Office Action Predictor
Last updated: April 15, 2026
Application No. 18/554,137

METHOD FOR CONTROLLING ACCESS TO A GOOD OR SERVICE DISTRIBUTED BY A DATA COMMUNICATION NETWORK

Final Rejection §103
Filed
Oct 05, 2023
Examiner
LYNCH, SHARON S
Art Unit
2438
Tech Center
2400 — Computer Networks
Assignee
Hiasecure
OA Round
2 (Final)
76%
Grant Probability
Favorable
3-4
OA Rounds
2y 6m
To Grant
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allow Rate
317 granted / 419 resolved
+17.7% vs TC avg
Strong +50% interview lift
Without
With
+50.4%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
22 currently pending
Career history
441
Total Applications
across all art units

Statute-Specific Performance

§101
18.5%
-21.5% vs TC avg
§103
50.9%
+10.9% vs TC avg
§102
1.2%
-38.8% vs TC avg
§112
20.3%
-19.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 419 resolved cases

Office Action

§103
DETAILED ACTION This final office action has been issued in response to communications received on 10/07/2025. Claims 1, 4, 7 and 12-21 were amended. Claim 11 was previously cancelled. Claims 1-10 and 12-21 are presented for examination. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s amendments to claims 7 and 18, filed 10/07/2025, are sufficient to clarify which terminal is being referenced. Accordingly, the objection to claims 7 and 18 is withdrawn. Applicant’s amendments to claims 12-21 making claim 12 an independent claim with claims 13-21 dependent claims of claim 12 is sufficient to overcome the objection to the claims as being of a different statutory class from which it depended. Accordingly, the objection to claims 12-21 is withdrawn. Applicant’s amendments to claims 4 and 15, filed 10/07/2025, specifying that the photographic capture of the token “displayed on the access terminal by” the authentication terminal is sufficient to clarify that the limitation does not contradict the claims from which 4/15 depend. Accordingly, the rejection of claims 4 and 15 under 35 USC 112(b) is withdrawn. Applicant’s amendments to claims 1 and 12, filed 10/07/2025, clarifying the step of transmitting information for identifying the authenticated identity of the user from the authentication server to the platform is sufficient to overcome the indefiniteness of claims 10 and 21. Accordingly, the rejection of claims 10 and 21 under 35 USC 112(b) is withdrawn. Applicant’s remarks regarding the rejection of the claims under 103 have been considered, but are found unpersuasive. Applicant argues on pages 13-14 of the Remarks that Eisen does not teach the claim limitation “a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user”, however the Examine respectfully disagrees. Eisen teaches an identity authentication service provides different levels of authentication including authenticating user biometric data input and answers/responses to security challenge questions provided by a user (paras. [0034], [0063], [0067], [0144], [0148]). Applicant’s remaining arguments in the Remarks, filed 10/07/2025, with respect to the claims rejected under 103 have been fully considered but are considered moot because newly added limitations to the claims disclosing “a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user” require a new ground of rejection necessitated by amendments. The remaining arguments fail to comply with 37 C.F.R. § 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Accordingly, the rejection of the claims under 35 USC 103 is sustained. Objections Claims 1 and 12 are objected to for the following informalities: there is insufficient antecedent basis for “the challenge response type” and it is unclear how the new amendment “a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user” relates to the rest of the limitations preceding it. The majority of claims 1/12 and the dependent claims are directed to a token, which is transmitted from the authentication terminal to an authentication server immediately before the step of authentication in claims 1/12. However, the actual step of authentication does not mention the token? Is the token part of the challenge-response? The Examiner also recommends amending “the challenge response type” to “a challenge response type” to provide antecedent basis. Appropriate clarification/correction is required. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1-10 and 12-21 are rejected under 35 U.S.C. 103 as being unpatentable over Sabin (US 2017/0223002) in view of Eisen (US 2020/0092272). Regarding claim 1, Sabin discloses the limitations of claim 1 substantially as follows: A method for controlling access to a good or service offered by a platform from an access terminal, the method comprising: - a step of transmitting an access request from the access terminal to the platform (Sabin, paras. [0035]-[0037], [0044]: user accesses login page of website for accessing resource/service of a website/proxy (i.e. requesting access to platform) using different device than mobile device such as laptop (i.e. access terminal)); - a step of transmitting, from the platform to the access terminal, a token comprising information allowing identification by the platform of the access request (Sabin, paras. [0035]-[0037]: website/proxy transmits QR code to the laptop for display, where the QR code comprises a random unique number generated by/identifying the session with the website (i.e. allowing identification of platform); - a step of transmitting the token from the access terminal to an authentication terminal (Sabin, paras. [0037]: mobile device (i.e. authentication terminal) captures QR code from the different device (i.e. access terminal)); - a step of transmitting the token and an identifier of the user from the authentication terminal to an authentication server (Sabin, paras. [0038], [0040]-[0042]: mobile terminal sends/transmits the QR code and GPS location and specific time (i.e. identifiers of user) from the mobile device to Identity Service/Federation Service (i.e. authentication server)); - a step of authenticating the user (Sabin, paras. [0040]-[0042], [0047]: