DETAILED ACTION
This communication responsive to the Application No. 18/555,133 filed on October 12, 2023. A preliminary amendment was filed on 10/12/2023 in which claims 6-11 and 18-23 have been amended. Claims 1-23 are pending and are directed towards METHOD AND SYSTEM FOR OPTIMISING OTP CHANNELS IN DIGITAL VERIFICATION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/12/2023 was Acknowledge. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 10 and 22 objected to because of the following informalities:
In Claims 10 and 22, Acronym “SMS” should be defined.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 4, 11-12 and 16 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 4 and 16 recite the limitation “ascertaining an OTP entry of the failed validation is similar to the first OTP” which is vague and not clear. it is not understood how failed validation results from similar OTP.
Claim 11 recites the limitation “wherein the first OTP is a missed call, the method further comprising: automatically providing at least a part of a caller number of the missed call as the first OTP entry” which is vague and not clear. it is not understood how “the first OTP is a missed call” then part of a caller number of the missed call becomes the first OTP entry.
Claim 12 rejected by dependency.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-23 are rejected under 35 U.S.C. 103 as being unpatentable over Everson et al. US 2020/0044851 A1 (hereinafter “Everson”) in view of Bagley US 2006/0080545 A1 (hereinafter “Bagley”).
As per claim 1, Everson teaches a method for one time password (OTP) channel optimization (the present invention may select an optimal delivery channel from multiple possible channels. Delivery channels may include email communication, text, in-app message, a call center communication and/or other modes of secure communication. For an in-app message, the customer may access an app on the customer's smart device to perform multi-factor authentication to access an OTP. Everson, para [0016]), the method comprising:
for each of a plurality of optimization criteria, and based on at least one attribute of a plurality of OTP channels, ascertaining a recommendation of the OTP channels, thereby ascertaining a plurality of recommendations for the plurality of optimization criteria respectively; (System 130 may include a Risk Decision Engine 140 and a Dynamic Channel Interface 144. Risk Decision Engine 140 may apply a risk algorithm to generate a risk determination based on various factors, including device data, account data and fraud data for a given customer contact or request. Dynamic Channel Interface 144 may apply an optimal communication channel for the OTP based on the risk determination made by Risk Decision Engine 140. Everson, para [0021])
in response to a verification request comprising an end user identifier, and based on at least one attribute of the end user identifier, selectively providing a first recommendation having at least some of the OTP channels, wherein the recommendations include the first recommendation (a customer contact may be received. At step 212, based on the customer contact, a corresponding device and customer identifier may be identified. At step 214, a corresponding customer profile may be retrieved. At step 216, an algorithm may be applied to generate a risk score. At step 218, based on the risk score, an optimal channel may be determined. Everson, para [0030])( based on the customer contact, a corresponding device and customer identifier may be identified. For example, the customer may make the request from a mobile phone. In addition, based on the customer identifier, the system may identify one or more additional devices and other customer information, which may include additional smart devices, IoT devices, email addresses, phone numbers. Everson, para [0032]);
in response to an end user selected first OTP channel which is included in the at least some of the OTP channels of the first recommendation, instructing for a first OTP to be provided via the first OTP channel to a first device associated with the end user identifier wherein the OTP channels include the first OTP channel (Based on the risk determination, Dynamic OTP Channel 330 may select an optimal channel to convey the OTP back to the user. In addition, the optimal channel may be used to perform additional authentication. Based on the level of risk, other forms of authentication may be implemented. Everson, para [0042]) (the user interface may be any system that provides communication between a user and a processor. The information provided by the user to the processor through the user interface may be in the form of a command, a selection of data, or some other input, for example. Everson, para [0049]); and
Everson does not explicitly teach validating a first OTP entry against the first OTP.
However, Bagley teaches validating a first OTP entry against the first OTP (The authentication service matches (328) the one-time password received from the service provider to one-time passwords that the authentication service considers valid. Bagley, para [0085]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Everson in view of Bagley. One would be motivated to do so, for the obvious reason of verifying the OTP.
