Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-12 and 15-17 is/are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent Application Publication No.: US 2020/0120089 A1 (VARANASI et al.).
As Per Claim 1: VARANASI et al. teaches: A method for performing a remote online authentication process, comprising the steps of:
- providing an authentication device communicately connected to an interrogating entity;
- sending, by the interrogating entity, an I/O request to the authentication device;
- outputting the I/O request on the authentication device, via an I/O interface of the authentication device;
- receiving, on the authentication device, an I/O response, via the I/O interface of the authentication device, and
- verifying whether the received I/O response has been received from a user associated with the authentication device after the I/O request has been output on the authentication device and whether the received I/O response relates to the I/O request.
(VARANASI et al., Abstract, “A multifactor authentication system is implemented to enable interactive access to a secure application. A request to access a secure application can be received via a client device which can initially perform a credential exchange with a server associated with the secure application. Based on an indication that a credential exchange is valid, a secondary authentication request can to be sent to the client device to initiate multifactor authentication. An authentication check issued by an entity associated with the secure application can be scanned at the client device to, and an identification indicator associated with the authentication check and/or a signature of a user of the client device can be extracted. The identification indicator and the signature can be verified or otherwise authenticated, and access to the secure application via the client device can be enabled.”).
(VARANASI et al., Paragraph [0026], “Turning now to FIG. 3, a schematic of an exemplary computing system 300 in operation for authenticating a user 302 and/or user device 304 based on multifactor authentication utilizing an entity issued check, in accordance with some aspects of the technology described herein, is depicted. A user device 304 comprising an optical input device (e.g. optical scanner, camera) can receive a request to access a secure application associated with an entity based on an input received from a user 302 of the user device 304, for example by requesting access via a browser 306 running on the user device 304. In some embodiments access can be requested via a mobile application associated with secure application 310. User device 304 can forward the request to a secure application 310. Secure application 310 can subsequently request one or more user credentials from the user device 304. A user 302 can input any number of user credentials or such user credentials can be stored at the user device 304. The user device 304 can perform a credential exchange with one or more security applications associated with the secure application 310 to be accessed. Based on an indication that the credential exchange has been verified or otherwise successful, an entity security application can send an out-of-band authentication request to an agent 308 running on the user device 304. In response to the out-of-band authentication request, and authentication application can be initiated on the user device 304 (e.g. agent authentication engine 211 of FIG. 2). A user 302 can scan an authentication check via an optical scanner of user device 304. In some embodiments, a determination can be made that the scanning is completed in real-time, for example by agent 308. Further, agent 308 can verify that the scanning of the authentication check is a live scan. Additionally, in some embodiments, the signature of the user may be input via user device 304 by user 302. Alternatively, user 302 may provide a signature on the authentication check during the scanning.”).
As Per Claim 2: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the verification step includes checking whether the received I/O response results from a life interaction of the associated user with the authentication device.
(VARANASI et al., Paragraph [0015], “In some embodiments of the technology, the agent conducts a liveness check of the scanning operations. In this way it can be determined that the scan of the authentication check is completed in real time and that the scan is based on the live authentication check, rather than a copy or a picture of the authentication check. In other embodiments, the signature of the user can be provided in real time, for example a user can sign the check during the scanning operations or alternatively provide a signature to the user device via an electronic input.”).
As Per Claim 3: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the step of outputting the I/O request on the authentication device includes presenting a sequence of request signals on the I/O interface.
