Prosecution Insights
Last updated: July 17, 2026
Application No. 18/550,246

MULTI-FACTOR AUTHENTICATION SYSTEM AND METHOD

Non-Final OA §103
Filed
Sep 12, 2023
Priority
May 13, 2021 — provisional 63/188,356 +1 more
Examiner
AVERY, BRIAN WILLIAM
Art Unit
2495
Tech Center
2400 — Computer Networks
Assignee
Visa International Service Association
OA Round
3 (Non-Final)
60%
Grant Probability
Moderate
3-4
OA Rounds
3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 60% of resolved cases
60%
Career Allowance Rate
52 granted / 86 resolved
+2.5% vs TC avg
Strong +54% interview lift
Without
With
+53.9%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
14 currently pending
Career history
118
Total Applications
across all art units

Statute-Specific Performance

§103
94.8%
+54.8% vs TC avg
§102
2.3%
-37.7% vs TC avg
§112
2.6%
-37.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 86 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to the amendment filed on 02/02/2026 and RCE filed on 03/02/2026. Claims 1-2, 4-10, 12-19, and 21 are currently pending in the filing of 02/02/2026, claims 1-10 and 12-19 were pending in the previous filing of 9/15/2025. Claims 11 and 20 were previously cancelled. Claim 3 is presently cancelled and claim 21 is newly added in the amendment filed on 02/02/2026. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/02/2026 has been entered. Response to Applicant’s Amendments / Arguments Regarding 35 U.S.C. § 103 The applicant’s remarks, on pages 8-10 of the response / amendment, the applicant argues the features which allegedly distinguish over the previously cited references cited in the 35 U.S.C. § 103 rejections. Applicant’s arguments have been considered but are moot in view of the new ground(s) of rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 5-10, 12, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190164156 to Lindemann al. (hereinafter Lindemann), in view of US 20160125416 to Spencer et al. (hereinafter Spencer), in view of US 10867057 to Knas et al. (hereinafter Knas), in view of US 20200026917 to Qin et al. (hereinafter Qin). Regarding claim 1, Lindemann teaches, A method comprising: receiving, by a client computer from a server computer, a challenge, ([0401] teaches random challenge provided from the relying party to client device, where client signs transaction details and nonce / challenge to prove details have not been modified (intercepted). See also [0170].) displaying, by the client computer, objects from the object list to a user; ([0306] teaches displaying screen layouts mixing text, empty regions, images and video clips … to non-intrusively induce user’s eye movement.) determining, by the client computer, that the user has visually selected an object from the object list; ([0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner. This information is combined with facial biometrics and other authentication techniques to arrive at a level of assurance.) moving, by the client computer, the selected object on a display of the client computer according to the target screen coordinates; ([0306] teaches displaying video clips, which move objects on a screen, and also teaches mixing the objects, such as texts.) capturing, by the client computer, a biometric of the user; (fig. 1 and [0002] teach a client 120 that captures user biometric input with sensor 102.) comparing, by the client computer the biometric to another biometric stored in the client computer to provide a first comparison output; (fig. 1 and [0002] teach matcher module 104 that compares extracted features from sensor 102 with stored biometric reference data 110, all of which are performed in client 120.) comparing, by the client computer, a ([0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner. This information is combined with facial biometrics and other authentication techniques to arrive at a level of assurance.) (applicant’s printed publication at [0055] describes derivatives as encryptions of the selected object.) signing, by the client computer, the challenge with a private key; and ([0401] teaches random challenge provided from the relying party to client device, where client signs transaction details and nonce / challenge to prove details have not been modified (intercepted). See also [0170]) sending, by the client computer to the server computer, the signed challenge, (See [0401] below.) an indication of the first comparison output, an indication of the second comparison output, (See [0243-245] below) (Regarding signed challenge, [0401] teaches random challenge provided from the relying party to client device, where client signs transaction details and nonce / challenge to prove details have not been modified (intercepted). The transaction is verified by the signed token including transaction details and nonce (challenge). See also [0170]. Additionally, regarding first and “second comparison output”, [0243] teaches TPM based authentication inside the client. Fig. 23 & [0245] teaches providing authentication results to relying party 1750. fig. 32 & [0398] teaches multi-factor authentication \ multiple results.) Lindemann fails to teach comparing a derivative (encrypted object) of the selected object to an object stored in memory, However, Spencer teaches, comparing, by the client computer, a derivative of the (Claim 22 teaches a hashed object of user data that is matched with stored hashed user data.) (applicant’s printed publication at [0055] describes derivatives as encryptions of the selected object.