SYSTEMS AND METHODS FOR ENHANCED CYBERSECURITY IN ELECTRONIC NETWORKS

DETAILED ACTION Status of Claims 1. This office action is in response to RCE filed 12/23/2025. 2. Claims 1-20 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/23/2025 has been entered. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Step 1: Claims 1-7 are directed to a system; claims 8-14 are directed to a method; claims 15-20 are directed to a non-transitory computer-readable medium – each of which is one of the statutory categories of inventions. Step 2A: A claim is eligible at revised Step 2A unless it recites a judicial exception and the exception is not integrated into a practical application of the application. Prong 1: Prong One of Step 2A evaluates whether the claim recites a judicial exception (an abstract idea enumerated in the 2019 PEG, a law of nature, or a natural phenomenon). Groupings of Abstract Ideas: I. MATHEMATICAL CONCEPTS A. Mathematical Relationships B. Mathematical Formulas or Equations C. Mathematical Calculations II. CERTAIN METHODS OF ORGANIZING HUMAN ACTIVITY A. Fundamental Economic Practices or Principles (including hedging, insurance, mitigating risk) B. Commercial or Legal Interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations) C. Managing Personal Behavior or Relationships or Interactions between People (including social activities, teaching, and following rules or instructions) III. MENTAL PROCESSES. Concepts performed in the human mind (including an observation, evaluation, judgment, opinion). See MPEP 2106.04 (a) (2) Abstract Idea Groupings [R-10.2019] Independent claims 1, 8 and 15 recite the limitations – collect and encrypt user and device attribute data; receive user enrollment request to an application; decrypt encrypted user and device attribute data using decryption keys; apply rules to determine confidence level of request; retrieve a first enrollment procedure corresponding to high level of confidence and a second enrollment procedure corresponding to low level of confidence; direct the user to third-party verification based on first level of confidence or prompt the user for step-up challenge based on second level of confidence; and grant access to secure application in response to completing first or second enrollment procedure – that constitute Mathematical Concepts and/or Mental Process and Commercial/Legal Interactions which is one of the sub-categories of Certain Methods of Organizing Human Activity. The dependent claims further limit the abstract idea to – determining integrity of request, determine unique identifier, compare device attribute data to information database, step-challenge – that also constitute Mental Process and/or Certain Methods of Organizing Human Activity. Controlling access to resources is exactly the sort of process that “can be performed in the human mind, or by a human using a pen and paper,” which the courts have repeatedly deemed unpatentable. See CyberSource Corp. v. Retail Decisions, Inc., (Fed. Cir. 2011). The idea long predates applicant’s claims and is pervasive in human activity, whether in libraries (loaning materials only to card-holding members), office buildings (allowing certain employees entrance to only certain floors), or banks (offering or denying loans to applicants based on suitability and intended use). In each of these circumstances, as in the claims at issue, a request is made for access to a resource, that request is received and evaluated, and then the request is either granted or not. Courts have repeatedly found the concept of controlling access to resources via software to be an abstract idea. See Smart Sys. Innovations, LLC v. Chicago Transit Authority, 873 F.3d 1364, 1371 (Fed. Cir. 2017) (claim involving “denying access to a transit system if the bankcard is invalid” was directed to an abstract idea); Prism Techs. LLC v. T-Mobile USA, Inc., 696 F. App’x 1014, 1017 (Fed. Cir. 2017) (abstract idea of “providing restricted access to resources”); Smartflash LLC v. Apple Inc., 680 F. App’x 977 (Fed. Cir. 2017) (abstract idea of “conditioning and controlling access to data”). See also MPEP 2106.04(a)(2) Abstract Idea Groupings III.C. (“The Federal Circuit found that the claims were directed to the abstract idea of “voting, verifying the vote, and submitting the vote for tabulation”, which is a “fundamental activity that forms the basis of our democracy” and has been performed by humans for hundreds of years. 887 F.3d at 1385-86, 126 USPQ2d at 1504-05.”) Hence under Prong One of Step 2A, claims 1-20 recite a combination of judicial exception(s). See RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea (math) to another abstract idea (encoding and decoding) does not render the claim non-abstract.”). Prong 2: Prong Two of Step 2A evaluates whether the claim recites additional elements that integrate the judicial exception into a practical application of the exception. Limitations that are indicative of integration into a practical application include: Improvements to the functioning of a computer or to any other technology or technical field – see MPEP 2106.05(a) Applying the judicial exception with, or by use of, a particular machine – see MPEP 2106.05(b) Effecting a transformation or reduction of a particular article to a different state or thing – see MPEP 2106.05(c) Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception – see MPEP 2106.05(e) Limitations that are not indicative of integration into a practical application include: Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f) Adding insignificant extra-solution activity to the judicial exception – see MPEP 2106.05(g) Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h) Additional