(VARANASI et al., Paragraph [0026], “Turning now to FIG. 3, a schematic of an exemplary computing system 300 in operation for authenticating a user 302 and/or user device 304 based on multifactor authentication utilizing an entity issued check, in accordance with some aspects of the technology described herein, is depicted. A user device 304 comprising an optical input device (e.g. optical scanner, camera) can receive a request to access a secure application associated with an entity based on an input received from a user 302 of the user device 304, for example by requesting access via a browser 306 running on the user device 304. In some embodiments access can be requested via a mobile application associated with secure application 310. User device 304 can forward the request to a secure application 310. Secure application 310 can subsequently request one or more user credentials from the user device 304. A user 302 can input any number of user credentials or such user credentials can be stored at the user device 304. The user device 304 can perform a credential exchange with one or more security applications associated with the secure application 310 to be accessed. Based on an indication that the credential exchange has been verified or otherwise successful, an entity security application can send an out-of-band authentication request to an agent 308 running on the user device 304. In response to the out-of-band authentication request, and authentication application can be initiated on the user device 304 (e.g. agent authentication engine 211 of FIG. 2). A user 302 can scan an authentication check via an optical scanner of user device 304. In some embodiments, a determination can be made that the scanning is completed in real-time, for example by agent 308. Further, agent 308 can verify that the scanning of the authentication check is a live scan. Additionally, in some embodiments, the signature of the user may be input via user device 304 by user 302. Alternatively, user 302 may provide a signature on the authentication check during the scanning.”).
VARANASI et al., includes requesting multiple credentials.
As Per Claim 4: The rejection of claim 3 is incorporated and further VARANASI et al. teaches:
- the step of receiving the I/O response on the authentication device includes a user interaction with the presented sequence of request signals.
(VARANASI et al., Paragraph [0019], “Client device 104 can comprise any type of computing device or user device capable of use by a user that includes an optical input device. By way of example and not limitation, a client device 104 can include an agent authentication engine 116 configured to run on the client device. The agent authentication engine 116 can comprise an extraction module 118 and a scan verification module 120. The extraction module 118 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device (e.g. a camera, an optical sensor, and the like). Extraction module 118 can scan and/or extract one or more features of an authentication check (e.g. authentication check 210 of FIG. 2) to be utilized for one or more authentication or verification processes. For example, extraction module 118 can, based on a scan of an authentication check, extract a unique identifier associated with the authentication check. The unique identifier can in some instances be a numerical or graphic marking. The scan verification module 120 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device of the client device 104. The scan verification module can in some embodiments perform a liveness check, for example a verification that authentication check being presented to the client device 104 and the features of the authentication check presented are done in real-time and are that of a verifiable object, and not a copy or imitation. The liveness check enables the agent authentication engine 116 and/or the entity authentication engine to discriminate between the real factors of the authentication check and artificial copies or imitations of those features, for example in this way spoofing of the authentication check through the use of photographs can be avoided.”).
As Per Claim 5: The rejection of claim 3 is incorporated and further VARANASI et al. teaches:
- the sequence of request signals include audible, optical and/or tactile patterns.
(VARANASI et al., Paragraph [0019], “Client device 104 can comprise any type of computing device or user device capable of use by a user that includes an optical input device. By way of example and not limitation, a client device 104 can include an agent authentication engine 116 configured to run on the client device. The agent authentication engine 116 can comprise an extraction module 118 and a scan verification module 120. The extraction module 118 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device (e.g. a camera, an optical sensor, and the like). Extraction module 118 can scan and/or extract one or more features of an authentication check (e.g. authentication check 210 of FIG. 2) to be utilized for one or more authentication or verification processes. For example, extraction module 118 can, based on a scan of an authentication check, extract a unique identifier associated with the authentication check. The unique identifier can in some instances be a numerical or graphic marking. The scan verification module 120 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device of the client device 104. The scan verification module can in some embodiments perform a liveness check, for example a verification that authentication check being presented to the client device 104 and the features of the authentication check presented are done in real-time and are that of a verifiable object, and not a copy or imitation. The liveness check enables the agent authentication engine 116 and/or the entity authentication engine to discriminate between the real factors of the authentication check and artificial copies or imitations of those features, for example in this way spoofing of the authentication check through the use of photographs can be avoided.”).
As Per Claim 6: The rejection of claim 3 is incorporated and further VARANASI et al. teaches:
- the sequence of request signals include a shift of a pattern.