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann with the added ability to store derivative data (e.g., hashed data) and perform comparisons to other derivative data, as taught by Spencer, for the purpose of increasing security by not storing the original data in an unsecure format. Lindemann and Spencer fail to explicitly teach the use of random locations / random vectors for locations that the user’s eyes are to travel when performing eye tracking authentication, However, Knas teaches, determining, by the client computer, screen coordinates corresponding to eye movements of the user as the user's eyes follow the selected object as the selected object moves according to the screen coordinates; (Col. 20, lines 11-30 (75) teaches server receiving eye tracking information from user eye-tracking device, and authenticating the user, where the locations that the user is told to view are random due to being pre-determined / dynamic, as discussed in Col. 18, lines 22-30. Col. 19, lines 35-65 (73) teaching a server that uses eye tracking from another device.) sending, by the client computer to the server computer, coordinates or a derivative thereof, (Col. 20, lines 11-30 (75) teaches server receiving eye tracking information from user eye-tracking device.) wherein the server computer then determines that a determined vector from the determined screen coordinates matches a random vector useable to generate to the screen coordinates, . (Col. 19, lines 35-65 (73) teaching a server that uses eye tracking from another device. Col. 18, lines 22-36 (68) teaches random choosing of authentication methods, preferences, where pre-determined methods are dynamic. See also Col. 20, lines 11-30, discussed above.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann and Spencer with the added ability to have a server analyze eye tracking data for the purpose of authentication and providing random / dynamic locations for the user to look at or gaze as part of the authentication, as taught by Knas, for the purpose of increasing security by having a server perform the authentication of eye tracking data and providing random locations so that the eye tracking data changes with each authentication. Lindemann, Spencer, and Knas fail to explicitly teach a server providing the screen coordinates and the object list, However, Qin teaches, receiving, by a client computer from a server computer, (Qin, [0133] teaches where one piece of target point information may be sent by the server to the terminal, or two or more pieces of target point information may be successively sent by the server to the terminal in chronological order. [0134-136] teaches target point information includes coordinates of target point on screen / “target screen coordinates” and displaying the target point, which may be point, number, or a geometric figure / "object list". See also [0146-147].) (Lindemann, [0306] teaches screen layouts \ “target screen coordinates” including mixing text and images “object list”, which are not explicitly taught as being provided by a server / external computer.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, and Knas with the added ability to have a server provide target coordinates and objects, as taught by Qin, for the purpose of increasing security by having an external server provide the eye movement target information used for authentication. Regarding claim 5, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein determining, by the client computer, that the user has visually selected the object from the object list comprises detecting eye movement of the user and determining by an eye tracking module in the client computer that the user has visually selected the object. (Lindemann, [0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner.) Regarding claim 6, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the biometric is a retinal scan of the user. (Lindemann, [0095] teaches a retina scan of user for biometric authentication.) Regarding claim 7, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein capturing the biometric of the user occurs before the user visually selects the object. (Lindemann, [0240] teaches after biometric authentication, other methods of authentication may then be used, such as eye tracking as taught in [0306].) Regarding claim 8, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the challenge is a random number. (Lindemann, [0112] teaches the use of a random / nonce in the challenge.) Regarding claim 9, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the first comparison output comprises a likelihood