elements recited by the independent claims, beyond the abstract idea, include: a computing device comprising one or processors; user computing device; non-transitory computer-readable storage medium; authentication webpage; third-party website associated the third-party computing device. (Examiner notes that there is no mention of third-party computing device in the specification; the only device disclosed is user computing device.). Based on figures 2-5 and para [0038], [0039], [0053], [0077] all of above elements are generic computing components. Additional elements recited by the dependent claims include: applying transport level security mechanism; applying message level security mechanism; directing authentication webpage to third party website. Encryption/decryption keys has been mentioned in the specification (para [0067]) at a very high level of generality such that the limitation “decrypt the encrypted … data” amount to no more than mere instructions to apply Mathematical Concepts or Mental Process using generic components (see MPEP 2106.05(f)). Additional Element Instructions / Extra Solution Activity in response to the user accessing a publicly available website and selecting to access a secure application associated with the third-party computing device while accessing the publicly available website, cause the user computing device to be automatically directed to the authentication webpage, the authentication webpage linking non-sensitive information associated with the user to sensitive information associated with the user; 2106.05(f) Mere Instructions To Apply An Exception cause display of the authentication webpage on the user interface of the user computing device, the authentication webpage configured to collect user attribute data and device attribute data, the user attribute data corresponding to the non-sensitive information associated with the user, the device attribute data including data elements associated with identifying the user computing device that is captured by the authentication webpage while the user computing device is electronically accessing the authentication webpage; 2106.05(f) Mere Instructions To Apply An Exception cause the user computing device to encrypt the user attribute data and the device attribute data by implementing a data security mechanism, the user attribute data and the device attribute data encrypted to ensure integrity and confidentiality of the user attribute data and the device attribute data sent between the user computing device and the computing device, the data security mechanism implemented to ensure integrity and confidentiality of data transmitted over the electronic network 2106.05(f) Mere Instructions To Apply An Exception receive, from the authentication webpage and in response to the non-sensitive information being received via the user interface displaying the authentication webpage, a request to electronically enroll the user and the user computing device into the secure application, the request including (a) the encrypted user attribute data, and (b) the encrypted device attribute; 2106.05(g) Insignificant Extra-Solution Activity decrypt the encrypted user attribute data and the encrypted device attribute data using decryption keys; 2106.05(f) Mere Instructions To Apply An Exception apply one or more rules of a plurality of rules stored in the one or more memory devices to the decrypted user attribute data and the decrypted device attribute data to 2106.05(f) Mere Instructions To Apply An Exception determine, based on the application of the one or more rules, an authentication confidence level of the request, wherein the authentication confidence level represents a high level of confidence that the request is legitimate or a low level of confidence that the request is legitimate; 2106.05(f) Mere Instructions To Apply An Exception identify, from a plurality of computer enrollment instructions stored in the one or more memory devices and based on the determined authentication confidence level, a first computer enrollment instruction or enrollment into the secure application corresponding to the high level of confidence and a second computer enrollment instruction for electronic enrollment into the secure application corresponding to the low level of confidence; 2106.05(f) Mere Instructions To Apply An Exception transmit, via the network interface and based on the determined authentication confidence level, one of the identified first computer enrollment instruction or the second computer enrollment instruction to the user computing device to complete the enrollment into the secure application without automatically exposing the other more sensitive information linked to the non-sensitive information; 2106.05(g) Insignificant Extra-Solution Activity in response to transmitting the identified first computer enrollment instruction, cause the user computing device, using the identified first computer enrollment instruction, to automatically direct the authentication webpage displayed on the user interface to the third-party computing device to complete the electronic enrollment, thereby expediting the electronic enrollment associated with the high level of confidence while ensuring authorized access to information stored at the third-party computing device; 2106.05(g) Insignificant Extra-Solution Activity in response to transmitting the identified second computer enrollment instruction, cause the user computing device, using the identified second computer enrollment instruction, to (a)display, on the user interface, a prompt requesting user input in response to a step-up challenge to obtain additional information associated with the user, and (b) transmit the user input to the computing device to direct the authentication webpage to the third-party computing device to complete the electronic enrollment in response to the computing device verifying the user input as a correct response to the step-up challenge, thereby ensuring the authorized access to the information stored at the third-party computing device while preventing public exposure of the other more sensitive information; 2106.05(g) Insignificant Extra-Solution Activity in response to completion of either the first computer enrollment instruction or the second computer enrollment instruction via the user interface, grant the user computer device access to the secure application associated with the third-party computing device. 