(VARANASI et al., Paragraph [0015], “In some embodiments of the technology, the agent conducts a liveness check of the scanning operations. In this way it can be determined that the scan of the authentication check is completed in real time and that the scan is based on the live authentication check, rather than a copy or a picture of the authentication check. In other embodiments, the signature of the user can be provided in real time, for example a user can sign the check during the scanning operations or alternatively provide a signature to the user device via an electronic input.”).
As Per Claim 7: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the verification step includes determining a dynamic response behavior in the received I/O response.
(VARANASI et al., Paragraph [0015], “In some embodiments of the technology, the agent conducts a liveness check of the scanning operations. In this way it can be determined that the scan of the authentication check is completed in real time and that the scan is based on the live authentication check, rather than a copy or a picture of the authentication check. In other embodiments, the signature of the user can be provided in real time, for example a user can sign the check during the scanning operations or alternatively provide a signature to the user device via an electronic input.”).
As Per Claim 8: The rejection of claim 7 is incorporated and further VARANASI et al. teaches:
- the dynamic response behavior in the received I/O response dynamically relates to the presented sequence of request signals.
(VARANASI et al., Paragraph [0015], “In some embodiments of the technology, the agent conducts a liveness check of the scanning operations. In this way it can be determined that the scan of the authentication check is completed in real time and that the scan is based on the live authentication check, rather than a copy or a picture of the authentication check. In other embodiments, the signature of the user can be provided in real time, for example a user can sign the check during the scanning operations or alternatively provide a signature to the user device via an electronic input.”).
As Per Claim 9: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the received I/O response includes audible, optical and/or tactile patterns.
(VARANASI et al., Paragraph [0019], “Client device 104 can comprise any type of computing device or user device capable of use by a user that includes an optical input device. By way of example and not limitation, a client device 104 can include an agent authentication engine 116 configured to run on the client device. The agent authentication engine 116 can comprise an extraction module 118 and a scan verification module 120. The extraction module 118 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device (e.g. a camera, an optical sensor, and the like). Extraction module 118 can scan and/or extract one or more features of an authentication check (e.g. authentication check 210 of FIG. 2) to be utilized for one or more authentication or verification processes. For example, extraction module 118 can, based on a scan of an authentication check, extract a unique identifier associated with the authentication check. The unique identifier can in some instances be a numerical or graphic marking. The scan verification module 120 can operate in conjunction with the client device 104, and more particularly an optical input device or scanning device of the client device 104. The scan verification module can in some embodiments perform a liveness check, for example a verification that authentication check being presented to the client device 104 and the features of the authentication check presented are done in real-time and are that of a verifiable object, and not a copy or imitation. The liveness check enables the agent authentication engine 116 and/or the entity authentication engine to discriminate between the real factors of the authentication check and artificial copies or imitations of those features, for example in this way spoofing of the authentication check through the use of photographs can be avoided.”).
As Per Claim 10: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the verification step includes analyzing a dynamic response behavior in the received I/O response in terms of time moment, time duration and/or spatial characteristics.
(VARANASI et al., Paragraph [0015], “In some embodiments of the technology, the agent conducts a liveness check of the scanning operations. In this way it can be determined that the scan of the authentication check is completed in real time and that the scan is based on the live authentication check, rather than a copy or a picture of the authentication check. In other embodiments, the signature of the user can be provided in real time, for example a user can sign the check during the scanning operations or alternatively provide a signature to the user device via an electronic input.”).
As Per Claim 11: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- the verification step is performed using historic data received from the associated user.
(VARANASI et al., Paragraph [0020], “Data storage 108 can comprise data sources and/or data systems, which are configured to make data available to any of the various constituents of operating environment 100, or systems 200 and 300 described in connection to FIGS. 2 and 3. For example, in one embodiment, one or more data sources 108 can provide (or make available for access) datasets for use by any client device 104 and/or entity device, such as server 106. Data source 108 can be discrete from client device 104 and/or server 106 or can be incorporated and/or integrated into at least one of such components. In some embodiments, data source 108 can comprise a single dataset or a collection of datasets. In various embodiments, the data source 108 stores a shared collection of datasets that can be interpreted, analyzed, and/or processed by a client device 104 and/or entity server 106. According to some embodiments described herein, an authentication check can be pre-registered by the entity to aid in the authentication process. For example, pre-registering an authentication check can include storing an identification indicator in association with the signature of the user. Additionally, the client device itself can be uniquely mapped to the user by storing a client device identification is association with the identification indicator of the authentication check and/or the signature of the user.”).
