Prosecution Insights
Last updated: April 19, 2026
Application No. 18/618,383

SECURE AI AUTHENTICATION AND INTERACTION

Final Rejection §101 §103 §112

Filed: Mar 27, 2024
Examiner: NOEL, LYDIA LOUIS-FILS
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Microsoft Technology Licensing, LLC
OA Round: 2 (Final)

Grant Probability: 70% (Favorable)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 91%

Examiner Intelligence

Grants 70% — above average
Career Allow Rate: 70% (66 granted / 94 resolved), +12.2% vs TC avg

Strong +21% interview lift
Interview Lift: +20.7% (resolved cases with interview)

Typical timeline
Avg Prosecution: 3y 1m (36 currently pending)

Career history
Total Applications: 130 (across all art units)

Statute-Specific Performance

§101: 5.8% (-34.2% vs TC avg)
§103: 60.8% (+20.8% vs TC avg)
§102: 10.0% (-30.0% vs TC avg)
§112: 18.8% (-21.2% vs TC avg)
Based on career data from 94 resolved cases

Office Action

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to the Amendment filed on 02/18/2026. In the instant Amendment, claims 1, 3, 5-7 have been amended; and claims 1, 6, and 14 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Final.

Response to argument

In light of applicant's Amendments, the Objection of claims 3 and 18 is withdrawn, and the claim interpretation, the 112 (a) and (b) of claims 1-13, 15, and 17, and the 101 rejection of claims 1-13 are withdrawn.

Applicant's arguments with respect to the 35 USC 101 rejection of claims 14-20 have been fully considered but they are not persuasive. The limitations in the claims under their broadest reasonable interpretation cover performance of the limitations being an abstract idea directed to mental process and/or mathematical concepts. The steps can be performed by a human using pencil and paper but for the recitation of generic computing such as a generic computer. The claims fail to integrate the abstract idea into a practical application or add significantly more. The claimed efficient computing by applying the abstract idea on a computer does not integrate the judicial exception into a practical application or provide inventive concepts (see MPEP 2106.05(f)). Please see MPEP 2106.05(a), which also recites “the judicial exception alone cannot provide the improvement” because the improvement is provided by one or more additional elements. Further, MPEP 2106.05(a) also recites that “a claim whose entire scope can be performed mentally, cannot be said to improve computer technology”.
To show that the involvement of a computer assists in improving the technology, the claims must recite the details regarding how a computer aids the method, the extent to which the computer aids the method, or the significance of a computer to the performance of the method. Merely adding generic computer components to perform the method is not sufficient. The claims must include more than mere instructions to perform the method on generic components to qualify as an improvement to an existing technology.

Applicants’ arguments filed on 02/18/2026 with respect to claims 1-13 have been considered but are moot in view of the new ground(s) of rejection, which were necessitated by amendment.

Applicant’s arguments are not persuasive as to independent claim 14 and claims 15–20 because those arguments are directed primarily to limitations added to amended claim 1, whereas claim 14 was not amended and remains broader. Under the broadest reasonable interpretation, claim 14 merely requires enabling selection of at least one non-contact input and at least one user location input for an authentication model, receiving those inputs, and training the authentication model based thereon. Gordon teaches an ML-based authentication framework using non-contact authentication inputs/factors, and Pirch teaches user-location input based on wireless localization/ranging. It would have been obvious to combine Pirch’s location-based input with Gordon’s ML-based authentication to improve authentication accuracy, contextual awareness, and spoof resistance. Applicant’s arguments do not persuasively address the actual scope of claim 14.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 14-20 are rejected under 35 U.S.C.
101 because the claimed invention is directed to an abstract idea without significantly more.

Applying the Subject Matter Eligibility Test for Products and Processes to claims 14-20:

Regarding claims 14-20:

Eligibility Step 1: The four categories of Statutory Subject Matter

Independent claim 14 recites a method which falls under one of the four Statutory categories.

Eligibility Step 2A: Is the claim directed to a law of nature, a natural phenomenon (product of nature), or an abstract idea?

