DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application 18/471,505 filed on 9/21/2023.
Claims 1-20 have been examined and are pending in this application.
The examiner notes the IDS(s) filed on 5/6/2024 and 11/21/2025 have been considered.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 8-11, 13-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ji et al. (US 11,216,799 B1) in view of Grim (US 10,212,588 B1) and Aabye et al. (US 2010/0211504 A1).
Regarding Claim 1;
Ji discloses a method, comprising:
storing, by a server, a passcode that is generated based on a cryptogram read from a contactless card, wherein the passcode is generated responsive to a device detecting the contactless card (FIG. 1a – depicts Account Application 118 on Computing Device 102 w/ TAP of Contactless card 136 w/Cryptogram 134 and OTP Generator 142 on Sever 104 and col. 4, lines 56-59 - ...the user may tap the contactless card... and col. 6, lines 25-28 - The account application 118 may then transmit the cryptogram 134 to the server 104 with a request to generate an OTP and col. 6, lines 25-27and col. 7, lines 53-57 - In another embodiment, the account application 118 may transmit the user input to the OTP generator 142, which performs the comparison. If the OTP generator 142 performs the comparison, the OTP generator 142 transmits a comparison result to the account application 118 and col. 8, lines 67-col. 9, line 5), and wherein the passcode is associated with an account and a validity criterion (col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication... If the comparison results in a match, the account application may validate the OTP, and permit the requested operation, e.g., viewing account details, making a purchase, etc. If the comparison does not result in a match, the verification may fail, and the account application may reject or otherwise restrict performance of the requested operation).
receiving one or more requests, each request specifying to perform a respective operation associated with the account (FIG. 3 and col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication... If the comparison results in a match, the account application may validate the OTP, and permit the requested operation, e.g., viewing account details, making a purchase, etc. and col. 7, lines 53-57 and col. 8, lines 67-col. 9, line 5 and col. 9, lines 42-47 - In some embodiments, however, the account application 118 is executing in the foreground of the operating system 138 and need not be launched. In such embodiments, the user may request to perform an operation, such as viewing an account balance, transferring funds, etc. and col. 10, lines 10-14 ), each request further specifying a respective passcode ... (col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication... If the comparison results in a match, the account application may validate the OTP, and permit the requested operation, e.g., viewing account details, making a purchase, etc. and col. 9, lines 42-47 - In some embodiments, however, the account application 118 is executing in the foreground of the operating system 138 and need not be launched. In such embodiments, the user may request to perform an operation, such as viewing an account balance, transferring funds, etc.); and
upon determining that the passcode specified by a first request of the one or more requests matches the passcode stored by the server and that the validity criterion remains satisfied, authorizing the operation specified by the first request to be performed (col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication... If the comparison results in a match, the account application may validate the OTP, and permit the requested operation, e.g., viewing account details, making a purchase, etc. If the comparison does not result in a match, the verification may fail, and the account application may reject or otherwise restrict performance of the requested operation and col. 10, lines 10-14 - Additionally and/or alternatively, the account application 118 may authorize performance of an operation requested by the user based on the determination that the comparison results in a match and the decryption result 148).
Ji fails to explicitly disclose:
...each request further specifying a respective ... generated prior to the respective operation being specified; [and]
....wherein the operation is authorized without requiring the device to redetect the contactless card
However, in an analogous art, Grim teaches each request further specifying a respective [preemptive authorization response] generated prior to the respective operation being specified (col. 9, lines 46-col. 10, lines 10 - Pre-seeding as described above allows, in some embodiments, the mobile authentication device 208 to send a preemptive authorization response to the authentication service 206 which pre-authorizes certain types of actions... In response to preemptive authorization, the authentication service 206 is configured to respond to permission requests from authenticating service 204 without communicating with the mobile authentication device 208. Thus, when preemptive authorization for an action is indicated, there is no need for authentication service 206 to send a message to mobile authentication device 208 to determine whether the user of device 208 or software running on device 208 wishes to authorize that action).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Grim to the passcode of Ji to include ...each request further specifying a respective [preemptive authorization response] generated prior to the respective operation being specified, (i.e., applying such a teaching to the passcode).