authenticating the user); - in the case of success of the authentication: o a step of transmitting information for identifying, by the platform, the access request and the authenticated identity of the user from the authentication server to the platform (Sabin, paras. [0040]-[0042], [0047]: transmitting credentials for the user, the signed QR code and the registered mobile device to the proxy service/website from the Identity Service/Federated service); o a step of release, by the platform, of the access, from the access terminal, to the good or service requested by the access request (Sabin, paras. [0047]: website/proxy permits user device to log into the website to access requested website services). Sabin does not explicitly disclose the remaining limitations of claim 1 as follows: - a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user; However, in the same field of endeavor Eisen discloses the limitations of claim 1 as follows: - a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user (Eisen, paras. [0034], [0063], [0067], [0144], [0148]: identity authentication service provides different levels of authentication including authenticating user biometric data input and answers/responses to security challenge questions provided by a user) Eisen is combinable with Sabin because both are from the same field of endeavor of performing authentication of a user using multiple user devices and QR codes. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate Eisen’s method of using multiple levels of authentication including challenge questions to authenticate a user with the system of Sabin in order to increase the security of the system and make it more difficult for attackers by requiring an attacker to uncover multiple credentials of the user including the responses to the challenge questions in order to spoof the user. Regarding claim 12, Sabin discloses the limitations substantially as follows: A non-transitory computer-readable medium on which are stored code instructions that, when executed by a computer or microprocessor, cause the computer or microprocessor to control access to a good or service offered by a platform (102) from an access terminal (100) to a user, executing each of: a step of transmitting an access request from the access terminal to the platform (Sabin, paras. [0035]-[0037], [0044]: user accesses login page of website for accessing resource/service of a website/proxy (i.e. requesting access to platform) using different device than mobile device such as laptop (i.e. access terminal)); a step of transmitting, from the platform to the access terminal, a token comprising information allowing identification by the platform of the access request (Sabin, paras. [0035]-[0037]: website/proxy transmits QR code to the laptop for display, where the QR code comprises a random unique number generated by/identifying the session with the website (i.e. allowing identification of platform); a step of transmitting the token from the access terminal to an authentication terminal (Sabin, paras. [0037]: mobile device (i.e. authentication terminal) captures QR code from the different device (i.e. access terminal)); a step of transmitting the token and an identifier of the user from the authentication terminal to an authentication server (Sabin, paras. [0038], [0040]-[0042]: mobile terminal sends/transmits the QR code and GPS location and specific time (i.e. identifiers of user) from the mobile device to Identity Service/Federation Service (i.e. authentication server)); a step of authenticating the user (Sabin, paras. [0040]-[0042], [0047]: authenticating the user); in the case of success of the authentication: a step of transmitting information for identifying, by the platform, the access request and the authenticated identity of the user from the authentication server to the platform (Sabin, paras. [0040]-[0042], [0047]: transmitting credentials for the user, the signed QR code and the registered mobile device to the proxy service/website from the Identity Service/Federated service); a step of release, by the platform, of the access, from the access terminal, to the good or service requested by the access request (Sabin, paras. [0047]: website/proxy permits user device to log into the website to access requested website services). Sabin does not explicitly disclose the remaining limitations of claim 12 as follows: a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user; However, in the same field of endeavor Eisen discloses the limitations of claim 12 as follows: a step of authenticating the user by the authentication terminal using at least one authentication method, the at least one authentication method comprising an authentication of the challenge response type, the response being produced by the user (Eisen, paras. [0034], [0063], [0067], [0144], [0148]: identity authentication service provides different levels of authentication including authenticating user biometric data input and answers/responses to security challenge questions provided by a user) Eisen is combinable with Sabin because both are from the same field of endeavor of performing authentication of a user using multiple user devices and QR codes. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate Eisen’s method of using multiple levels of authentication including challenge questions to authenticate a user with the system of Sabin in order to increase the security of the system and make it more difficult for attackers by requiring an attacker to uncover multiple credentials of the user including the responses to the challenge questions in order to spoof the user. Regarding claims 2 and 13, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 2 and 13 as follows: wherein the token is a QR code (Sabin, paras. [0037], [0039]: QR code). Regarding claims 3 and 14, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 3 and 14 as follows: wherein the token is a mark concealed in an image (Sabin, paras. [0037], [0039]: QR code comprises embedded image). Regarding claims 4 and 15, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 4 and 15 as follows: wherein the token is transmitted between the access terminal and the authentication terminal by photographic capture of the token displayed on the access terminal by the authentication terminal (Sabin, paras. [0037]: mobile device (i.e. authentication terminal) captures QR code that is displayed on the different device (i.e. access terminal)). Regarding claims 5 and 16, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 5 and 16 as follows: wherein the token furthermore comprises information identifying the platform (Sabin, paras. [0036]-[0037], [0040], [0063]: QR code is really a unique session-generated number generated for the website for identifying the session with the website/platform). Regarding claims 6 and 17, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 6 and 17 as follows: wherein the token furthermore comprises information relating to the access terminal (Sabin, paras. [0041]: token/QR code may also contain additional parameters including GPS location and specific time associated with different user device (i.e. access terminal) and mobile device). Regarding claims 7 and 18, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin and Eisen teaches the limitations of claims 7 and 18 as follows: wherein the authentication terminal is previously registered with the authentication server (Sabin, paras. [0031]: user mobile device registers with registration server), only one authentication terminal being able to be registered for a given user (Sabin, para. [0032]: only one user device of the user is registered with the unique public key pair enabling unique identification of the mobile device from other mobile devices) (see also Eisen, para. [0043]: only the user device may be registered with the authentication system). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate Eisen’s method of only registering one device per user with the system of Sabin in order to increase the security of the system by limiting the number of devices through which the system can be accessed. Regarding claims 8 and 19, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 8 and 19 as follows: wherein the authentication server furthermore proceeds with checks relating to the legitimacy of the request stored (Sabin, paras. [0040]-[0041]: Identity/Federation service checks whether user to is authorized to access website as requested). Regarding claims 9 and 20, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Eisen teaches the limitations of claims 9 and 20 as follows: wherein the step of authenticating the user includes the verification of a biometric characteristic of this user (Eisen, paras. [0144], [0169]: authenticating user biometric data received at the mobile terminal as a second level of assurance after scanning and verifying a barcode). The same motivation to combine utilized in claims 1 and 12 is equally applicable in the instant claims. Regarding claims 10 and 21, Sabin and Eisen disclose the limitations of the method of claim 1 and the non-transitory computer readable medium of claim 12. Sabin teaches the limitations of claims 10 and 21 as follows: wherein the token is transmitted with the authenticated identity of the user from the authentication server to the platform (Sabin, paras. [0040]-[0043], [0047]: token/QR code and user credentials (i.e. indicating user has been validated as authorized to make request) are transmitted from the Identity Service (i.e. authentication server) to the website/proxy). Prior art not relied upon but applied/considered includes: 1) Gadotti (US 2014/0317713) teaches a user requests access to protected third party application resources or protected user interfaces of central processing server (i.e. platform) (paras.[0031]-[0032]; the central server sends QR code (i.e. token) for display on first mobile communications device or first client computing device (i.e. access terminal), where the QR code comprises a random number as a session number for the user’s logon session with the central processing server (i.e. identifying the request by the platform (Paras. [0013], [0032]-[0033]); the first mobile/client computing device displays QR code and the second mobile communication device (i.e. authentication terminal) image-captures the QR code (i.e. the token is transmitted) (paras. [0013], [0035]); the second mobile communications device sends the decoded QR code to the central processing server (paras. [0013], [0038]); if the login page is served by the third party processing server, the third party processing server is notified of the successful association of the session number to the user account by way of the central processing server (Para. [0041]) and login page is re-rendered by the third party processing server with visual cue for the user to proceed to the next step of the user authentication (para. [0041]). Conclusion For the above reasons, claims 1-10 and 12-21 are rejected. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583. The examiner can normally be reached on 10AM-6PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SHARON S LYNCH/Primary Examiner, Art Unit 2438
Read full office action

Prosecution Timeline

Oct 05, 2023
Application Filed
Jul 12, 2025
Non-Final Rejection — §103
Oct 07, 2025
Response Filed
Jan 09, 2026
Final Rejection — §103
Apr 07, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592833
Method for Authentication and Related Devices
2y 5m to grant Granted Mar 31, 2026
Patent 12574405
METHOD AND APPARATUS FOR SOLVING DENIAL-OF-SERVICE ATTACK, DEVICE, MEDIUM, AND COMPUTER PROGRAM PRODUCT
2y 5m to grant Granted Mar 10, 2026
Patent 12562924
SYSTEMS AND METHODS FOR PROTECTING DATA
2y 5m to grant Granted Feb 24, 2026
Patent 12556560
ATTACK ANALYSIS DEVICE, ATTACK ANALYSIS METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Feb 17, 2026
Patent 12549365
APPARATUS, METHOD, AND COMPUTER PROGRAM
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+50.4%)
2y 6m
Median Time to Grant
Moderate
PTA Risk
Based on 419 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month