2106.05(f) Mere Instructions To Apply An Exception Examiner thus finds that any additional element(s), beyond the judicial exception, has been recited at a high level of generality such that the claim limitations amount to no more than mere instructions to apply the exception using generic components. The combination of additional elements does not purport to improve the functioning of a computer or effect an improvement in any other technology or technical field. Instead, the additional elements do no more than “use the computer as a tool” and/or “link the use of the judicial exception to a particular technological environment or field of use.” The focus of the claims is not on improvement in computers, but on certain independently abstract ideas – collect and encrypt user and device attribute data; receive user enrollment request to an application; decrypt encrypted user and device attribute data using decryption keys; apply rules to determine confidence level of request; retrieve a first enrollment procedure corresponding to high level of confidence and a second enrollment procedure corresponding to low level of confidence; direct the user to third-party verification based on first level of confidence or prompt the user for step-up challenge based on second level of confidence; and grant access to secure application in response to completing first or second enrollment procedure – that merely uses generic components as tools. Steps that do no more than spell out what it means to “apply it on a computer” cannot confer patent eligibility. Indeed, nothing in claim 1 improves the functioning of the computer, makes it operate more efficiently, or solves any technological problem. See Trading Techs. Int’l, Inc. v. IBG LLC, 921 F.3d 1378, 1384-85 (Fed. Cir. 2019). Hence, under Prong Two of Step 2A, the additional elements, individually or in combination, do not integrate the judicial exception into a practical application. Hence, the claims are ineligible under Step 2A. Step 2B: In Step 2B, the evaluation consists of whether the claim recites additional elements that amount to an inventive concept (aka “significantly more”) than the recited judicial exception. As discussed in Prong Two, the additional elements in the claims amount to no more than mere instructions to apply the exception using generic components, which is insufficient to provide an inventive concept. When considered individually or as an ordered combination, the additional elements fail to transform the abstract idea of – collect and encrypt user and device attribute data; receive user enrollment request to an application; decrypt encrypted user and device attribute data using decryption keys; apply rules to determine confidence level of request; retrieve a first enrollment procedure corresponding to high level of confidence and a second enrollment procedure corresponding to low level of confidence; direct the user to third-party verification based on first level of confidence or prompt the user for step-up challenge based on second level of confidence; and grant access to secure application in response to completing first or second enrollment procedure – into significantly more. See MPEP 2106.05(f) Mere Instructions To Apply An Exception [R-10.2019]. (2) Whether the claim invokes computers or other machinery merely as a tool to perform an existing process. Use of a computer or other machinery in its ordinary capacity for economic or other tasks (e.g., to receive, store, or transmit data) or simply adding a general purpose computer or computer components after the fact to an abstract idea (e.g., a fundamental economic practice or mathematical equation) does not integrate a judicial exception into a practical application or provide significantly more. Hence, the claims are ineligible under Step 2B. Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to a judicial exception without significantly more. Response to Arguments Applicant's arguments filed 12/30/2025 have been fully considered but they are not persuasive. 101 Applicant argues that the human mind cannot practically provide authentication webpage configured to collect user attribute and device attribute data and that the human mind cannot encrypt user attribute and device attribute data. Examiner finds this unpersuasive because the applicant appears to have conflated abstract idea with additional elements. The limitation “cause display of the authentication webpage on the user interface of the user computing device, the authentication device configured to collect user attribute data and device attribute data …” is an additional element and not part of the abstract idea. Encrypting user attribute data and device attribute data, decrypting the encrypted data – are mere data processing steps that can be accomplished by any generic mathematical algorithm; however, the specification does not specify any particular encryption and decryption algorithm(s) but instead mentions encryption/decryption keys in