As per claim 2, Everson and Bagley teach the method of claim 1, further comprising:
in response to and based on a failed validation of the first OTP, selectively providing a second recommendation wherein the recommendations include the second recommendation (if it is determined that the customer's email account might be compromised, an embodiment of the present invention may select an alternative channel to send the OTP. For high risk requests and/or actions, additional authentication (e.g., biometric, passive authentication, etc.) and/or safeguards may be applied. For example, safeguards may include restrictions on how much the customer can send or spend. Other restrictions may be applied. Everson, para [0015]);
in response to a selected second OTP channel which is included in the second recommendation, instructing for a second OTP to be provided via the second OTP channel to the first device or a second device associated with the end user identifier wherein the OTP channels include the second OTP channel (Based on the risk determination, Dynamic OTP Channel 330 may select an optimal channel to convey the OTP back to the user. In addition, the optimal channel may be used to perform additional authentication. Based on the level of risk, other forms of authentication may be implemented. Everson, para [0042]) (the user interface may be any system that provides communication between a user and a processor. The information provided by the user to the processor through the user interface may be in the form of a command, a selection of data, or some other input, for example. Everson, para [0049]).
As per claim 3, Everson and Bagley teach the method of claim 2, further comprising:
based on a validation outcome of the first OTP and/or the second OTP, modifying the at least one attribute of the OTP channels (select and apply a multifactor authentication channel (e.g., email, SMS, etc.) dynamically based on multiple sources of risk scoring input data. The risk decision engine may determine an optimal lowest risk delivery channel for delivery of a one-time passcode. Based on a risk determination, the risk decision engine may also implement an additional/alternative mechanism for user authentication or verification. Everson, para [0014]).
As per claim 4, Everson and Bagley teach the method of claim 1. Everson does not explicitly teach the method further comprising: in response to and based on a failed validation of the first OTP, ascertaining an OTP entry of the failed validation is similar to the first OTP; instructing for another OTP to be provided via the first OTP channel to the first device associated with the end user identifier.
However, Bagley teaches in response to and based on a failed validation of the first OTP, ascertaining an OTP entry of the failed validation is similar to the first OTP (The authentication service matches (252) the one-time password received from the service provider to one-time passwords that the authentication service considers valid. If the authentication service determines (254) that the received one-time password is not valid, processing ends (256). Among other things, ending further processing helps guard against attacks, such as denial-of-service attacks that attempt to swamp the authentication service with bogus authentication requests or brute force attacks aimed at guessing one-time passwords. Bagley, para [0056]);
instructing for another OTP to be provided via the first OTP channel to the first device associated with the end user identifier (the client sends the one-time password, OTPW1, and the service provider identifier for the client, BrianB, to the service provider. The service provider verifies (244) that BrianB is a valid service provider identifier and sends the one-time password OTPW1 to the authentication service. The authentication service matches (252) the one-time password and sends (258) the authentication service identifier for the client, xy8923a, to the service provider. Bagley, para [0061]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Everson in view of Bagley. One would be motivated to do so, to enhance the security of the system.
As per claim 5, Everson and Bagley teach the method of claim 1, wherein instructing for a first OTP to be provided via the first OTP channel to a first device associated with the end user identifier includes instructing for the first OTP to be auto-populated as OTP entry (a customer contact may be received. The customer may request information and/or an action. In response to the request, the system may send a OTP to the customer for security and authentication. Everson, para [0031]).
As per claim 6, Everson and Bagley teach the method of claim 1, wherein the optimization criteria include at least two selected from the group of: security of OTP channel, accessibility of OTP channel, success rate of OTP channel, and usage cost of OTP channel (the risk score may be based on various metrics and data, including device data, account data, fraud data and other customer related data. For example, device data may include data relating to known fraud device; device type or name; device location (this may include historical location and current location); device phone number and number of registered devices. Account data may include account open date, related account data (other accounts associated with the customer or related accounts, such as household accounts); and recent and historical changes to an account (e.g., change of contact information; frequency of use; outlier purchases; etc.). Fraud data may include product velocity; fraud/suspicious account history; recent OTP channel changes; failed login history; and other external risk data. Other data may include cyber indicators in rendering a risk determination. For example, an embodiment of the present invention may consider an IP address that a customer request is initiating from. The system may also observe whether the client is exhibiting a signature that is indicative of suspicious and/or fraudulent behavior. Other risk data may include global data. For example, global risk data may indicate that a geographic region, such as a foreign country, is experiencing an usually high rate of fraud. This data may result in a higher risk score for customer contacts originated from this region. Everson, para [0035]) (See Also Risk Data 320, 322, 324 in Fig. 3 and related paragraphs).