One would have been motivated to combine the teachings Grim to Ji to do so as it provides / allows multi-factor authentication without significantly burdening the user while, at the same, time eliminating the need for complicated infrastructure implementations (Grim, col. 2, lines 34-38).
Further, in an analogous art, Aabye teaches ...wherein the operation is authorized without requiring the device to redetect the contactless card (FIG. 4 and [0056] - If interaction with the payment device is not required to proceed with a payment transaction, then the payment transaction may be performed; note that in some embodiments, the user may be asked to present the payment device in order to permit performance of the payment transaction, as the first presentment of the payment device (at stage 402) served to activate the payment application (as shown at stage 408) and [0069]).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Aabye to the operation of Ji in view of Grim to include ...wherein the operation is authorized without requiring the device to redetect the contactless card
One would have been motivated to combine the teachings Aabye to Ji in view of Grim to do so as it provides / allows a determination of whether consumer interaction is required before a transaction can be completed (Aabye, [0011]).
Regarding Claim 2;
Ji in view of Grim and Aabye disclose the method of claim 1.
Ji further discloses wherein the validity criterion comprises a validity period of time (col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication...)
Regarding Claim 3;
Ji in view of Grim and Aabye disclose the method of claim 1.
Ji further discloses wherein the operation specified by the first request is further authorized based on verifying authentication credentials for the account (col. 4,lines 44-55 - In some embodiments, to secure the account application 118 and/or associated data, e.g., details of the user's account in the account database 130, the system 100 may provide for secure generation of OTPs using the contactless card 136. For example, a user may provide authentication credentials to the account application 118, such as a username/password that are validated by the account application 118 (e.g., using a local instance of the account database 130 and/or transmitting the credentials to the server 104 for validation). Once validated, the account application 118 may instruct the user to tap the contactless card 136 to the computing device 102).
Regarding Claim 4;
Ji in view of Grim and Aabye disclose the method of Claim 2;
Ji further discloses ...the passcode... for the validity period (col. 2, lines 11-45 - Embodiments disclosed herein provide techniques to securely generate a one-time passcode (OTP) that may be used as a second form of authentication...)
Grim further teaches wherein the [preemptive authorization response] is generated responsive to a request to preemptively generate the [preemptive authorization response] for the validity period, wherein the [preemptive authorization response] is not otherwise generated responsive to any requested operation associated with the account, and wherein responsive to the request to preemptively generate the [preemptive authorization response] (col. 9, lines 46-col. 10, lines 10 - Pre-seeding as described above allows, in some embodiments, the mobile authentication device 208 to send a preemptive authorization response to the authentication service 206 which pre-authorizes certain types of actions... In response to preemptive authorization, the authentication service 206 is configured to respond to permission requests from authenticating service 204 without communicating with the mobile authentication device 208. Thus, when preemptive authorization for an action is indicated, there is no need for authentication service 206 to send a message to mobile authentication device 208 to determine whether the user of device 208 or software running on device 208 wishes to authorize that action and col. 10, lines 21-34 - In some embodiments, mobile device 208 is configured to send periodic preemptive permission responses using a time period between responses known to or derivable by the authentication service 206).
Similar rationale and motivation is noted for the combination of Grim to Ji in view of Grim and Aabye, as per claim 1, above.
Regarding Claim 8;
Ji in view of Grim and Aabye disclose the method of Claim 2;
Ji further discloses wherein the passcode specified by the first request is provided based on input received via an input device selected from a microphone, a touchscreen, a touchpad, a keyboard, and a pointing device (FIG. 2C and col. 16, lines 49-63).
Regarding Claim 9;
Ji in view of Grim and Aabye disclose the method of Claim 8;
Ji further discloses wherein the passcode specified by the first request is provided via at least one of a call-center agent or a web browser application (col. 7, lines 49-67 - In some embodiments, the user may provide the input to another application, such as the web browser 140 that has loaded a page associated with the OTP generator 142).