para [0067] at a very high level of generality. Moreover, Examiner points out that the applicant makes a blanket assertion that the “recitations of the present claims cannot practically be performed in the human mind” (page 17 of arguments filed 11/25/2025) without specifying which particular recitation cannot be performed in the human mind. Examiner notes that the limitations “determine, based on the application of one or more rules, an authentic confidence level of the request …” “identify, … based on the determined authentication confidence level … a first enrollment instruction … corresponding to the high level of confidence and a second … enrollment instruction … corresponding to the low level of confidence” – are directed to mitigating the risk that ensures that the enrollment request is legitimate and therefore falls under the abstract subcategory of Fundamental Economic Practices which is one of the subcategories of Certain Methods of Organizing Human Activity. Alternatively, determining, based on rules, whether an enrollment request corresponds to high level of confidence or a low level of confidence – involves observation, evaluation, judgment and opinion – and hence also falls under the Mental Process grouping of abstract ideas. See also MPEP 2106.04 (a)(2) Abstract Idea Groupings III. MENTAL PROCESS C. 2. Performing a mental process in a computer environment. The patentee in FairWarning claimed a system and method of detecting fraud and/or misuse in a computer environment, in which information regarding accesses of a patient’s personal health information was analyzed according to one of several rules (i.e., related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific user) to determine if the activity indicates improper access. 839 F.3d. at 1092, 120 USPQ2d at 1294. The court determined that these claims were directed to a mental process of detecting misuse, and that the claimed rules here were “the same questions (though perhaps phrased with different words) that humans in analogous situations detecting fraud have asked for decades, if not centuries.” 839 F.3d. at 1094-95, 120 USPQ2d at 1296. The claimed invention merely represents the computerized equivalent of human verification of customers seeking enrollment akin to passengers undergoing verification before being allowed to board an airplane or enter a private facility. For example, before a user enters a merchant store, he/she is directed to a verification office where his/her authenticity can be verified by presenting verification credentials or subjecting to step-up challenge before being allowed entry to the store. Applicant’s invention merely places the concept of user authentication in an automated context using user device, third party device and authentication webpage as substitutes for human actors. Courts have consistently held that the mere automation of manual processes using generic computers does not constitute a patentable improvement in computer technology (Credit Acceptance Corp. v. Westlake Services). See Versata Development Group v. SAP America (Fed. Cir. 2015) (“Courts have examined claims that required the use of a computer and still found that the underlying, patent-ineligible invention could be performed via pen and paper or in a person’s mind.”). Applicant argues, citing para [0033] that the claimed system provide “the technical advantages of at least one of: (a) reducing automatic disclosure of an issuing bank based on cardholder information such as email address and/or phone number; (b) reducing spear fishing attacks on cardholders because the issuing bank information is available; (c) providing a streamlined digital wallet enrollment procedure for cardholders on trusted or low risk computing devices; (d) providing an enhanced digital wallet enrollment procedure for cardholder on non-trusted or high risk computing devices; and (e) increasing fraud protection for cardholders.” Examiner finds this unpersuasive. Examiner notes that the features listed above such as reduced disclosure, reduced spear phishing, streamlined procedure, enhanced enrollment procedure and increased fraud protection – merely reflect desired effects or aspirational results stemming from the application of abstract ideas rather any concrete technical steps to achieve such result or effect. Reducing disclosure of bank or cardholder information is achieved by encrypting data which is an abstract idea. Reducing spear phishing, providing streamlined enrollment procedure and increased fraud protection are the intended results or effects of calculating user confidence level and requiring the user to undergo step-up challenge. None of the aforementioned aspirational features describe any technical improvements; rather they reflect the results of implementing judicial exceptions. See MPEP 2106.05(f) (3) (“describes “the effect or result dissociated from any method by which maintaining the state is accomplished” and does not provide a meaningful limitation because it merely states that the abstract idea should be applied to achieve a desired result”). Examiner also points out that the following features – “digital wallet” or “trusted device” – are not present in the pending claims. As explained earlier, displaying authentication webpage to collect user attribute data and device attributed date is merely data gathering activity. Encrypting user attribute data and device attribute data for confidentiality is an abstract idea. Receiving encrypted user attribute data and encrypted device attribute data from the authentication webpage is data gathering activity. Directing the user from the publicly available website to the authentication webpage of the user computing device is