Prosecution Insights
Last updated: July 17, 2026
Application No. 18/633,103

PHISHING RESISTANT ENROLLMENT VIA AN OPERATING SYSTEM

Final Rejection §103
Filed
Apr 11, 2024
Examiner
DOAN, HUAN V
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Okta Inc.
OA Round
2 (Final)
80%
Grant Probability
Favorable
3-4
OA Rounds
8m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 80% — above average
80%
Career Allowance Rate
229 granted / 285 resolved
+22.4% vs TC avg
Strong +42% interview lift
Without
With
+42.1%
Interview Lift
resolved cases with interview
Typical timeline
2y 12m
Avg Prosecution
7 currently pending
Career history
292
Total Applications
across all art units

Statute-Specific Performance

§101
2.0%
-38.0% vs TC avg
§103
90.7%
+50.7% vs TC avg
§102
4.7%
-35.3% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 285 resolved cases

Office Action

§103
DETAILED ACTION 1. This office action is in response to the communication filed on 04/13/2026. 2. Claims 1-20 are pending. Notice of Pre-AIA or AIA Status 3. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments 4. Applicant’s arguments filed on 04/13/2026 have been fully considered but they are not persuasive. Applicant’s argument: The cited references do not teach or suggest all of the features of independent claims 1, 8, and 15. Applicant’s support: The enrollment service in Smith is not the same as "an authentication service." An authentication request in Smith does not teach or suggest "an enrollment configuration request." Providing a token to an enrollment service in Smith does not teach or suggest "providing, to a first device associated with the user, a prompt to initiate enrollment in the authentication service, the enrollment being in accordance with the enrollment configuration request." The enrollment request in Smith is for enrollment into a setup phase of an operating system, which does not teach "enrollment in the authentication service." Examiner’s response: Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. In light of the case’s specification (e.g., paras. 22-23, “… accessing the applications or services, the user may enroll and register in a single sign-on (SSO) service that can authenticate the user, for various services, via a one or more credentials … users may enroll in a multi-factor authenticator (MFA) service … the operating system of a computing device may receive an enrollment configuration request … transmit a prompt to a first user of a first device (e.g., a computing device) running the operating system to initiate the enrollment in an authentication service”; see paras. 33-35, “the SSO service 155 of the identity management system 120, which may serve as the identity provider (IdP) … the IdP may leverage the MFA service … The IdP may verify the user's identity by comparing the credentials provided by the user … The IdP may generate a security token (such as a SAML token or Oath 2.0 token) containing information associated with the identity and/or authentication status of the user 185 based on successful authentication of the user's identity … forward the token to the SP. Accordingly, the SP may verify the authenticity of the token and determine whether the user 185 is authorized to access the requested applications …”), the claimed “an enrollment configuration request for an authentication service” is a request for a user to enroll/register, by providing user credentials, to be authenticated with an authentication service (e.g., SSO, MFA) to receive a security token used for accessing applications or services. The examiner directs applicant’s attention to see Smith, fig. 1 and paras. 58-59 where the UE receives, from a server, an authentication request to authenticate a user of the UE, via an authentication service, wherein the UE prompts the user to input credentials for authenticating, via the authentication service, to enroll to the device management service, wherein an authentication server, e.g., server 102N, authenticates the credentials provided by the user, and provides an authentication token to the UE when the credentials are valid (i.e., the UE transmits, to the authentication server associated with the authentication service, a message comprising credentials inputted by the UE’s user based on the prompt to initiate the enrollment to the device management service). Thus, Smith discloses a method/system in which a user device/equipment (UE) receives, from a server, an authentication request (i.e., enrollment configuration request) for a user to sign-on/sign-up, by inputting/providing credentials to be authenticated, with an authentication service, wherein an authentication service/server authenticates the credentials provided by the user, and provides an authentication token to the UE when the credentials are valid. Therefore, in light of the case’s specification, Smith’s authentication request for a user to sign-on/sign-up, by providing credentials to be authenticated, with an authentication service to receive an authentication token, is reasonable to equate the claimed “enrollment configuration request” for a user to enroll, by providing credentials to be authenticated, with an authentication service to receive a security token for accessing applications or services. (Note that, in Smith (e.g., paras.43, 58), an authentication token is provided for enrollment service that manages user access to applications and devices). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 5. Claim(s) 1-2, 4-9, 11-16, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 2024/0264855 A1, hereafter Smith) in view of Larson et al. (US 10693872 B1, hereafter Larson). Regarding claim(s) 1, 8 and 15: Smith discloses an apparatus for authentication service enrollment, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to (see fig. 1 and para. 34 where a user computing device (UE) includes a computer): receive, from a device management provider, an enrollment configuration request for an authentication service; provide, to a first device associated with a first user, a prompt to initiate enrollment in the authentication service, the enrollment being in accordance with the enrollment configuration request, wherein the first device is managed by a second user of an organization that is different from the first user and is associated with the device management provider; and transmit, to an authentication server associated with the authentication service, an enrollment request message comprising data associated with the first device, the enrollment request message requesting the enrollment of the first device in the authentication service, wherein the enrollment request message is transmitted based at least in part on the prompt to initiate the enrollment, and [wherein an attestation that the first device is associated with the organization is based at least in part on the enrollment request message] (see fig. 1 and paras. 58-59 where the UE receives, from a server, e.g., server 102A (i.e., device management provider) including a device management service, an authentication request (i.e., enrollment configuration request) to authenticate a user (i.e., first user) of the UE (i.e., first device) via an authentication service, wherein the user is associated with an organization/company, wherein the UE prompts the user to input credentials for authenticating, via the authentication service, to enroll to the device management service, wherein an authentication server, e.g., server 102N, authenticates the credentials provided by the user (i.e., the UE transmits, to the authentication server associated with the authentication service, a message comprising credentials inputted by the UE’s user based on the prompt to initiate the enrollment to the device management service); see paras. 28, 35, 40 where an admin user (i.e., second user) of an enterprise/company (i.e., organization) performs administrative operations to the UE and the device management service). Smith does not, but Larson discloses: wherein an attestation that the first device is associated with the organization is based at least in part on the enrollment request message (see Larson, col. 24, lines 32-36, where a user provides identity data, in response to a prompt during an enrollment process, to an identity verification service (IVS); see col. 28, lines 8-12, where a user of a client system provides identity data includes an organization/enterprise ID. In other words, an organization/enterprise ID (i.e., attestation) of a user of a client system (i.e., first device) associated with an organization is included in a message provided to the IVS for validation for an enrollment process). It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it for an attestation that the first device is associated with the organization is based at least in part on the enrollment request message, as taught by Larson, in order for verifying user identity including organization/enterprise ID during an enrollment process (Larson, abstract and col. 28, line 12). Regarding claim(s) 2, 9, and 16: Smith discloses: receive, from the authentication server, a response message indicating that the first device is enrolled in the authentication service, the first device being enrolled in the authentication service based at least in part on the data of the enrollment request message (see paras. 58-59 where the UE prompts the user to input credentials and/or identity associated with a company/enterprise/organization for authenticating, via the authentication service, to enroll to the device management service, wherein the UE receives, from the authentication server, an authentication token (i.e., a response message comprising an authentication token) when the credentials and/or identity of the user of the UE associated with the company/enterprise/organization are valid to enroll to the device management service). Regarding claim(s) 4, 11, and 18: Smith does not, but Larson discloses: receive, from the authentication server associated with the authentication service, an enrollment denial message that indicates a denial of the enrollment of the first device in the authentication service based at least in part on the attestation of the first device; and display, at a first user interface of the first device, the enrollment denial message based at least in part on receiving the enrollment denial message (see Larson, col. 6, lines. 