Regarding Claim 10;
Ji in view of Grim and Aabye disclose the method of Claim 8;
Ji further discloses further comprising: receiving a request to retrieve the passcode stored by the server (FIG. 1C – OTP (150) and FIG. 2C and col. 8, lines 51-54 - FIG. 2C is a schematic 200c illustrating an embodiment where the OTP 150 is sent to the computing device 102 as a push notification 202); and sending the passcode stored by the server to an application on the device, wherein the application outputs the passcode, wherein the passcode specified by the first request is provided based on the outputted passcode (FIG. 2B-2C and col. 8, lines 51-54 - FIG. 2C is a schematic 200c illustrating an embodiment where the OTP 150 is sent to the computing device 102 as a push notification 202).
Regarding Claim 11;
Ji in view of Grim and Aabye disclose the method of Claim 8;
Ji further discloses wherein the input device is operatively connected to (i) a first device comprising the device or (ii) a second device other than the device (FIG. 2C and col. 16, lines 49-63).
Regarding Claim 13;
Ji in view of Grim and Aabye disclose the method of Claim 1.
Ji further discloses wherein the cryptogram and a uniform resource locator (URL) are readable from the contactless card based on near field communication (NFC) (col. 2, lines 11-29 - In response to coming into communications range with the device, the contactless card may generate a data package comprising a cryptogram and a uniform resource locator (URL). An operating system of the device may read the data package and/or the URL and launch an account application on the device that is associated with the URL).
Regarding Claim 14;
Ji in view of Grim and Aabye disclose the method of Claim 13;
Ji further discloses wherein the server comprises an authentication server configured to: receive the cryptogram from the device (FIG. 3 and col. 9, lines 48-50 - In block 306, routine 300 transmits, by the account application 118, the cryptogram 134 to an authentication server 104.); transmit, to the device, a decryption result indicating that the authentication server has decrypted the cryptogram (FIG. 3 and col. 9, lines 53-55 - In block 308, routine 300 receives, by the account application 118, a decryption result 148 from the server 104 indicating the authentication server 104 decrypted the cryptogram 134); receive, from the device, a request for the passcode, the request comprising an identifier based on at least one of a customer identifier, an account identifier, a device identifier, or a card identifier (FIG. 3 and col. 9, lines 56-61 - n block 310, routine 300 transmits, by the account application 118 based on the decryption result, a request for a one-time passcode (OTP) comprising an identifier to the server 104. The identifier may be the unencrypted customer ID 116, the device identifier, and/or an identifier of the contactless card 136.); generate the passcode using a component of the authentication server, the component comprising a password generator that is accessible via the URL (FIG. 3 and col. 2, lines 26-27 - The account application may transmit an OTP request to an OTP generator at the URL and col. 9, lines 36-39 - and col. 9, lines 65-67 - In block 314, routine 300 receives, by the computing device 102 at the determined contact information, the OTP 150 from the OTP generator 142); and transmit the passcode to the device FIG. 3 and col. 9, lines 65-67 - In block 314, routine 300 receives, by the computing device 102 at the determined contact information, the OTP 150 from the OTP generator 142).
Regarding Claim(s) 15-17; claim(s) 15-17 is/are directed to a/an medium associated with the method claimed in claim(s) 1-3. Claim(s) 15-17 is/are similar in scope to claim(s) 1-3, and is/are therefore rejected under similar rationale.
Regarding Claim(s) 18-20; claim(s) 18-20 is/are directed to a/an system associated with the method claimed in claim(s) 1-3. Claim(s) 18-20 is/are similar in scope to claim(s) 1-3, and is/are therefore rejected under similar rationale.
Claim(s) 5-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ji et al. (US 11,216,799 B1) in view of Grim (US 10,212,588 B1) and Aabye et al. (US 2010/0211504 A1), and further in view of Harrison et al. (US 2005/0268345 A1).