As Per Claim 12: The rejection of claim 4 is incorporated and further VARANASI et al. teaches:
- including a step of generating historic data using data from user interactions with presented request signals.
(VARANASI et al., Paragraph [0020], “Data storage 108 can comprise data sources and/or data systems, which are configured to make data available to any of the various constituents of operating environment 100, or systems 200 and 300 described in connection to FIGS. 2 and 3. For example, in one embodiment, one or more data sources 108 can provide (or make available for access) datasets for use by any client device 104 and/or entity device, such as server 106. Data source 108 can be discrete from client device 104 and/or server 106 or can be incorporated and/or integrated into at least one of such components. In some embodiments, data source 108 can comprise a single dataset or a collection of datasets. In various embodiments, the data source 108 stores a shared collection of datasets that can be interpreted, analyzed, and/or processed by a client device 104 and/or entity server 106. According to some embodiments described herein, an authentication check can be pre-registered by the entity to aid in the authentication process. For example, pre-registering an authentication check can include storing an identification indicator in association with the signature of the user. Additionally, the client device itself can be uniquely mapped to the user by storing a client device identification is association with the identification indicator of the authentication check and/or the signature of the user.”).
As Per Claim 15: The rejection of claim 11 is incorporated and further VARANASI et al. teaches:
- the historic data are stored in a secure element.
(VARANASI et al., Paragraph [0021], “Computing device and/or entity server 106 can be any computing device associated with an entity that is capable of running a secure application which can be accessed by a client device 104. The entity server 106 can be in operable communication with data storage 108. In some embodiments, data storage 108 can be a secure data store that is dedicated to entity server 106. The entity server 106 can be implemented to run and/or host one or more secure applications to be accessed by client device 104. The entity server 106 can comprise an entity authentication engine 110 to authenticate a client device 104 on the entity server 106 such that the client device can perform secure transactions with the entity server 106. The entity authentication engine 110 can comprise a biometric authentication module 112 and an identifier validation module 114. The biometric authentication module 112 can use biometric information extracted from an authentication check to verify the biometric information as part of an authentication process. The identifier validation module 114 can use identification information extracted from an authentication check to verify the unique identification marking of the authentication check as part of an authentication process. Access to a secure application associated with an entity can be enabled based on a verification of biometric information, identifier information, or both.”).
As Per Claim 16: The rejection of claim 1 is incorporated and further VARANASI et al. teaches:
- results of the verification step are used for authorizing the user associated with the authentication device to interact with a platform application.
(VARANASI et al., Paragraph [0026], “Turning now to FIG. 3, a schematic of an exemplary computing system 300 in operation for authenticating a user 302 and/or user device 304 based on multifactor authentication utilizing an entity issued check, in accordance with some aspects of the technology described herein, is depicted. A user device 304 comprising an optical input device (e.g. optical scanner, camera) can receive a request to access a secure application associated with an entity based on an input received from a user 302 of the user device 304, for example by requesting access via a browser 306 running on the user device 304. In some embodiments access can be requested via a mobile application associated with secure application 310. User device 304 can forward the request to a secure application 310. Secure application 310 can subsequently request one or more user credentials from the user device 304. A user 302 can input any number of user credentials or such user credentials can be stored at the user device 304. The user device 304 can perform a credential exchange with one or more security applications associated with the secure application 310 to be accessed. Based on an indication that the credential exchange has been verified or otherwise successful, an entity security application can send an out-of-band authentication request to an agent 308 running on the user device 304. In response to the out-of-band authentication request, and authentication application can be initiated on the user device 304 (e.g. agent authentication engine 211 of FIG. 2). A user 302 can scan an authentication check via an optical scanner of user device 304. In some embodiments, a determination can be made that the scanning is completed in real-time, for example by agent 308. Further, agent 308 can verify that the scanning of the authentication check is a live scan. Additionally, in some embodiments, the signature of the user may be input via user device 304 by user 302. Alternatively, user 302 may provide a signature on the authentication check during the scanning.”).