Prong One: However, the claim recites an abstract idea that is subjected to a judicial exception because the steps recited in the method and system claim can be considered a mental process defined as an abstract idea because the steps recited in the claims would be considered a “concept performed in the human mind”. Each limitation recited in claim 14 (enabling selection of at least one non-contact input and at least one user location input for an authentication model for the user; receiving the at least one non-contact input and the at least one user location input; and training the authentication model based on the received at least one non-contact input and the received at least one user location input to generate a trained user authentication model) is considered a mental process abstract idea; nothing in the claim precludes it from practically being performed in the human mind. Because each limitation in said step can be performed in the mind, the claims would be considered a mental process abstract idea.

Prong Two: The claim recites additional elements: a computing system, an authentication model, and a Machine learning (ML) user authentication engine in claim 20. These elements are recited at a high level of generality, i.e., as generic components performing a generic computer function of (detecting data, transmitting requests, and receiving response). The claims do not recite any technological improvement to computer functionality or ML model architecture.
Instead, they merely apply authentication in the context of conventional hardware. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea.

Eligibility Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? As discussed with respect to Step 2A Prong Two, the additional element in the claim amounts to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. For this reason, the claim is not eligible subject matter under 35 U.S.C. 101.

Claim 15 recites: The method of claim 15, “interacting with the trained user authentication model to authenticate the user; and providing access to a secure account by the user based on the authenticating”. The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B. Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim 16 recites: The method of claim 16, “wherein the at least one non-contact input comprises at least one of a biometric input, a gesture input, or a movement pattern input”. The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B. Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim 17 recites: The method of claim 17, “signing the trained user authentication model with a model authentication key to generate a trained secure user authentication model”. The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B. Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim 18 recites: The method of claim 18, “wherein the at least one non-contact input comprises at least one of a public key, a private key, a cloud key, or an SSH key”.
The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B. Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim 19 recites: The method of claim 19, “wherein the at least one user location input is generated by an ultra-wideband (UWB) enabled device”. The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B. Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim 20 recites: The method of claim 20, “selecting the trained user authentication model from a plurality of trained user authentication models for deployment in a machine-learning (ML) user authorization engine”. The limitation is regarding a process directed to a mental process and mathematical concept (Subject Matter Eligibility Test, Steps 1 and 2A Prong 1 – see more detailed analysis for claim 1 above that also applies to this claim), which is further analyzed under Step 2A, Prong 2 and step 2B.
Because the limitation(s) do(es) not add any significant element, the claim(s) do(es) not integrate the judicial exception into a practical application (Step 2A Prong 2). Likewise, for the same rationale, the claim(s) also therefore do(es) not recite additional elements that amount to significantly more than the judicial exception. Thus, the claim is not eligible under 35 U.S.C. 101.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 1, claim 1 recites the elements “user location credential”, “non-location credential of a user”. The claim further recites “trained on both user location information specific to the user and non-location information specific to the user”; it is unclear whether the “information specific to the user” and “non-location information specific to the user” is the same as the “credential” and “non-location credential” of the user or if it is different. For purposes of examination, the limitation will be interpreted as it is the same.

Claim 6, claim 6 recites the elements “biometric information of a user”, “non-biometric information of a user”.
The claim further recites “trained on both user location information specific to the user and non-location information specific to the user”; it is unclear whether the “information specific to the user” and “non-location information specific to the user” is the same as the “biometric” and “non-biometric” of the user or if it is different. For purposes of examination, the limitation will be interpreted as it is the same.

Regarding claims 2-4, 7-13, claims 2-4, 7-13 are rejected due to their dependency on claims 1 and 6.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”) in view of Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”).