Regarding Claim 5;
Ji in view of Grim and Aabye disclose the method of Claim 2;
Aabye further teaches concepts of ...the device to redetect the contactless card, before authorizing the operation specified by the second request to be performed (FIG. 4 - 406 and FIG. 5 and [0059] - As noted, if interaction with the consumer's payment device is required prior to conducting a payment transaction, then the interaction is performed prior to performing the payment transaction... [0060]-[0061] - As shown in FIG. 5, the determination of whether interaction with the consumer's payment device is required is made by considering whether at least one of the payment application (or the payment device), the Issuer, or the device reader (or point of sale terminal) has requested or required that the payment device be presented for performing some type of interaction prior to conducting a payment transaction.. For example, at stage 502 the exemplary process determines if the payment application or payment device has requested a consumer action prior to execution of a payment transaction. Such an action might be requested to provide consumer data such as a consumer input, permit configuration or re-configuration of an application or device function or operation; for example, enabling or disabling a function, transferring data to an Issuer or payment processor, etc.).
Similar rationale and motivation is noted for the combination of Aabye to Ji in view of Grim and Aabye, as per claim 1, above.
Ji in view of Grim and Aabye fail to explicitly disclose further comprising: upon determining that the passcode specified by a second request of the one or more requests does not match the passcode stored by the server and that the validity period has not elapsed, requiring (i) a matching passcode to be provided....
However, in an analogous art, Harrison teaches further comprising: upon determining that the passcode specified by a second request of the one or more requests does not match the passcode stored by the server and that the validity period has not elapsed, requiring (i) a matching passcode to be provided... (FIG. 2 and [0023] and [0044] and [0067] - If the provider password checker 136 determines that the provider password 172 matches the user password 142, and if user password timer 134 determines that the user password 142 is valid, then the support service provider will be allowed access to the resources of network device 130 over communications link 182. However, if either provider password 172 does not match user password 142 or if the user password 142 has expired (i.e., the user password is not valid), then the support service provider will not be allowed to access to the resources of network device 130. After the determination of step 250 is performed, processing proceeds to step 260). As reasonably construed FIG. 2 can be repeated.
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Harrison to the passcode/validity period of Ji in view of Grim and Aabye to include further comprising: upon determining that the passcode specified by a second request of the one or more requests does not match the passcode stored by the server and that the validity period has not elapsed, requiring (i) a matching passcode to be provided....
One would have been motivated to combine the teachings Harrison to Ji in view of Grim and Aabye to do so as it provides / allows to enable ... control when [a] provider may access the network device (Harrison, [0011]).
Regarding Claim 6;
Ji in view of Grim and Aabye disclose the method of Claim 2;
Aabye further teaches concepts of ...requiring the device to redetect the contactless card before authorizing the operation specified by the third request to be performed (FIG. 4 - 406 and FIG. 5 and [0059] - As noted, if interaction with the consumer's payment device is required prior to conducting a payment transaction, then the interaction is performed prior to performing the payment transaction... [0060]-[0061] - As shown in FIG. 5, the determination of whether interaction with the consumer's payment device is required is made by considering whether at least one of the payment application (or the payment device), the Issuer, or the device reader (or point of sale terminal) has requested or required that the payment device be presented for performing some type of interaction prior to conducting a payment transaction.. For example, at stage 502 the exemplary process determines if the payment application or payment device has requested a consumer action prior to execution of a payment transaction. Such an action might be requested to provide consumer data such as a consumer input, permit configuration or re-configuration of an application or device function or operation; for example, enabling or disabling a function, transferring data to an Issuer or payment processor, etc.).
Similar rationale and motivation is noted for the combination of Aabye to Ji in view of Grim and Aabye, as per claim 1, above.
Ji in view of Grim and Aabye fail to explicitly disclose further comprising: upon determining that the passcode specified by a third request of the one or more requests matches the passcode stored by the server and that the validity period has elapsed....
However, in an analogous art, Harrison teaches further comprising: upon determining that the passcode specified by a third request of the one or more requests matches the passcode stored by the server and that the validity period has elapsed... (FIG. 2 and [0023] and [0044] and [0067] - If the provider password checker 136 determines that the provider password 172 matches the user password 142, and if user password timer 134 determines that the user password 142 is valid, then the support service provider will be allowed access to the resources of network device 130 over communications link 182. However, if either provider password 172 does not match user password 142 or if the user password 142 has expired (i.e., the user password is not valid), then the support service provider will not be allowed to access to the resources of network device 130. After the determination of step 250 is performed, processing proceeds to step 260).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Harrison to the passcode/validity period of Ji in view of Grim and Aabye to include further comprising: upon determining that the passcode specified by a third request of the one or more requests matches the passcode stored by the server and that the validity period has elapsed....