indicator. (Lindemann, [0002] teaches biometric authentication above a threshold. [0240] teaches biometric authentication that has less than a 1 in 1000 false acceptance rate.) Regarding claim 10, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the derivative of the selected object and the derivative of the object are hash values. (Spencer, Claim 22 teaches a hashed object of user data that is matched with stored hashed user data.) (applicant’s printed publication at [0055] describes derivatives as encryptions of the selected object.) Regarding claim 12, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the client computer determines that the determined screen coordinates match the screen coordinates, or determines that a determined random vector from the determined screen coordinates corresponds to the random vector to produce a third comparison output, and wherein the client computer sends the third comparison output to the server computer. ([0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner, teaching the client determining screen coordinates.) (Knas, Col. 19, lines 30-50.) Regarding claim 14, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein the first (Knas, Col. 4, line 63 to Col. 5, line 15 teaches the server authenticating using biometrics. (12)) and second comparison outputs are verified by the server computer. (Col. 20, lines 11-30 (75) teaches server receiving eye tracking information from user eye-tracking device, and authenticating the user.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann and Spencer with the added ability to have a server analyze eye tracking data for the purpose of authentication and providing random / dynamic locations for the user to look at or gaze as part of the authentication, as taught by Knas, for the purpose of increasing security by having a server perform the authentication of eye tracking data and providing random locations so that the eye tracking data changes with each authentication. Regarding claim 15, Lindemann teaches, A client computer comprising: a processor; (fig. 31 and [0357] teaches a processor. Fig. 11 teaches protection logic 1110.) a display coupled to the processor; and (fig. 11 teaches secure display 1107.) a non-transitory computer readable medium comprising code, executable by the processor, for performing operations including: (Abstract teaches a machine readable medium.) Lindemann, Spencer, Knas, and Qin teach, receiving, from a server computer, a challenge, target screen coordinates, and an object list, displaying, on the display, objects from the object list to a user, determining that the user has visually selected an object from the object list, moving the selected object on the display of the client computer according to the target screen coordinates, determining screen coordinates corresponding to eye movements of the user as the user's eyes follow the selected object as the selected object moves according to the target screen coordinates; capturing a biometric of the user, comparing, the biometric to another biometric stored in the client computer to provide a first comparison output, comparing, a derivative of the selected object to a derivative of an object stored in the client computer to produce a second comparison output, signing the challenge with a private key, and sending, to the server computer, the signed challenge, an indication of the first comparison output, an indication of the second comparison output, and the determined screen coordinates or a determined random vector from the determined screen coordinates, wherein the server computer then determines that the determined vector from the determined screen coordinates matches a random vector useable to generate the screen coordinates, verifies the signed challenge with a public key corresponding to the private key, and provides access to a resource after the signed challenge is verified and the first and second comparison outputs are verified. Claim 15 is rejected using the same basis of arguments used to reject claim 1 above. Claims 2, 4, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lindemann, in view of Spencer, in view of Knas, in view of Qin, in view of US 20180310171 to Whitaker et al. (hereinafter Whitaker). Regarding claim 2, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, wherein other objects in the object list are also moved according to the screen coordinates, … (Lindemann, [0306] teaches displaying video clips, which move objects on a screen, and also teaches mixing the objects, such as texts.) before receiving the challenge ([0565] teaches the client provides authentication information, and then the challenge is generated after comparing the authentication data collected from the user.) Lindemann, Spencer, Knas, and Qin fail to explicitly teach including object lists and coordinates are included with a challenge, However, Whitaker teaches, ([0088] teaches a challenge made up of images of friends and random images of non-friends that the user must distinguish between friend and non-friend for authentication. [0088] further teaches a challenge made up of images of friends and random images of non-friends that the user must distinguish between friend and non-friend for authentication. [0086] teaches challenge data including coordinates of presented images. [0087] teaches user having to tap on a particular object in the image of fig. 10 (e.g., identifying a friend). [0005] also teaches randomizing location of a tap object on the mobile device.