merely delegating the task of verifying the authenticity of the user to the issuer via step-up challenge – which is a certain method of organizing human activity. Collecting user attribute data and device attribute data is necessary to determine the confidence level of the user enrollment request. See MPEP 2106.05(g) Insignificant Extra-Solution Activity [R-10.2019] ((3) Whether the limitation amounts to necessary data gathering and outputting, (i.e., all uses of the recited judicial exception require such data gathering or data output). See Mayo, 566 U.S. at 79, 101 USPQ2d at 1968; OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1092-93 (Fed. Cir. 2015) (presenting offers and gathering statistics amounted to mere data gathering).). See also the PTAB Decision from the parent application: Moreover, even assuming, for the sake of argument, that the features that Appellant identifies can properly be considered additional elements, we are not persuaded that these features (i.e., automatically redirecting a user computing device from a merchant’s website to an authentication website; verifying that the new user is registered with an issuer; calculating a confidence level that the user’s enrollment request is not fraudulent; and, based on the confidence level, requiring the user to complete a first enrollment procedure or a second enrollment procedure) “cooperate with the claim as a whole” to provide a technological improvement or an improvement to a technical field. To the extent claim 1 reflects an improvement at all, that improvement is, at best, an improvement to the abstract idea of mitigating the risk of fraud, applied in the context of enrolling new users in a network-based service, which is not enough for patent eligibility. See SAP Am., Inc. v. InvestPic, LLC, 898 F.3d 1161, 1170 (Fed. Cir. 2018) (“[P]atent law does not protect such claims[, i.e., claims to an asserted advance in the realm of abstract ideas], without more, no matter how groundbreaking the advance.”). This is particularly so where, as here, we find no indication in the Specification, nor does Appellant direct us to any indication, that the operations recited in claim 1 require any specialized computer hardware or other inventive computer components, invoke any allegedly inventive programming, or that the claimed invention is implemented using other than generic computer components as tools operating in their ordinary capacity. (Page 18, PTAB Dec.) Ex parte JOHN D. CHISHOLM Appeal 2024-002993 Application 15/335,906 For the above reasons, Applicant’s arguments are not persuasive. Applicant analogizes the claims to BASCOM. Examiner respectfully disagrees. The key fact in BASCOM was the presence of a structural change in “installation of a filtering tool at a specific location, remote from the end users, with customizable filtering features specific to each end user. This design gives the filtering tool both the benefits of a filter on a local computer and the benefits of a filter on the ISP server.” BASCOM, 827 F.3d at 1350. This structural change occurred in the context of the internet as it existed at filing in March 1997 when dial up internet service was still prevalent. It was not the idea of having user customizable filtering located separately from the user that was inventive, but the manner of accomplishing it in that context, as the relatively primitive internet architecture at that time did not readily lend itself to such filtering. Filtering located separately from the user was already performed. “To overcome some of the disadvantages of installing filtering software on each local computer, another prior art system relocated the filter to a local server.” Id. at 1344. But it was known that allowing user customization there was desirable. “However, the one-size-fits-all filter on the local server was not ideal.” Id. The BASCOM filter was invented prior to the now prevalent use of self identifying devices with media access control (MAC) addresses. Thus, absent that, “BASCOM explains that the inventive concept rests on taking advantage of the ability of at least some ISPs to identify individual accounts that communicate with the ISP server, and to associate a request for Internet content with a specific individual account.” Id. Thus, BASCOM solved the problem of how to create the structural relationship known to be desired by finding a way to relate a user to a centrally located filter at a time when how to do so was unclear. It was not the structural relation per se, but how it was accomplished that was inventive. No analogous technological hurdle is described in the current invention. As noted above, verifying the authenticity of an enrollment request is not a technical problem but an abstract idea. Merely directing a user to an authentication webpage to under one step or two step authentication challenge is not a technical solution to a technical problem but merely carrying out certain methods of organizing human activity. For the above reasons, BASCOM is inapposite here. See also: Appellant maintains that “just as in BASCOM, [where ‘the location of installation of the tool contravened the conventional system’s arrangement of functions for Internet filtering tools,’]” claim 1 “recite[s] a software tool that contravenes the conventional prior art arrangement of functions within the system in order to solve a specific, identified technical problem in the prior art” (Appeal Br. 20–21). But Appellant does not identify, and we do not find here any improvement to computer technology analogous to that described in BASCOM or any additional element or combination of elements recited in claim 1 that yields an improvement in the functioning of a computer. Unlike