DETAILED ACTION
Examiner's Note: The Examiner has pointed out particular references contained in the prior art of record within the body of this action for the convenience of the Applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply. Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s remarks filed on 01/28/2026 have been fully considered.
Regarding claim[s] 1 – 20 under the obviousness rejection, applicant’s arguments are moot because the new ground of rejection does not rely on all the references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below.
The examiner will respond to all other remarks that do not concern the prior art rejections, if any, in the office action below.
Response to Amendment
Status of the instant application:
Claim[s] 1 – 20 are pending in the instant application.
Regarding claim[s] 1 – 20 under the obviousness rejection, applicant’s claim amendments have been considered; therefore, the rejection is withdrawn. However, a new prior art rejection addressing the newly added claim amendments is set forth in the office action below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim(s) 1, 4 – 9, 12 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nambula et al. [US PGPUB # 2023/0318855] in view of Kwon et al. [US PGPUB # 2020/0275274], further in view of Hui et al. [US PGPUB # 2015/0365238].
As per claim 1. Nambula does teach a Fast Identity Online (FIDO) server [paragraph: 0025, lines 1 – 7, The access server 106 may include or implement a hardware-based computer device configured to communicate data and information with the other components of the operating environment 100 via the network 108. The access server 106 may be associated with a passwordless authentication system such as the access server implemented in the fast identification online (FIDO) system.], comprising:
a storage device [Figure # 1, access server # 106]; and
a processor [paragraph: 0016, lines 1 – 7, processor] configured to
register a first user device as a primary user device of a user account at the FIDO server [paragraph: 0025, lines 1 – 8, The access server 106 may include or implement a hardware-based computer device configured to communicate data and information with the other components of the operating environment 100 via the network 108. The access server 106 may be associated with a passwordless authentication system such as the access server implemented in the fast identification online (FIDO) system. The access server 106 may enable the managed devices 102 and 112 to register.], wherein the processor receives a public key generated by the first user device from the first user device and stores the public key in the storage device [paragraph: 0025, lines 8 – 12, During registration, the user 113 creates a new key pair. The public key is registered with the service and the user 113 retains the private key at a local device such as in the key storage 110 or 116.].
Nambula does not clearly teach receive a registration request for the user account from a second user device, wherein the registration request comprises a signed device public key of the second user device;
verify the signed device public key of the second user device based on the public key of the first user device; and
in response to successful verification of the signature, register the second user device as a secondary user device of the user account at the FIDO server.
However, Kwon does teach receive a registration request for the user account from a second user device, wherein the registration request comprises a signed device public key of the second user device [Kwon, paragraph: 0142, lines 4 – 16, For example, the first electronic device 201 may perform the user authentication by performing a FIDO-based authentication protocol. The first electronic device 201 may receive a user input of biometric information from a user (e.g., the user 205 of FIG. 6), and transmit a digital signature value including a pre-registered public key and ensuring validity of the biometric information to an authentication server (e.g., the authentication server 225 of FIG. 6) to perform the FIDO-based authentication protocol.];
verify the signed device public key of the second user device based on the public key of the first user device [Kwon, paragraph: 0142, lines 4 – 16, For example, the first electronic device 201 may perform the user authentication by performing a FIDO-based authentication protocol. The first electronic device 201 may receive a user input of biometric information from a user (e.g., the user 205 of FIG. 6), and transmit a digital signature value including a pre-registered public key and ensuring validity of the biometric information to an authentication server (e.g., the authentication server 225 of FIG. 6) to perform the FIDO-based authentication protocol.]; and
in response to successful verification of the signature, register the second user device as a secondary user device of the user account at the FIDO server [Kwon, paragraph: 0131, According to an embodiment, the second electronic device 501 may perform identity authentication for the transmission of the identification information before performing operation 705. For example, the second electronic device 501 may receive a user input of requesting registration of the identification information, and perform the identity authentication for a user (e.g., the user 205 of FIG. 6) in response to the received user input. According to an embodiment, the second electronic device 501 performs the identity authentication using at least one of a SMS, a video call, and biometric information to identity that the owner of the first electronic device 201 and the owner of the second electronic device 501 are the same person].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nambula and Kwon so that the sharing of data between users of first and second managed devices in an unsecure network of Nambula includes the encrypting operations of Kwon. This would allow the data transiting between the first and second managed devices to be secured in encrypted form. See paragraph: 0138 of Kwon.
Nambula and Kwon do not clearly teach the claim limitation of: “wherein the signed device public key is signed by a private key corresponding to the public key of the first user device.”
However, Hui does teach the claim limitation of: “wherein the signed device public key is signed by a private key corresponding to the public key of the first user device [paragraph: 0063, The techniques presented herein provide a computer-implemented method, apparatus and computer readable media (storing processor-executable instructions) for, at a device manager for an endpoint device, presenting a first public key of a first public-private key pair to a network management system as part of a request for one or more work orders, each work order comprising information used to configure an endpoint device in a secure manner, wherein the information is specific to the endpoint device, associated with a user role, and valid for a specified period of time. The device manager receives from the network management system the work order signed using a second private key of a second public-private key pair, the work order including the first public key, and provides the signed work order to the endpoint device for validation of the signed work order using a second public key. Once validated, the device manager sends all subsequent communications from the device manager to the endpoint device such that the communications are signed with the first private key. A network interface unit may be configured to send and receive communications over a network.].”
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nambula as modified and Hui so that the sharing of data between users of first and second managed devices in an unsecure network of Nambula as modified includes accessing the data based on specific attributes of the requesting user, as taught by Hui. This would allow the data transiting between the first and second managed devices to be accessed based on the role of the requesting user, or subject to a time limit within which the data can be accessed by a requesting user. See paragraph: 0064 of Hui.
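The registration flow recited in claim 1 (the first device registers its public key; the second device submits its device public key signed by the first device's private key; the server verifies that signature against the stored primary public key before registering the second device as a secondary device), shown as an added Go illustration that is not code from the application or from any cited reference. The Ed25519 key type, the account and device identifiers, and the binding of the signed message to the account are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Account is the storage device's record for one user: which device is
// primary and every registered device's public key, keyed by device identifier.
type Account struct {
	PrimaryID string
	Keys      map[string]ed25519.PublicKey
}

// FIDOServer stands in for the claimed server: the accounts map is the storage
// device and the methods are the processor logic (hypothetical model, not any cited reference's code).
type FIDOServer struct {
	accounts map[string]*Account
}

func NewFIDOServer() *FIDOServer {
	return &FIDOServer{accounts: make(map[string]*Account)}
}

// RegisterPrimary stores the public key generated by the first user device.
func (s *FIDOServer) RegisterPrimary(userID, deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed primary public key")
	}
	if _, exists := s.accounts[userID]; exists {
		return errors.New("account already has a primary device")
	}
	s.accounts[userID] = &Account{PrimaryID: deviceID, Keys: map[string]ed25519.PublicKey{deviceID: pub}}
	return nil
}

// SecondaryRegistration is the request the second user device sends; Signature
// is made by the primary device's private key over DevicePub (see signingMessage).
type SecondaryRegistration struct {
	UserID, DeviceID string
	DevicePub        ed25519.PublicKey
	Signature        []byte
}

// signingMessage binds the signed device public key to one account and device
// identifier so a captured signature cannot be replayed to enrol the key elsewhere.
func signingMessage(userID, deviceID string, pub ed25519.PublicKey) []byte {
	msg := []byte("fido-secondary-registration\x00" + userID + "\x00" + deviceID + "\x00")
	return append(msg, pub...)
}

// AuthorizeSecondary runs on the first (primary) device: it signs the second
// device's public key with the private key matching the registered public key.
func AuthorizeSecondary(primaryPriv ed25519.PrivateKey, userID, deviceID string, devicePub ed25519.PublicKey) []byte {
	return ed25519.Sign(primaryPriv, signingMessage(userID, deviceID, devicePub))
}

// RegisterSecondary verifies the signed device public key against the stored
// primary public key and registers the second device only on success.
func (s *FIDOServer) RegisterSecondary(req SecondaryRegistration) error {
	if len(req.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed device public key")
	}
	acct, ok := s.accounts[req.UserID]
	if !ok {
		return errors.New("unknown account")
	}
	if _, dup := acct.Keys[req.DeviceID]; dup {
		return errors.New("device identifier already registered")
	}
	msg := signingMessage(req.UserID, req.DeviceID, req.DevicePub)
	if !ed25519.Verify(acct.Keys[acct.PrimaryID], msg, req.Signature) {
		return errors.New("device public key is not signed by the account's primary device")
	}
	acct.Keys[req.DeviceID] = req.DevicePub // now registered as a secondary device
	return nil
}

func main() {
	srv := NewFIDOServer()
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader) // first device's key pair
	pub2, _, _ := ed25519.GenerateKey(rand.Reader)     // second device's key pair
	_ = srv.RegisterPrimary("alice", "phone", pub1)
	sig := AuthorizeSecondary(priv1, "alice", "laptop", pub2) // primary device signs
	err := srv.RegisterSecondary(SecondaryRegistration{"alice", "laptop", pub2, sig})
	fmt.Println("laptop registered as secondary:", err == nil)
}
```

Because the signed message includes the account and device identifier, a signature captured for one enrolment cannot be replayed to enrol the same key under another device identifier or another account.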
As per claim 4. Nambula as modified does teach the FIDO server of claim 1, wherein the processor is further configured to receive a request to access the user account at the FIDO server from the second user device [Kwon, paragraph: 0063, According to an embodiment, in operation 260-1, the client 230 may receive a user input requesting registration of the identification information. The registration of the identification information may indicate that the identification information of the user 205 stored in the eID token 210 is stored in the secure element 240. When an application (e.g., the application 146 of FIG. 1) or a web browser requires registration of a user account to store the identification information, the client 230 may receive the user input for requesting the registration of the user account through the application or the web browser.], verify that the request is signed by the private key of the first user device [Kwon, paragraph: 0142, lines 4 – 16, For example, the first electronic device 201 may perform the user authentication by performing a FIDO-based authentication protocol. The first electronic device 201 may receive a user input of biometric information from a user (e.g., the user 205 of FIG. 6), and transmit a digital signature value including a pre-registered public key and ensuring validity of the biometric information to an authentication server (e.g., the authentication server 225 of FIG. 6) to perform the FIDO-based authentication protocol.], and in response, grant the second user device access to the user account at the FIDO server [Kwon, paragraph: 0131, According to an embodiment, the second electronic device 501 may perform identity authentication for the transmission of the identification information before performing operation 705. For example, the second electronic device 501 may receive a user input of requesting registration of the identification information, and perform the identity authentication for a user (e.g., the user 205 of FIG. 6) in response to the received user input. According to an embodiment, the second electronic device 501 performs the identity authentication using at least one of a SMS, a video call, and biometric information to identity that the owner of the first electronic device 201 and the owner of the second electronic device 501 are the same person].
As per claim 5. Nambula as modified does teach the FIDO server of claim 1, wherein the processor is configured to generate an authorization challenge message and transmit the authorization challenge message to the first user device [Kwon, paragraph: 0113, lines 8 – 10, When the biometric information of the user 205 is valid, the second region 544 may generate a digital signature value by signing a random value received from the authentication server 225 using a private key of the key pair].
As per claim 6. Nambula as modified does teach the FIDO server of claim 5, wherein the processor is configured to receive an input from the first user device [Kwon, paragraph: 0113, lines 8 – 14, and transmit the digital signature value including a public key (e.g., a public key of the same type as the public key of FIG. 2) of the key pair to the authentication server 225. According to an embodiment, the second region 544 may transmit a UVI indicating information related to biometric authentication to the authentication server 225 together with the digital signature value], determine that the authorization challenge message is successful based on the received input [Kwon, paragraph: 0142, lines 4 – 16, For example, the first electronic device 201 may perform the user authentication by performing a FIDO-based authentication protocol. The first electronic device 201 may receive a user input of biometric information from a user (e.g., the user 205 of FIG. 6), and transmit a digital signature value including a pre-registered public key and ensuring validity of the biometric information to an authentication server (e.g., the authentication server 225 of FIG. 6) to perform the FIDO-based authentication protocol.], and register the second user device as the secondary user device of the user account at the FIDO server based on the successful authorization challenge [Kwon, paragraph: 0137, One embodiment of establishing a secure channel may refer to the operational flowchart 400 of FIG. 4. According to an embodiment, the second electronic device 501 may establish a first secure channel (e.g., the first secure channel of FIG. 6) with the server ... After the registration protocol is performed, the second electronic device 501 may request the server to establish a second secure channel (e.g., the second secure channel of FIG. 6) through the first secure channel. The second electronic device 501 may perform an authentication protocol to establish the second secure channel].
As per claim 7. Nambula as modified does teach the FIDO server of claim 1, wherein the device public key of the second user device is part of a passkey that includes a corresponding device private key held by the second user device [Kwon, paragraph: 0113, According to an embodiment, in operation 660-5, the second electronic device 501 may perform a FIDO-based registration protocol with the authentication server 225 through the second region 544 to simplify authentication for using the identification information of the user 205 in the electronic device 101. For example, the second region 544 may generate a key pair (e.g., a key pair of the same type as the first key pair of FIG. 2). When the biometric information of the user 205 is valid, the second region 544 may generate a digital signature value by signing a random value received from the authentication server 225 using a private key of the key pair, and transmit the digital signature value including a public key (e.g., a public key of the same type as the public key of FIG. 2) of the key pair to the authentication server 225. According to an embodiment, the second region 544 may transmit a UVI indicating information related to biometric authentication to the authentication server 225 together with the digital signature value.].
As per claim 8. Nambula as modified does teach the FIDO server of claim 1, wherein the processor is configured to establish a channel between the FIDO server and the first user device and simultaneously establish a channel between the FIDO server and the second user device [Kwon, paragraph: 0137, One embodiment of establishing a secure channel may refer to the operational flowchart 400 of FIG. 4. According to an embodiment, the second electronic device 501 may establish a first secure channel (e.g., the first secure channel of FIG. 6) with the server ... After the registration protocol is performed, the second electronic device 501 may request the server to establish a second secure channel (e.g., the second secure channel of FIG. 6) through the first secure channel. The second electronic device 501 may perform an authentication protocol to establish the second secure channel].
As per method claim 9, which includes the same or similar claim limitations as server claim # 1, it is similarly rejected.
As per method claim 12, which includes the same or similar claim limitations as server claim # 4, it is similarly rejected.
As per method claim 13, which includes the same or similar claim limitations as server claim # 5, it is similarly rejected.
As per method claim 14, which includes the same or similar claim limitations as server claim # 6, it is similarly rejected.
As per method claim 15, which includes the same or similar claim limitations as server claim # 7, it is similarly rejected.
As per method claim 16, which includes the same or similar claim limitations as server claim # 8, it is similarly rejected.
As per user device claim 17, which includes the same or similar claim limitations as server claim # 1, it is similarly rejected.
As per claim 18. Nambula as modified does teach the user device of claim 17, wherein the processor is configured to generate the asymmetric key pair via an instance of a mobile application installed on the user device [Kwon, paragraph: 0109, According to an embodiment, in operation 660-1, the client 530 may receive a user input of requesting registration (or storage) of the identification information. When an application or a web browser requires registration of a user account to store the identification information, the client 530 may receive the user input of requesting the registration of the user account through the application or the web browser.
Then further of Kwon, at Figure # 5, and paragraph: 0113, According to an embodiment, in operation 660-5, the second electronic device 501 may perform a FIDO-based registration protocol with the authentication server 225 through the second region 544 to simplify authentication for using the identification information of the user 205 in the electronic device 101. For example, the second region 544 may generate a key pair (e.g., a key pair of the same type as the first key pair of FIG. 2). When the biometric information of the user 205 is valid, the second region 544 may generate a digital signature value by signing a random value received from the authentication server 225 using a private key of the key pair, and transmit the digital signature value including a public key (e.g., a public key of the same type as the public key of FIG. 2) of the key pair to the authentication server 225. According to an embodiment, the second region 544 may transmit a UVI indicating information related to biometric authentication to the authentication server 225 together with the digital signature value.], and receive the message from a second instance of the mobile application installed on the second user device [Kwon, paragraph: 0123, lines 4 – 8, When the owner of the first electronic device 201 and the owner of the second electronic device 501 are the same person, the server 220 may transmit the identification information read from the secure element 240 of the first electronic device 201 to the first region 542 of the second electronic device 501 through the second secure channel.].
As per claim 19. Nambula as modified does teach the user device of claim 17, wherein the processor is configured to synchronize credentials between the user device and the second user device via a host platform that is network-connected to the user device and the second user device and which wirelessly synchronizes credentials stored at the user device and the second user device over a computer network [Kwon, paragraph: 0123, According to an embodiment, the server 220 may identify that the owner of the first electronic device 201 and the owner of the second electronic device 501 are the same person. When the owner of the first electronic device 201 and the owner of the second electronic device 501 are the same person, the server 220 may transmit the identification information read from the secure element 240 of the first electronic device 201 to the first region 542 of the second electronic device 501 through the second secure channel].
As per claim 20. Nambula as modified does teach the user device of claim 17, wherein the processor is configured to input a biometric credential via the user device, and transmit a signed challenge to the FIDO server with the signed device public key [Kwon, paragraph: 0142, According to an embodiment, the first electronic device 201 may perform user authentication to move the identification information before performing operation 805. For example, the first electronic device 201 may perform the user authentication by performing a FIDO-based authentication protocol. The first electronic device 201 may receive a user input of biometric information from a user (e.g., the user 205 of FIG. 6), and transmit a digital signature value including a pre-registered public key and ensuring validity of the biometric information to an authentication server (e.g., the authentication server 225 of FIG. 6) to perform the FIDO-based authentication protocol.].
Claim(s) 2, 3, 10, 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nambula et al. [US PGPUB # 2023/0318855] in view of Kwon et al. [US PGPUB # 2020/0275274] and Hui et al. [US PGPUB # 2015/0365238] as applied to claim[s] 1 above, and further in view of Vogel [US PGPUB # 20120109830].
As per claim 2. Nambula, Kwon, and Hui do teach what is taught in the rejection of claim 1 above.
Nambula and Kwon and Hui do not clearly teach the FIDO server of claim 1, wherein the processor is further configured to generate a mapping between an identifier of the user, an identifier of the first user device, and the public key generated by the first user device, and storing the mapping within a mapping table of the storage device.
However, Vogel does teach the FIDO server of claim 1, wherein the processor is further configured to generate a mapping between an identifier of the user, an identifier of the first user device, and the public key generated by the first user device, and storing the mapping within a mapping table of the storage device [paragraph: 0039, According to another embodiment, a three party social network arrangement comprises three relationship identifiers including a first user and a second user that share a private key-public key pair in a friend relationship and relate generally to a third party that does not share the public key-private key pair and is therefore not known to the first and second user and wherein the first and second user root level objects include a friends list and wherein propagating and replicating the three party social network comprises performing a query to search for common public keys using a party's device information in a first party and second user relationship.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nambula as modified and Vogel so that the sharing of data between users of first and second managed devices in an unsecure network of Nambula as modified includes the encrypting operations of Vogel. This would allow the data transiting between the first and second managed devices to be secured in encrypted form. See paragraph: 0015 of Vogel.
As per claim 3. Nambula as modified does teach the FIDO server of claim 2, wherein the processor is further configured to generate a second mapping between an identifier of the user, an identifier of the second user device, and the device public key of the second user device, and store the second mapping in association with the first mapping in the mapping table of the storage device [Vogel, paragraph: 0039, According to another embodiment, a three party social network arrangement comprises three relationship identifiers including a first user and a second user that share a private key-public key pair in a friend relationship and relate generally to a third party that does not share the public key-private key pair and is therefore not known to the first and second user and wherein the first and second user root level objects include a friends list and wherein propagating and replicating the three party social network comprises performing a query to search for common public keys using a party's device information in a first party and second user relationship. In other aspects the embodiment may variously include a query of device information data from one or more root level objects and associated nested friends lists in additional related level objects wherein the related objects create a third level list of contacts to invite as a new friend, a relationship identifier wherein a third party is unknown to the first and second user in the absence of a common public key and wherein a third party may not access or identify an individual in the social network.].
As per method claim 10, which includes the same or similar claim limitations as server claim # 2, it is similarly rejected.
As per method claim 11, which includes the same or similar claim limitations as server claim # 3, it is similarly rejected.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/ Primary Examiner, Art Unit 2434