A Per Claim 17: Claim 17 is substantially a restatement of the method of claim 1 as a computer program product and is rejected under substantially the same reasoning.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 13 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2020/0120089 A1 (VARANASI et al.) in view of United States Patent Application Publication No.: US 2021/0110014 A1 (Turgeman et al.).
As Per Claim 13: The rejection of claim 1 is incorporated and further VARANASI et al. does not explicitly teach the following limitation however Turgeman et al. in analogous art does teach the following limitation:
- repeatedly sending the same I/O requests to the authentication device for training the user associated with the authentication device to develop a unique I/O response.
(Turgeman et al., Paragraph [0058], “Some embodiments may identify a fraudulent usage session by training the user to a particular behavior and testing for such behavior; for example, by launching aberrations that cause the user to change its mode of interaction within the next few seconds or minutes and while the aberration is still carried on. For example, the system may change the relation between the physical movement of the mouse and the virtual or on-screen cursor or pointer during the log-in process, and then make another modification subsequent to the log-in process. Similarly, the system may modify the delay time or delay interval between the pressing-down of a key on the keyboard, and the appearance of the suitable character on the screen. The system may generate other, small, aberrations in proximity to a button or link that needs to be clicked or selected, thereby requiring the user to aim the mouse more accurately; or in a touch-screen device, introducing an artificial delay between touching an on-screen key until character appears on the screen, thereby causing the user to prolong or extend the pressing time or touching time. In some embodiments, one of the two sessions may be injected with such aberrations, whereas another of the two sessions (e.g., the later-starting session) may not be injected with such aberrations; and sampling and analysis of input unit events may enable the system to distinguish between a local (genuine) user and a remote attacker.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Turgeman et al. in to the method of VARANASI et al. as Turgeman et al. provides a direct enhancement to the liveness check in VARANASI et al. in looking for a fraudulent user.
As Per Claim 14: The rejection of claim 1 is incorporated and further VARANASI et al. does not explicitly teach the following limitation however Turgeman et al. in analogous art does teach the following limitation:
- a subsequent I/O request deviates in an aspect from earlier I/O requests, in particular in terms of layout, colour and/or dimensions.
(Turgeman et al., Paragraph [0058], “Some embodiments may identify a fraudulent usage session by training the user to a particular behavior and testing for such behavior; for example, by launching aberrations that cause the user to change its mode of interaction within the next few seconds or minutes and while the aberration is still carried on. For example, the system may change the relation between the physical movement of the mouse and the virtual or on-screen cursor or pointer during the log-in process, and then make another modification subsequent to the log-in process. Similarly, the system may modify the delay time or delay interval between the pressing-down of a key on the keyboard, and the appearance of the suitable character on the screen. The system may generate other, small, aberrations in proximity to a button or link that needs to be clicked or selected, thereby requiring the user to aim the mouse more accurately; or in a touch-screen device, introducing an artificial delay between touching an on-screen key until character appears on the screen, thereby causing the user to prolong or extend the pressing time or touching time. In some embodiments, one of the two sessions may be injected with such aberrations, whereas another of the two sessions (e.g., the later-starting session) may not be injected with such aberrations; and sampling and analysis of input unit events may enable the system to distinguish between a local (genuine) user and a remote attacker.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Turgeman et al. in to the method of VARANASI et al. as Turgeman et al. provides a direct enhancement to the liveness check in VARANASI et al. in looking for a fraudulent user.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BENJAMIN A KAPLAN/Examiner, Art Unit 2434