As per claims 1 and 6, Foster teaches a system, comprising (Gordon: fig.
1-2, para[33-36], “System challenges for MFA”): a biometric sensor input device that wirelessly detects at least one non-location credential of a user (Gordon: para [48-49], “Google Authenticator App. Then at login, prompt the user to enter a code generated by the mobile app, and validate it with the above library, before allowing them to proceed. Together these steps represent first (password) and second (device) factors, which combine to create multi-factor authentication C5 150.”, para [55], [67-68], “The multi-factor authentication may consist of the shared secret plus two-factor authentication implementation described but may also be a hardware/software biometric.”); a processor, and a memory device that stores program code structured to cause the processor to (Gordon: para [28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute”): generate a request to at least one machine learning (ML) model configured to perform a user authentication analysis (Gordon: para [29], [33-43], “Learning component determines if the observed and modeled phenomena appears authorized or unauthorized; Step 3 230—System challenges for MFA”, para[53], “The MLBA may be in the app backend, in the app front-end, or separate system with its own agent on devices C1 110, C2 120 and/or others, or part of the OS or another agent of the devices or cloud infrastructure.”), wherein the request includes the (Gordon: para[33-43], “Step 3 230—System challenges for MFA” para[58], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute”); receive at least one user authentication response from the at least one ML model (Gordon: see fig. 
2, para [33-43], [72-76], “Whenever C6 160 observes phenomena that results in a negative authentication result, it pings C5 150 to execute a manual (meaning user-in-the-loop) MFA challenge. The results, or outcome, of that MFA challenge are then communicated to the labeler 180, which then annotates the observations where they are recorded in the data lake, usually with 0 or ‘False’ for failed, 1 or ‘True’ for success.”, “The labeler 180 may label further types of labels beyond authorized and unauthorized, such as attacker, guest, new user, credential change, or locality information, device ID, MFA meta information, level of attack sophistication, etc.”); and authenticate the user based on the at least one user authentication response from the at least one ML model (Gordon: see fig. 2, para [31-43], para[82-86], “The labeler 180 may not be integrated into MFA, but only be integrated into the application or the device and combine knowledge of the MLBA's negative output with successful application or device sign-in to infer successful MFA for labeling…The labeled data and MLBA outputs may be used to judge organizational and individual threat and risk levels”).

Although Gordon teaches detecting the authorized user's device for proximity as a second factor, Gordon does not clearly teach a positioning receiver that wirelessly detects at least one user location credential, the at least one ML model trained on both user location information specific to the user and non-location information specific to the user.

However, in the related art, Foster teaches a positioning receiver that wirelessly detects at least one user location credential (Foster: fig.
1-2, para [26-29], “The server machine 110 is shown as including a face analyzer 210, a device analyzer 220, a location analyzer 230, an authenticator 240, an artificial intelligence engine trainer 250, and authentication server 260, all configured to communicate with each other (e.g., via a bus, shared memory, or a switch).”, para[35-38], “In operation 520, the authentication client 310 accesses geolocation data (e.g., GPS data or IP address data) that represents a geolocation at which the device 130 was located during capture of the image (e.g., face image) accessed in operation 510”); the at least one ML model trained on both user location information specific to the user and non-location information specific to the user (Foster: para[35-40], “In operation 530, the authentication client 310 inputs the accessed image (e.g., face image) and the accessed geolocation data into the artificial intelligence engine 270 (e.g., a neural network). The artificial intelligence engine 270 is trained to generate an image score (e.g., a face score) based on the inputted image, generate a device score based on the characteristic noise pattern in the inputted image, and generate a location score based on the inputted geolocation data… the server machine 110 (e.g., via the artificial intelligence engine 280 and its included authenticator 240) generates the authentication score based on the provided image score (e.g., face score), the provided device score, and the provided location score. As a result, the authentication client 310 obtains the generated authentication score from the server machine 110.. 
In operation 550, the authentication client 310 presents an indication that the verification request is authentic”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as location analyzer of Foster, as it will improve authentication robustness and resist remote spoofing, adding more layers of protection from potential fraud and misuse (Foster: para [117]).

As per claim 2, Gordon in view of Foster teaches the independent claim 1. Gordon teaches wherein the at least one non-location credential comprises at least one of a user biometric credential, a user gesture credential, or a user movement pattern credential (Gordon: para[28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute.”).

As per claim 3, Gordon in view of Foster teaches the independent claim 1. Gordon teaches wherein the at least one non-location credential comprises at least one of a public key, a private key, a cloud key, or a secure shell SSH key (Gordon: para[28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute.”).

As per claims 4 and 9, Gordon in view of Foster teaches the independent claim 1. Foster teaches wherein the at least one location credential indicates at least one of proximity, geolocation, three-dimensional (3D) position, or presence detection of the user or a user associated device (Foster: fig.
1-2, para [26-29], para[35-38], “In operation 520, the authentication client 310 accesses geolocation data (e.g., GPS data or IP address data) that represents a geolocation at which the device 130 was located during capture of the image (e.g., face image) accessed in operation 510”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as location analyzer of Foster, as it will improve authentication robustness and resist remote spoofing, adding more layers of protection from potential fraud and misuse (Foster: para [117]).