56-63, where the client system (i.e., first device) runs an application to interact with the IVS (i.e. authentication server); see Larson, col. 24, lines 32-36, where a user provides identity data, in response to a prompt during an enrollment process, to an identity verification service (IVS); see col. 28, lines 8-12, where a user of a client system provides identity data includes an organization/enterprise ID (i.e., attestation); see col. 45, lines 57-67 where the application receive, from the IVS, an indication (i.e., enrollment denial message) of the user's enrollment status that indicates that the IVS was unable to verify the user’s identity, and displays the indication on a user interface, e.g., GUI, of the client system). It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it to receive, from the authentication server associated with the authentication service, an enrollment denial message that indicates a denial of the enrollment of the first device in the authentication service based at least in part on the attestation of the first device; and display, at a first user interface of the first device, the enrollment denial message based at least in part on receiving the enrollment denial message, as taught by Larson. The motivation is the same as presented in claim 1, 8, or 15. Regarding claim(s) 5, 12, and 19: Smith discloses: wherein the prompt to initiate the enrollment of the first device associated with the first user in the authentication service comprises: receiving, from the first user, one or more user inputs to associate the first user with the first device, the first device being associated with an identity provider that provides the authentication service (see fig. 1 and paras. 39, 58 and/or 97). Regarding claim(s) 6 and 13: Smith discloses: wherein the prompt to initiate the enrollment in the authentication service is displayed at a first user interface of the first device (see paras. 58 where the UE prompts the user to input credentials for authenticating, via the authentication service, to enroll to the device management service; see para. 97 where a prompt is displayed by a window for user input). Regarding claim(s) 7, 14 and 20: Smith discloses: wherein the second user of the organization associated with the device management provider is an administrative user for the device management provider (see paras. 28, 35, 40 where an admin user (i.e., second user) of an enterprise/company (i.e., organization) performs administrative operations to the UE and the device management service). 6. Claim(s) 3, 10, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith, Larson, and further in views of Barton et al. (US 2014/0032691 A1, hereafter Barton) and Verzun et al. (US 2019/0386969 A1, hereafter Verzun). Regarding claim(s) 3, 10, and 17: Smith does not, but Barton discloses: generate a signed device attestation to indicate that the first device is associated with the organization of the device management provider using a [signed] authentication certificate issued by the device management provider associated with the organization, wherein the enrollment request message comprises the signed device attestation (see Barton, para. 3 where a client/mobile device (i.e., first device) is issued to a user/employee by an organization/enterprise; see para. 86 where an enterprise has a certificate issuance service; see paras. 397-398, 401 where a client device has a client certificate issued by an enterprise, wherein the client certificate is used to sign an authentication message communicated from the client device to an authentication service; see para. 347 where a client device is authenticated based on user credentials associated with the client device. In other words, the client/mobile device generates a signed authentication message (i.e., enrollment request message) including user credentials (i.e., signed device attestation) of the client device associated with an organization of a certificate issuance service (i.e., device management provider) using a client certificate (i.e., authentication certificate) issued by the certificate issuance service). It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it to generate a signed device attestation to indicate that the first device is associated with the organization of the device management provider using an authentication certificate issued by the device management provider associated with the organization, wherein the enrollment request message comprises the signed device attestation, as taught by Barton, in order to sign an authentication message using a client certificate (see Barton, para. 398). Smith-Barton does not, but Verzun discloses: signed authentication certificate (see Verzun, para. 44, where a signed certificate is issued by a trust certificate authority). It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith-Barton's invention by enhancing it for signed authentication certificate, as taught by Verzun, in order for a trust certificate authority to issue a signed certificate (see Verzun, para. 44). Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HUAN V DOAN/Primary Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Apr 11, 2024
Application Filed
Jan 15, 2026
Non-Final Rejection mailed — §103
Apr 13, 2026
Response Filed
May 21, 2026
Final Rejection mailed — §103
Jul 07, 2026
Examiner Interview Summary
Jul 07, 2026
Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683959
BIOMETRIC AUTHENTICATION DURING VOICE DATA TRANSFERS
3y 1m to grant Granted Jul 14, 2026
Patent 12670256
IDENTIFY MALICIOUS SOFTWARE
1y 8m to grant Granted Jun 30, 2026
Patent 12665882
GATEWAY AND METHOD FOR OPERATING A GATEWAY
2y 11m to grant Granted Jun 23, 2026
Patent 12659311
Pseudo-Passwordless Authentication System
2y 7m to grant Granted Jun 16, 2026
Patent 12647457
INVALID TRAFFIC DETECTION USING EXPLAINABLE UNSUPERVISED GRAPH ML
1y 6m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
80%
Grant Probability
99%
With Interview (+42.1%)
2y 12m (~8m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 285 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month