the filtering system improvements in BASCOM that added significantly more to the abstract idea in that case, and improved the performance of the computer system itself, the claimed invention here merely uses generic computing components performing generic computer functions to implement an abstract idea. (Page 23, PTAB Dec.) Ex parte JOHN D. CHISHOLM Appeal 2024-002993 Application 15/335,906 Applicant argues that the present claims include an ordered combination of limitations that operate in a non-conventional and non-generic way to eliminating unauthorized access to an electronic network and enhancing cybersecurity of an electronic network. Examiner respectfully disagrees. Examiner also points out that controlling access to resources is exactly the sort of process that “can be performed in the human mind, or by a human using a pen and paper,” which the courts have repeatedly deemed unpatentable. See CyberSource Corp. v. Retail Decisions, Inc., (Fed. Cir. 2011). The idea long predates applicant’s claims and is pervasive in human activity, whether in libraries (loaning materials only to card-holding members), office buildings (allowing certain employees entrance to only certain floors), or banks (offering or denying loans to applicants based on suitability and intended use). In each of these circumstances, as in the claims at issue, a request is made for access to a resource, that request is received and evaluated, and then the request is either granted or not. Courts have repeatedly found the concept of controlling access to resources via software to be an abstract idea. See Smart Sys. Innovations, LLC v. Chicago Transit Authority, 873 F.3d 1364, 1371 (Fed. Cir. 2017) (claim involving “denying access to a transit system if the bankcard is invalid” was directed to an abstract idea); Prism Techs. LLC v. T-Mobile USA, Inc., 696 F. App’x 1014, 1017 (Fed. Cir. 2017) (abstract idea of “providing restricted access to resources”); Smartflash LLC v. Apple Inc., 680 F. App’x 977 (Fed. Cir. 2017) (abstract idea of “conditioning and controlling access to data”). The present claims are no different. An ordered combination of the claimed limitations recites a series of abstract ideas (as set forth the Prong 1). Encrypting user data is an abstract idea. Determining the confidence level of a user and asking a step-up challenge when the confidence level is low – is not technological improvement but a certain method of organizing human activity and/or mental process. This is akin to asking a person to answer additional questions when he or she is unable to satisfy a first level of confidence. See also MPEP 2106.04(a)(2) Abstract Idea Groupings III.C. (“The Federal Circuit found that the claims were directed to the abstract idea of “voting, verifying the vote, and submitting the vote for tabulation”, which is a “fundamental activity that forms the basis of our democracy” and has been performed by humans for hundreds of years. 887 F.3d at 1385-86, 126 USPQ2d at 1504-05.”). The additional elements - user computing device; non-transitory computer-readable storage medium; authentication webpage; third-party website associated the third-party computing device – have been generically recited in the specification and drawings and do no more than implement the abstract ideas. An ordered combination of the limitations amount to no more than applying the series of abstract ideas on generic components. The claimed limitations do not recite (i) an improvement to the functionality of a computer or other technology or technical field; (ii) a “particular machine” to apply or use the judicial exception; (iii) a particular transformation of an article to a different thing or state; or (iv) any other meaningful limitation. See MPEP 2106.05 (a)-(c), (e)-(h). Hence, the additional elements, individually or in combination, do not integrate the abstract idea into a practical application or provide significantly more. See MPEP 2106.05(f). Finally, with respect to applicant’s arguments about lack of prior art citation, Examiner points out that courts have consistently held that arguments about the lack of preemption risk cannot save claims that are deemed to only be directed to patent-ineligible subject matter. (“While preemption may signal patent ineligible subject matter, the absence of complete preemption does not demonstrate patent eligibility.”) Ariosa Diagnostics, Inc. v. Sequenom, Inc., 788 F.3d 1371, 1379 (Fed. Cir. 2015); (“where a patent’s claims are deemed only to disclose patent ineligible subject matter under the Mayo framework, as they are in this case, preemption concerns are fully addressed and made moot.”) Ariosa, 788 F.3d at 1379See also Myriad, 569 U.S. at 591, 106 USPQ2d at 1979 (“Groundbreaking, innovative, or even brilliant discovery does not by itself satisfy the §101 inquiry.”). Cf. Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1151, 120 USPQ2d 1473, 1483 (Fed. Cir. 2016) (“a new abstract idea is still an abstract idea”). See also OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1362-63 (Fed. Cir. 2015) (“[T]hat the claims do not preempt all price optimization or may be limited to price optimization in the e-commerce setting do not make them any less abstract.”). For the above reasons, Applicant’s arguments are not persuasive. 103 The obviousness rejection has been withdrawn in view of the amendments filed 12/23/2025. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARUNAVA CHAKRAVARTI whose telephone number is (571)270-1646. The examiner can normally be reached 9 AM - 5 PM ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached at 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /ARUNAVA CHAKRAVARTI/Primary Examiner, Art Unit 3692