As per claim 10, Gordon in view of Foster teaches the dependent claim 9. Foster teaches determining the user proximity information based on a secure challenge to authenticate the biometric information (Foster: fig. 1-2, para [26-29], para[35-38], “In operation 510, the authentication client 310 accesses an image to be submitted in a request to verify a person (e.g., a request to verify the user 132). The image may be a face image that depicts the face of the user 132 and that was captured by the camera 330 of the device 130…..In operation 520, the authentication client 310 accesses geolocation data (e.g., GPS data or IP address data) that represents a geolocation at which the device 130 was located during capture of the image (e.g., face image) accessed in operation 510”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as location analyzer of Foster, as it will improve authentication robustness and resist remote spoofing, adding more layers of protection from potential fraud and misuse (Foster: para [117]).

Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Foster et al. (U.S.
Pub 2019/0392122 A1; Hereinafter “Foster”) in view of Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”) and Fu et al. (U.S. Pub 20210398132 A1; Hereinafter “Fu”).

As per claims 5 and 7, Gordon in view of Foster teaches the independent claim 1. Fu teaches wherein the authenticator is further configured to: vary selection of the at least one ML model, from a plurality of trained ML models, for the request based on at least one of the location credential or the non-location credential (Fu: para[36], [51-63], “In step S104, rule processing computer 140 can determine a machine learning model from a plurality of machine learning models by applying rules to the external data… In a log-in example, the prediction request may comprise an indicator that it is an authorization request, a user identifier, a device identifier, a password (or a derivative of the password), a location, and a time stamp. As an example, user device 110 may send an authorization request to data enrichment computer 120 for a transaction that a user is making while on vacation.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gordon MFA authentication as enhanced by Foster’s location credentials, to vary selection of one trained ML model from a plurality of trained models as taught by Fu, as it will improve authentication accuracy and increase spoof resistance (Fu: para [21]).

Claims 8, 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”) in view of Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”) and Pirch et al. (U.S. Pub 20200314651 A1; Hereinafter “Pirch”).

As per claim 8, Gordon in view of Foster teaches the independent claim 6.
Pirch teaches varying selection of at least one of the biometric information from a plurality of biometric information or the non-biometric information from a plurality of non-biometric information based on at least one parameter (Pirch: para[116-117], “The trained machine learning model is trained with data sets collected from a plurality of users. The data sets may include movement data for the plurality of users within a range of the asset. The data sets may include movement data from the plurality of users. The information received from the wireless key device may include movement data of the user collected from an accelerometer of the wireless key device.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, as it will improve authentication robustness and resist remote spoofing because it will add more layers of protection from potential fraud and misuse (Pirch: para [55]).

As per claim 11, Gordon in view of Foster teaches the independent claim 6. Pirch teaches wherein the user associated device comprises an ultra-wideband (UWB) enabled device (Pirch: para[21], [46], “In FIG. 2D, key device A 230 and key device C 240 continue to move and the location information of their respective movement is provided to the reader 210 through the UWB communication.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, as it will improve authentication robustness and resist remote spoofing because it will add more layers of protection from potential fraud and misuse (Pirch: para [55]).

As per claim 12, Gordon in view of Foster and Pirch teaches the dependent claim 11.
Pirch teaches wherein the determination of the user proximity information is based on at least one of a time of flight or an angle of arrival for a communication from the user associated device (Pirch: para[51], “Identifying the location of the person 335 and performing continuous localization of the person 335 (through their key device), may provide a direction the person 335 is moving. Using the determined direction, the readers may identify an angle of arrival 340. The angle of arrival 340 may be used to determine which doorway of multiple doorways that the person 335 is intending to enter.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, as it will improve authentication robustness and resist remote spoofing because it will add more layers of protection from potential fraud and misuse (Pirch: para [55]).