One would have been motivated to combine the teachings Harrison to Ji in view of Grim and Aabye to do so as it provides / allows to enable ... control when [a] provider may access the network device (Harrison, [0011]).
Regarding Claim 7;
Ji in view of Grim and Aabye disclose the method of Claim 2;
Aabye further teaches concepts of ...requiring the device to redetect the contactless card before authorizing the operation specified by the third request to be performed (FIG. 4 - 406 and FIG. 5 and [0059] - As noted, if interaction with the consumer's payment device is required prior to conducting a payment transaction, then the interaction is performed prior to performing the payment transaction... [0060]-[0061] - As shown in FIG. 5, the determination of whether interaction with the consumer's payment device is required is made by considering whether at least one of the payment application (or the payment device), the Issuer, or the device reader (or point of sale terminal) has requested or required that the payment device be presented for performing some type of interaction prior to conducting a payment transaction.. For example, at stage 502 the exemplary process determines if the payment application or payment device has requested a consumer action prior to execution of a payment transaction. Such an action might be requested to provide consumer data such as a consumer input, permit configuration or re-configuration of an application or device function or operation; for example, enabling or disabling a function, transferring data to an Issuer or payment processor, etc.).
Similar rationale and motivation is noted for the combination of Aabye to Ji in view of Grim and Aabye, as per claim 1, above.
Ji in view of Grim and Aabye fail to explicitly disclose upon determining that the passcode specified by a fourth request of the one or more requests does not match the passcode stored by the server and that the validity period has elapsed....
However, in an analogous art, Harrison teaches upon determining that the passcode specified by a fourth request of the one or more requests does not match the passcode stored by the server and that the validity period has elapsed.... (FIG. 2 and [0023] and [0044] and [0067] - If the provider password checker 136 determines that the provider password 172 matches the user password 142, and if user password timer 134 determines that the user password 142 is valid, then the support service provider will be allowed access to the resources of network device 130 over communications link 182. However, if either provider password 172 does not match user password 142 or if the user password 142 has expired (i.e., the user password is not valid), then the support service provider will not be allowed to access to the resources of network device 130. After the determination of step 250 is performed, processing proceeds to step 260).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Harrison to the passcode/validity period of Ji in view of Grim and Aabye to include upon determining that the passcode specified by a fourth request of the one or more requests does not match the passcode stored by the server and that the validity period has elapsed....
One would have been motivated to combine the teachings Harrison to Ji in view of Grim and Aabye to do so as it provides / allows to enable ... control when [a] provider may access the network device (Harrison, [0011]).
Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ji et al. (US 11,216,799 B1) in view of Grim (US 10,212,588 B1) and Aabye et al. (US 2010/0211504 A1), and further in view of Fiske (US 2006/0107063 A1).
Regarding Claim 12;
Ji in view of Grim and Aabye disclose the method of Claim 1;
Ji in view of Grim and Aabye fail to explicitly disclose wherein the one or more requests comprise a plurality of requests, and wherein the respective operation of each of the plurality of requests is authorized based on a same passcode stored by the server. However, in an analogous art, Fiske teaches wherein the one or more requests comprise a plurality of requests, and wherein the respective operation of each of the plurality of requests is authorized based on a same passcode stored by the server ([0028] - System 100 is an example of a system in which the security of a secure entity is kept by requiring a user to submit a passcode (e.g., a password) in order to gain access to the secure entity and [0031] - In an alternative embodiment, the passcode may be used multiple times prior to being discarded).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Fiske to the passcode of Ji in view of Grim and Aabye to include wherein the one or more requests comprise a plurality of requests, and wherein the respective operation of each of the plurality of requests is authorized based on a same passcode stored by the server.
One would have been motivated to combine the teachings Fiske to Ji in view of Grim and Aabye to do so as it provides / allows to prevent access to an entity by unauthorized entities (Fiske, [0002]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439