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]), with Whitaker, which also teaches challenge-response (fig. 10 & [0086-87]), and additionally teaches the generation of complicated challenges using location data and the random selection of images to be chosen by the user ([0088]). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, Knas, and Qin with the added ability to generate challenges based on user known data that is confirmed by the user, as taught by Whitaker, for the purpose of increasing security by testing the user’s knowledge of friends / associates based on social media accounts. Regarding claim 4, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, Lindemann, Spencer, Knas, and Qin teach fail to teach including object lists in an array, However, Whitaker teaches, wherein the objects in the object list are displayed on the display of the client computer in a one or two-dimensional array. (fig. 6 and [0075] teach displaying the challenge in an array. See also, fig. 11, where images are provided in a one dimensional array) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]), with Whitaker, which also teaches challenge-response, and additionally teaches the generation of complicated challenges using location data and the random selection of images to be chosen by the user. One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, Knas, and Qin with the added ability to generate challenges based on user known data that is confirmed by the user, as taught by Whitaker, for the purpose of increasing security by testing the user’s knowledge of friends / associates based on social media accounts. Regarding claim 16, Lindemann, Spencer, Knas, Qin, and Whitaker teach, A method comprising: transmitting, by a server computer to a client computer, a challenge, an object list, and a random vector, (Whitaker, [0088] teaches a challenge made up of images of friends and random images of non-friends that the user must distinguish between friend and non-friend for authentication. [0086] teaches challenge data including coordinates of presented images. [0005] also teaches randomizing location of a tap object on the mobile device. These features teach receiving a challenge, object lists and coordinates / random vector together and are similar to the previous rejection of claim 3, which has been cancelled.) wherein the client computer is programmed to determine screen coordinates using the random vector, display objects from an object list to a user, determine that the user has visually selected an object from the object list, move the selected object on a display of the client computer according to the screen coordinates, determine screen coordinates corresponding to eye movements of the user as the user's eyes follow the selected object moves according to the screen coordinates, capture a biometric of the user, compare the biometric to another biometric stored in the client computer to provide a first comparison output, compare a derivative of the selected object to a derivative of an object stored in the client computer to produce a second comparison output, and sign the challenge with a private key; … corresponding to the determined screen coordinates; determining, by the server computer that the determined screen coordinates match the previously sent screen coordinates or that a determined vector from the determined screen coordinates matches the random vector; and Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]), with Whitaker, which also teaches challenge-response (fig. 10 & [0086-87]), and additionally teaches the generation of complicated challenges using location data and the random selection of images to be chosen by the user ([0088]). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, Knas, and Qin with the added ability to generate challenges based on user known data that is confirmed by the user, as taught by Whitaker, for the purpose of increasing security by testing the user’s knowledge of friends / associates based on social media accounts. The above portions of claim 16 are rejected using the same basis of arguments used to reject claim 1, and the additional feature of Whitaker, receiving, by the server computer the signed challenge (Lindemann, [0401] teaches random challenge provided from the relying party to client device, where client signs transaction details and nonce / challenge to prove details have not been modified (intercepted). See also [0170]) an indication of the first comparison output, and an indication of the second comparison output; (Lindemann, [0243] teaches TPM based authentication inside the client. Fig. 23 & [0245] teaches providing authentication results to relying party 1750. fig. 32 & [0398] teaches multi-factor authentication \ multiple results.) verifying, by the server computer the signed challenge with a public key corresponding to the private key; and (Lindemann, [0401] teaches the relying party verifying the signed token.) … providing access to a resource after the signed challenge is verified and the first and second comparison outputs are verified. (Lindemann, [0401] teaches if verification succeeds. [0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner. This information is combined with facial biometrics and other authentication techniques to arrive at a level of assurance.) (see also rejection of claim 1 above, including the same cited portions of Lindemann.) Regarding claim 17, Lindemann, Spencer, Knas, Qin, and Whitaker teach, The method of claim 16, wherein the resource comprises data, access to a host site, or a credential. (Lindemann, [0018] teaches that the authentication in Lindemann may be used to access restricted data.) Regarding claim 18, Lindemann, Spencer, Knas, Qin, and Whitaker teach, The method of claim 16, further comprising: before transmitting the challenge, receiving, by the server computer from the client computer, a client ID and an authenticator, wherein the server computer thereafter generates the challenge, the object list, and the screen coordinates based upon a random vector, and wherein the screen coordinates and the object list are sent by the server computer to the client computer. Claim 18 is rejected using essentially the same basis of arguments used to reject claim 2 above. Regarding claim 19, Lindemann, Spencer, Knas, Qin, and Whitaker teach, The method of claim 16, wherein the biometric and the biometric are retinal scans. Claim 19 is rejected using the same basis of arguments used to reject claim 6 above. Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Lindemann, in view of Spencer, in view of Knas, in view of Qin, in view of US 20200304488 to Mimis (hereinafter Mimis). Regarding claim 13, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, Lindemann, Spencer, Knas, and Qin fail to explicitly teach randomness information and a list being sent along with the challenge, However, Mimis teaches, wherein a random vector and the object list are received by the client computer from the server computer along with the challenge, and wherein the screen coordinates are based on the random vector, and wherein the method further comprises: ([0049-50] teaches a challenge with initial random character positions and mapping of a list of characters. [0051-53] structuring the challenge based on the random character positions and mapping of the list of characters. fig. 5, show list of characters, fig. 6 shows character position information, fig. 7 shows result of character position information that is used to structure the challenge.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]), with Mimis, which also teaches challenge-response for authentication using objects / lists, and additionally teaches the use of a randomizing information along with a list of objects, where the list of objects may be mixed using the randomization information to create a challenge. One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, Knas, and Qin with the added ability to use a list of objects (characters) and a randomization mapping to mix the characters when creating a challenge, as taught by Mimis, for the purpose increasing efficiency in communications by specifying the randomization separately from the raw data, and to increase security by utilizing randomized challenge objects. Lindemann teaches, determining, by the client computer, screen coordinates corresponding to eye movements of the user as the user's eyes follow the selected object as the selected object moves according to the determined screen coordinates, … (Lindemann, [0306] teaches eye-tracking techniques are used to verify that the eyes are reacting to the screen layout in an expected manner.) (see also Knas, further discussed below.) Lindemann and Spencer and Mimis fail to teach sending the screen coordinates of the eye movements to a server, where the server determines if there is a match, However, Knas teaches, … and wherein the client computer sends the determined screen coordinates or a determined random vector corresponding to the determined screen coordinates to the server computer, and (Col. 20, lines 11-30 (75) teaches server receiving eye tracking information from user eye-tracking device, and authenticating the user.) wherein the server computer determines that the determined screen coordinates match the previously sent screen coordinates or determines that a determined vector from the determined screen coordinates corresponds to the random vector. (Col. 19, lines 35-65 (73) teaching a server that uses eye tracking. Col. 18, lines 22-36 (68) teaches random choosing of authentication methods, preferences.) (Additionally, Lindemann, [0306] teaches displaying video clips, which move objects on a screen, and also teaches mixing the objects, such as texts or images.