As per claim 13, Gordon in view of Foster teaches the dependent claim 9. Pirch teaches wherein the determination whether to authenticate the user is based, at least in part, on an indication by the user proximity information that the user is located within a geo-fence position threshold (Pirch: para[39], “The PACS may use the data received from the reader 110 using the second wireless communication 125 to determine the likelihood or probability the user 115 is intending to pass through the doorway 105. The determination may be a calculation using the received data or the received data may be provided to a fixed or evolutive model. If the determined probability of intent exceeds a predetermined threshold, then the PACS may unlock the door such that the user 115 may seamlessly enter the doorway 105.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have updated Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, as it will improve authentication robustness and resist remote spoofing because it will add more layers of protection from potential fraud and misuse (Pirch: para [55]).

Claims 14-16, 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Foster et al. (U.S. Pub 2019/0392122 A1; Hereinafter “Foster”) in view of Pirch et al. (U.S. Pub 20200314651 A1; Hereinafter “Pirch”).

As per claim 14, Gordon teaches a method, comprising: enabling selection of at least one non-contact input and at least one (Gordon: para [28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute”); receiving the at least one non-contact input and (Gordon: para [48-49], “Google Authenticator App. Then at login, prompt the user to enter a code generated by the mobile app, and validate it with the above library, before allowing them to proceed.
Together these steps represent first (password) and second (device) factors, which combine to create multi-factor authentication C5 150.”, para [55], [67-68], “The multi-factor authentication may consist of the shared secret plus two-factor authentication implementation described but may also be a hardware/software biometric.”); and training the authentication model based on the received at least one non-contact input and the received at least one user location input to generate a trained user authentication model (Gordon: para [29], [33-43], “Learning component determines if the observed and modeled phenomena appears authorized or unauthorized; Step 3 230—System challenges for MFA”, para[53], “The MLBA may be in the app backend, in the app front-end, or separate system with its own agent on devices C1 110, C2 120 and/or others, or part of the OS or another agent of the devices or cloud infrastructure.”). Although, Gordon teaches detecting the authorized user's device for proximity as a second factor, Gordon does not clearly teach a user location input. However, in the related art, Pirch teaches user location input (Pirch: para[38-39], “As the user 115 continues to approach the doorway 105 and reader 110, a second wireless communication 125 begins communicating with the key device of the user 115. The second wireless communication 125 may be a higher power and advanced communication, such as UWB. The second wireless communication 125 may include localization and ranging to track the movement of the user 115. The second wireless communication 125 may track the user 115 and use factors such as the speed the user 115 is moving to determine if the intent of the user 115 is to enter the doorway 105. F”). 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have update Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, it will improve authentication robustness and resist remote spoofing with because it will add more layer of protection from potential fraud and misuse (Pirch: para [55]).

As per claim 15, Gordon in view of Pirch teaches the independent claim 14. Gordon teaches interacting with the trained user authentication model to authenticate the user; and providing access to a secure account by the user based on the authenticating (Gordon: para[31-43], step 1-6, fig. 2, “user attempts to log in, or execute a task on device Cl using app…Learning component determines if the observed and modeled phenomena appears authorized or unauthorized; Step 3 230—System challenges for MFA; Step 4 240—If MFA fails a negative label is created for phenomena; Step 5 250—if MFA succeeds the labeler 180 labels the data that prompted S3 230 to provide a negative result with a positive label in the data lake C7; and Step 6 260—user allowed to log in or execute task. If S2 220 is successful, the user may progress to S6 260. If S3 230 fails, the behavior receives a negative label.”).

As per claim 16, Gordon in view of Pirch teaches the independent claim 14. Gordon teaches wherein the at least one non-contact input comprises at least one of a biometric input, a gesture input, or a movement pattern input (Gordon: para[28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute.”); and the at least one user location input indicates at least one of proximity, geolocation, three-dimensional (3D) position, or presence detection (Gordon: para [68], “The second factor may be frictionless, such as turning on a camera for facial recognition (third factor) or detecting the authorized user's device for proximity as a second factor.”).

As per claim 18, Gordon in view of Pirch teaches the independent claim 1. Gordon teaches wherein the at least one non-location credential comprises at least one of a public key, a private key, a cloud key, or a secure shell SSH key (Gordon: para[28], “multi-factor authenticator 150—this is a piece of software and/or hardware that uses two of the following authentication methods to confirm user identity: a shared secret, a known device, or a biometric attribute.”).

