passcode are sent to the access device. (A unique ID will be taught later. paras. 132-133; authentication policy that identifies what types of authentication data such as password or biometric is needed. Para. 186; authentication is valid for a set period of time. See also Golwalkar, para. 17; device may already be authenticated. Para. 16; expiration of a code. Para. 32-34; trusted security credentials such as device identifiers, MAC addresses or passwords are long-lived credentials and may never expire or may expire after months. Para. 33; codes may expire after a time or in response to events. Para. 53; user may also have to provide a knowledge-based question if certain resources have a higher level of security.) And Balakrishnan also teaches a unique identifier (para. 36; request is for a resource and the system identifies a resource requested. See also Golwalkar, para. 13-14; service provider. Para. 31; multiple services operated by one or more organizations. See also Neuman, para. 6; multiple services such as banking or merchants.) The same motivation to combine as the independent claim applies here. With respect to Claim 8, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, Neuman teaches a computing system comprising: at least one processor; and at least one memory storing instructions that, when executed by the processor, configure the system to perform operations including: (para. 39; processor and memory containing instructions that configured the processor.) With respect to Claims 9, 11-14, they are substantially similar to Claims 2, 4-7, respectively and are rejected in the same manner, the same art and reasoning applying. With respect to Claim 15, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, Neuman teaches a non-transitory computer-readable storage medium, the computer-readable storage medium including instructions that when executed by a computer, cause the computer to: (para. 39; non-transitory storage medium such as a hard disk.) With respect to Claims 16, 18-20, they are substantially similar to Claims 2, 4-6, respectively and are rejected in the same manner, the same art and reasoning applying. With respect to Claim 21, modified Neuman teaches the method of Claim 1, and Balakrishnan also teaches wherein the contextual information includes at least one of: an IP address of the access device, a browser version, an identification of browser extensions; an operating system on the access device; a type of access device; a time of day; and/or geographical information. (para. 40; location of device, time or day, IP address.) The same motivation to combine as the independent claim applies here. With respect to Claims 22-23, they are substantially similar to Claim 21 and are rejected in the same manner, the same art and reasoning applying. Remarks Applicant submits a Pre-Appeal Request (“Request”, 12/10/2025). A Pre-Appeal Conference was convened. Applicant’s arguments are unpersuasive for the reasons below, but the Conference raises an issue sua sponte and Examiner reopens to fix the issue. Examiner cites the Bluetooth LE specification above and all claims are rejected under the additional teaching. Applicant argues at Request, pgs. 2-3 that the independent claims are nonobvious because a unique identifier with a passcode is “a pre-shared key that allows the authentication device to select the correct BLE advertisement.” The argument is unpersuasive. Applicant admits the prior art teaches identifiers and passcodes separately, see Request, pg. 2; “While identifiers and passcodes appear separately in the prior art…”. Applicant either admits or at least does not challenge the proffered motivation to combine, see Request, pg. 3; “The Office’s ‘confirm which service’ rationale might motivate a label or context field in an ordinary login flow…”. Consequently, Applicant does not raise a proper legal dispute to the rejection. The dispute Applicant raises is that the motivation Examiner gives is different from Applicants (Request, pg. 2; “This is not a mere label; it is a pre-shared key that allows the authentication device to select the correct BLE advertisement…”). But a motivation different for Applicant’s is permissible, see MPEP 2144(II). To the extent Applicant relies upon what is done with the identifier, the argument is unpersuasive because it argues an unclaimed feature. Claim 1 “send[s] a passcode and a unique identifier to the access device” and “receiv[es], at the authentication service, a communication from the authentication device including the passcode and the unique identifier.” Those limitations are consistent with what Applicant calls “a label or context field in an ordinary login flow” and do not require using the unique identifier by the authentication device in any manner. Consequently, the argument argues an unclaimed feature, see MPEP 707.07(f). Because Applicant admits or does not deny the relevant features of the rejection logic and premises an argument on legally irrelevant differences, the argument is unpersuasive. Applicant additionally argues that the cited references “do not suggest pairless BLE filtering or dual-channel synchronization.” The argument is unpersuasive because it argues unclaimed features in Claim 1. Examiner is unsure of what dual-channel synchronization is meant to refer to, but Examiner notes that the references specifically nominate a near-field communication for transferring the passcode and contemplate a much larger distance between the authentication service and the access/authentication devices. i.e. The references suggest using a first channel for the authentication service to access- or authentication-device communication, and a second channel for the access device-authentication device communication. Regardless, the feature is not claimed and Examiner need not tilt at windmills as to what Applicant may be referring to. The claim only nominates Bluetooth LE and Applicant does not dispute the Bluetooth LE citation. With respect to “pairless” BLE Filtering, the feature does not exist in Claim 1, so the argument is unpersuasive. However, the Conference notes that Claim 5 includes the limitation “wherein when the authentication device extracts the unique identifier and the passcode from the broadcasted message, the authentication device is not required to be paired with the access device.” Examiner cited Bluetooth and WiFi from Golwalkar and took official notice of Bluetooth LE. WiFi can be broadcast, and Bluetooth LE can be broadcast, but Bluetooth pairs. While Examiner took official notice of Bluetooth LE, Examiner did not take official notice that Bluetooth LE can be broadcast. (Although, Examiner notes, Applicant suggests that Bluetooth LE can be broadcast because it provides no teaching for making Bluetooth LE broadcast-capable.) While an inherent property of an item may be disclosed by a reference by disclosing the item itself (see MPEP 2163.07(a), 2112.01), that rule does not necessarily apply to official notice. Further, Claim 5 textually cites broadcasting that only mentions WiFi and Bluetooth, not Bluetooth LE. To complete the disclosure Examiner will reopen and cite a Bluetooth LE reference that teaches the broadcasting of an advertisement packet with a unique identifier. The amended claims are taught above. The arguments for nonobviousness are unpersuasive. All claims remain rejected. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205. The examiner can normally be reached on M-F 9-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /NICHOLAS P CELANI/Examiner, Art Unit 2449