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann and Spencer with the added ability to have a server analyze eye tracking data for the purpose of authentication and providing random / dynamic locations for the user to look at or gaze as part of the authentication, as taught by Knas, for the purpose of increasing security by having a server perform the authentication of eye tracking data and providing random locations so that the eye tracking data changes with each authentication. Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Lindemann, in view of Spencer, in view of Knas, in view of Qin, in view of US 20190098003 to Ota (hereinafter Ota). Regarding claim 21, Lindemann, Spencer, Knas, and Qin teach, The method of claim 1, further comprising: . (Lindemann, [0243] teaches TPM based authentication using biometrics. [0161] teaches biometric authentication and attestation using TEEs, where [0339] teaches attestation by the TEE using signatures and an attestation key / “private key”.) Lindemann, Spencer, Knas, and Qin fail to explicitly teach transferring the private key and biometric to SE/TEE. However, Ota teaches, transferring the biometric of the user and the private key to a SE/TEE (secure element/trusted execution environment) in the client computer. (Ota, [0033] teaches storing biometric and private key in TPM. [0048] & [0060] teaches key creation unit creating public/private key and storing private key in TPM. [0029] & fig. 2c teaches sensor 257 that acquires biometric information external to TPM 255.) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of Lindemann, which teaches using eye tracking (visual selection) as a factor in authentication ([0306]), and teaches challenge response authentication as another factor, and teaches biometric retina authentication as another factor (fig. 1 & [0002]) and Trusted Platform Modules (TPMs) used in authentication ([0095]), with Spencer, which also teaches biometric authentication including retina authentication ([0058]), and additionally teaches comparing derivate object data (e.g., hashed or encrypted object data) with other derivative object data for authentication matching (claim 22), with Knas, which also teaches biometric authorization and the use of eye tracking for authentication (Col. 19, lines 35-65 and Col. 20, lines 11-30), and additionally teaches providing user eye tracking movements to a server for analysis and matching and also teaches providing the user with dynamic / random locations to look at for authentication (Col. 18, lines 22-36 and Col. 20, lines 11-30), with Qin, which also teaches eye information that tracks eye gaze for authentication (Abstract), and additionally teaches target point information includes coordinates of target point on screen and displaying the target point, which may be point, number, or a geometric figure ([0134-136]), with Ota, which also teaches Trusted Platform modules used in authentication (Abstract & [0033]), and additionally teaches transferring private keys and biometrics to the TPM for storage ([0033]). One of ordinary skill in the art would have been motivated to perform such an addition to provide Lindemann, Spencer, Knas, and Qin with the added ability to provide private keys externally to a TPM, as taught by Ota, for the purpose of increasing security by using stored private keys and increasing computational efficiency by allowing private key generation external to the TPM which has limited processing power. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRIAN WILLIAM AVERY whose telephone number is (571) 272-3942. The examiner can normally be reached on 9AM-5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /B.W.A./ /JASON K GEE/Primary Examiner, Art Unit 2495
Read full office action

Prosecution Timeline

Show 6 earlier events
Dec 02, 2025
Final Rejection mailed — §103
Dec 31, 2025
Interview Requested
Jan 14, 2026
Applicant Interview (Telephonic)
Jan 23, 2026
Examiner Interview Summary
Feb 02, 2026
Response after Non-Final Action
Mar 02, 2026
Request for Continued Examination
Mar 15, 2026
Response after Non-Final Action
Jun 05, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676839
Digital Rights Management DRM Method, Apparatus, and System
3y 10m to grant Granted Jul 07, 2026
Patent 12665773
SYSTEM AND METHOD FOR AUTHENTICATION IN A CLIENT-SERVER CONNECTION USING CHALLENGE APPLIED TO A SECRET KEY
3y 2m to grant Granted Jun 23, 2026
Patent 12619703
AUTHORIZED REMOTE MOBILE DEVICE MANAGEMENT OF A TARGETED MANAGED DEVICE
3y 8m to grant Granted May 05, 2026
Patent 12609925
SYSTEMS AND METHODS FOR MONITORING DECENTRALIZED DATA STORAGE
4y 1m to grant Granted Apr 21, 2026
Patent 12587381
METHOD AND SYSTEM FOR MONITORING AND CONTROLLING HIGH RISK SUBSTANCES
4y 7m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
60%
Grant Probability
99%
With Interview (+53.9%)
3y 1m (~3m remaining)
Median Time to Grant
High
PTA Risk
Based on 86 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month