As per claim 7, Everson and Bagley teach the method of claim 1, wherein the at least one attribute of the plurality of OTP channels is selected from the group of: static OTP channel characteristic, real-time usage cost of OTP channel, delivery rate of OTP channel, validation success rate of OTP channel, and usability of OTP channel (Account data may include account open date, related account data (other accounts associated with the customer or related accounts, such as household accounts); and recent and historical changes to an account (e.g., change of contact information; frequency of use; outlier purchases; etc.). Fraud data may include product velocity; fraud/suspicious account history; recent OTP channel changes; failed login history; and other external risk data. Everson, para [0035]).
As per claim 8, Everson and Bagley teach the method of claim 1, wherein the at least one attribute of the end user identifier includes a count of OTP authentication attempts associated with the end user identifier over a predetermined time period (Account data may include account open date, related account data (other accounts associated with the customer or related accounts, such as household accounts); and recent and historical changes to an account (e.g., change of contact information; frequency of use; outlier purchases; etc.). Fraud data may include product velocity; fraud/suspicious account history; recent OTP channel changes; failed login history; and other external risk data. Everson, para [0035]).
As per claim 9, Everson and Bagley teach the method of any one of claim 1, further comprising:
validating the end user identifier against a database which includes a historical profile associated with the end user identifier (a customer profile may be retrieved. The customer profile may include customer account information. This may include recent changes as well as past historical changes and trend data. Everson, para [0033]);
based on the historical profile, prioritizing or de-prioritizing the end user identifier (the risk score may be based on various metrics and data, including device data, account data, fraud data and other customer related data. For example, device data may include data relating to known fraud device; device type or name; device location (this may include historical location and current location); device phone number and number of registered devices. Account data may include account open date, related account data (other accounts associated with the customer or related accounts, such as household accounts); and recent and historical changes to an account (e.g., change of contact information; frequency of use; outlier purchases; etc.). Fraud data may include product velocity; fraud/suspicious account history; recent OTP channel changes; failed login history; and other external risk data. Other data may include cyber indicators in rendering a risk determination. Everson, para [0035]).
As per claim 10, Everson and Bagley teach the method of claim 1, wherein the OTP channels include at least two selected from the group of: SMS, voice call, missed call, messaging application, authenticator application, electronic mail (Delivery channels may include email communication, text, in-app message, a call center communication and/or other modes of secure communication. Everson, para [0016] and Fig. 3 element 330).
As per claim 11, Everson and Bagley teach the method of claim 1, wherein the first OTP is a missed call, the method further comprising: automatically providing at least a part of a caller number of the missed call as the first OTP entry, wherein the missed call is received within a predetermined duration or count (based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated. Everson, para [0038])( The mode of communication may be provided via various channels, including email communication, text message, in-app message, call center, etc. Everson, para [0020]).
As per claim 12, Everson and Bagley teach the method of claim 11. Everson does not explicitly teach the method further comprising: optimizing a success rate of missed call OTP by performing at least one of the following: monitoring a delivery status of the first OTP, detecting a dial tone, a busy tone or a voice, and ascertaining a duration of the missed call.
However, Bagley teaches optimizing a success rate of missed call OTP by performing at least one of the following: monitoring a delivery status of the first OTP, detecting a dial tone, a busy tone or a voice, and ascertaining a duration of the missed call (The authentication service generates (226) a one-time password for the client. One-time password generation may take a variety of forms. For example, the one-time password may be generated by selecting a random number from a list of random numbers. Such random number lists can be generated by digitizing output from a random source, such as background electrical or audio signals (noise) from space, a power transformer, and so forth. Alternatively, the one-time password may be generated using a random number generator that is based on an algorithm. Bagley, para [0052]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Everson in view of Bagley. One would be motivated to do so, to enhance the security of the system by generating OTP from different sources and methods.
Claims 13-23 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons (of anticipation\ and rationales) as used above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A. Villavicencio et al. US 10,623,402 B2 directed to enhanced security authentication system.
B. Mizrah US 2008/0098464 A1 directed to two-channel challenge-response authentication method.
C. Krishnamoorthy et al. US 2020/0042723 A1 directed to identity fraud risk engine platform.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached at (571)272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Respectfully Submitted
/KHALID M ALMAGHAYREH/ Primary Examiner, Art Unit 2492