As per claim 19, Gordon in view of Pirch teaches the independent claim 14. Pirch teaches wherein the at least one user location input is generated by an ultra-wideband (UWB) enabled device (Pirch: para[21], [46], “In FIG. 2D, key device A 230 and key device C 240 continue to move and the location information of their respective movement is provided to the reader 210 through the UWB communication.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have update Gordon MFA authentication with user location such as UWB/BLE proximity of Pirch, it will improve authentication robustness and resist remote spoofing with because it will add more layer of protection from potential fraud and misuse (Pirch: para [55]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Gordon et al. (U.S. Pub 2022/0366026 A1; Hereinafter “Gordon”) in view of Pirch et al. (U.S. Pub 2020/0314651 A1; Hereinafter “Pirch”) and Cao et al. (C.N. 115442050 A; Hereinafter “Cao”).

As per claim 17, Gordon in view of Pirch teaches the independent claim 14. Gordon in view of Pirch does not teach signing the trained user authentication model with a model authentication key to generate a trained secure user authentication model. However, in the related art, Cao teaches signing the trained user authentication model with a model authentication key to generate a trained secure user authentication model (Cao: fig. 1, step 1-3, “in order to achieve the purpose of the above invention, the present invention adopts the following technical solution: by adding the evaluation server in the federal learning architecture, the training participant sends the model data for evaluating and verifying, eliminating virus data of malicious participants. and combining the SM9 encryption and signature algorithm to ensure the security of the user privacy in the whole federal learning communication process. the training participant encrypts the trained model M, and signing the model, the central server confirms the identity rationality of the training participant through the signature verification algorithm, then sends the model information to the evaluation server to decrypt, the evaluation server evaluates the data after decrypting the model data, returning back to the central server after reaching the standard model data aggregation”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have update the modified Gordon MFA authentication and signed the trained model as discussed in Cao, it will ensure integrity and prevent tampering (Cao: page 3).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Gordon et al. (U.S. Pub 2022/0366026 A1; Hereinafter “Gordon”) in view of Pirch et al. (U.S. Pub 2020/0314651 A1; Hereinafter “Pirch”) and Wang et al. (U.S. Pub 20230048386 A1; Hereinafter “Wang”).

As per claim 20, Gordon in view of Pirch teaches the independent claim 14. Gordon in view of Pirch does not teach selecting the trained user authentication model from a plurality of trained user authentication models for deployment in a machine-learning (ML) user authorization engine. However, in the related art, Wang teaches selecting the trained user authentication model from a plurality of trained user authentication models for deployment in a machine-learning (ML) user authorization engine (Wang: para[65-68], “determining, in response to a selection operation by the user for the at least two trained models, a model selected by the user as the target model.”).

Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to have update the modified Gordon MFA authentication with Wang, it will improve the processing efficiency and accuracy. (Wang: para[192]).
Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LYDIA L NOEL whose telephone number is (571)272-1628. The examiner can normally be reached Monday - Friday 9:00 - 5:00.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571)-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/L.L.N./Examiner, Art Unit 2437
/MENG LI/Primary Examiner, Art Unit 2437

Prosecution Timeline

Mar 27, 2024: Application Filed
Sep 17, 2025: Non-Final Rejection — §101, §103, §112
Feb 18, 2026: Response Filed
Mar 23, 2026: Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12587846
DEVICE, METHOD AND COMPUTER READABLE MEDIUM FOR RESISTING DOWNGRADE ATTACKS
2y 5m to grant Granted Mar 24, 2026
Patent 12563090
RESILIENT HIGH-BANDWIDTH STATE-TRANSITION COMPUTER
2y 5m to grant Granted Feb 24, 2026
Patent 12520133
THIRD PARTY CONTROL OF A USER EQUIPMENT
2y 5m to grant Granted Jan 06, 2026
Patent 12520140
CREDENTIALED WIRELESS FOB TO CONTROL POWER TOOL DEVICES
2y 5m to grant Granted Jan 06, 2026
Patent 12500748
FORWARDING DEVICE, KEY MANAGEMENT SERVER DEVICE, COMMUNICATION SYSTEM, FORWARDING METHOD, AND COMPUTER PROGRAM PRODUCT
2y 5m to grant Granted Dec 16, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 70%
With Interview: 91% (+20.7%)
Median Time to Grant: 3y 1m
PTA Risk: Moderate

Based on 94 resolved cases by this examiner. Grant probability derived from career allow rate.
