SYSTEMS AND METHODS FOR AN AUTHORIZED IDENTIFICATION SYSTEM

§101 §112 §DOUBLEPATENT

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This final action is in response to the applicant’s communication received on 12/10/2025 (“Amendment”). Claim Status Claims 1, 2, 4, 6, 8, 9, 11, 13, 15, 16, 18, and 20 have been amended. Claims 3, 10, and 17 have been canceled while claims 21-23 have been newly added. Claims 1-2, 4-9, 11-16, and 18-23 are pending. Continuation This application is a continuation application of U.S. application no. 17/718,044 filed on April 11, 2022, now U.S. Patent 12,008,568 ("Parent Application") which is a continuation of U.S. application no. 15/897,370 filed on February 15, 2018, now U.S. Patent 11,301,847 ("Parent Application"). See MPEP §201.07. In accordance with MPEP §609.02 A. 2 and MPEP §2001.06(b) (last paragraph), the Examiner has reviewed and considered the prior art cited in the Parent Application. Also in accordance with MPEP §2001.06(b) (last paragraph), all documents cited or considered ‘of record’ in the Parent Application are now considered cited or ‘of record’ in this application. Additionally, Applicant(s) are reminded that a listing of the information cited or ‘of record’ in the Parent Application need not be resubmitted in this application unless Applicant(s) desire the information to be printed on a patent issuing from this application. See MPEP §609.02 A. 2. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-2, 4-9, 11-16, and 18-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Per claim 1, the claim has been amended to recite that the “device identifier” is “derived from user device data”. Instant specification mentions “device identifier” or “device ID” in paragraphs [0029], [0040], [0043], [0046], and [0049]. The Specification, however, does not show support that the device identifier is derived from user device data. Furthermore, the claim recites that the updated data includes location data and an operation status of a user device associated with the user and that the computing system verifying the location data and the operational status (i.e., operation status of the user device received in real-time) against the user device data. While the Specification discloses receiving data from the carrier about the device in real time (e.g., location) and comparing the user device identifier data in the message to the user device identifier data from the carrier, the specification does not disclose receiving the location data and the operational status of the user device and that the location data and the operation status of the user device data are verified against the user device data. Furthermore, the specification does not particular recite “operational status” of the user device. The only description that suggests operational status is whether the user device is off and/or the application(s) are not running in paragraphs [0029], [0040], and [0049]. Here, the section describes an alternate embodiment, i.e., rather than checking the location, the system checks to see whether the user device is off and/or the application(s) are not running, not both. Furthermore, the claim clearly recites that the verification of the operational status of the user device is performed against the user device data. One of ordinary skill would appreciate that the recitation would suggest some comparison against the received operational status of the user data against the user device data, i.e., stored user device data (see applicant’s interpretation of the claim in page 10 of the Amendment). The Specification, however, only discloses that the verification is performed merely by pinging the enrolled user device. Even if the verification of the location of the user device and the operation status of the user device received from the MNO is verified against the stored device data in the specification, the Specification does not provide how this is achieved, i.e., where the device data is stored and updated to reflect dynamic information of the device and how the computing system gets this updated stored information. Furthermore, the claim is rejected as the specification provides one species in that the real-time updated data about the device identifier is received from MNO (i.e., carrier). The applicant does not have possession of the genus as claimed as the claim is broad to include the real-time updated data about the device identifier received from other sources. The other independent claims, i.e., claims 8 and 15, are rejected similarly as they are significantly similar to claim 1. The dependent claims are rejected as they depend on claim(s) above. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-2, 4-9, 11-16, and 18-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does not fall within at least one of the four categories of patent eligible subject matter because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. MPEP 2106 provides step(s) in determining eligibility under 35 U.S.C. § 101. Specifically, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter. If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception. If an abstract idea is present in the claim, any additional elements in the claim must integrate the judicial exception into a practical application. If not, the inquiry continues to see whether any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself. Examples of abstract ideas include mathematical concepts, mental processes, and certain methods of organizing human activities. Under Step 1, claims 1-2, 4-7 and 21 are directed to a directed to a method (i.e. process), claims 8-9, 11-14, and 22 are directed to a system, while claims 15-16, 18-20, and 23 are directed to a non-transitory computer-readable media. Thus, the claimed inventions are directed towards one of the four statutory categories under 35 USC § 101. Nevertheless, the claims also fall within the judicial exception of an abstract idea without significantly more. Step 2A, 1st prong: Claim 1 recites: A method comprising: receiving, by a computing system, from an aggregator computing system, an access request of an account at a financial institution, the access request including a user identifier associated with a user of the account and encrypted authentication information, wherein the encrypted authentication information comprises a token identifier and a device identifier derived from user device data; decrypting, by the computing system, the encrypted authentication information; matching, by the computing system, the decrypted authentication information against stored authentication information associated with the user identifier of the user; receiving, by the computing system, real-time updated data about the device identifier, the updated data including location data and an operational status of a user device associated with the user; verifying, by the computing system, the location data and the operational status against the user device data; and providing, by the computing system, an authentication decision to the aggregator computing system, the authentication decision enabling the aggregator computing system to access and display information of the account to the user. (Emphasis added on the additional element(s)) The claim recites providing an authentication decision to an entity thereby enabling the entity to access and display information of the account to a user. To describe another way, the claim recites an authentication process for allowing of access of the account at a financial institution. The claim achieves this by receiving a request that includes a user identifier associated with a user of the account and encrypted authentication information (i.e., a token identifier and a device identifier) from an aggregator; decrypting the encrypted authentication information; matching the decrypted authentication information against stored authentication information associated with the user identifier of the user; receiving updated data about the device identifier (i.e., location data and an operational status of a used device associated with the user); verifying the location data and the operational status against the user device data; and providing an authentication decision to the aggregator. As such, the claim recites a certain method of organizing human activity, mitigating risk/commercial or legal interactions. Furthermore, the encryption/decryption at high level generality, under the broadest reasonable interpretation, is a mental process that can be performed in human mind with pen and paper. As such, the claim recites abstract idea. Moreover, the process of matching and verifying of information using gathered information is a mental process that can be performed in human mind with pen and paper. The other independent claims, i.e., claims 8 and 15, are significantly similar to claim 31. As such, claims 8 and 15 also recites abstract idea. The examiner further notes that the claim recitation of “enabling the aggregator computing system to access and display information of the account to the user” is descriptive of intended use of the authentication decision. Under the Step 2A (prong 2), this judicial exception is not integrated into a practical application. Specifically, the additional elements in the claim(s), i.e. computing system(s), real-time, network interface, database, and server system comprising a processor and instructions stored in non-transitory computer-readable media, are recited at a high-level generality such that it amounts to no more than mere instructions to implement the abstract idea, and/or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f). These limitation, e.g. abstract idea as described above, do not represent: Improvements to the functioning of the computing system or the components of the computing system(s) including the server system comprising the processor and non-transitory computer-readable media, network interface or to any other technology or technical field - see MPEP 2106.05(a). The examiner further submits that receiving real-time updated data about the device identifier is merely a data gathering using a computer. Under Step 2B, examiners should evaluate additional elements individually and in combination to determine whether they provide an inventive concept (i.e. whether the additional elements amount to significantly more than the exception itself). Here, the claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Specifically, the claims as a whole, taken individually and in combination, do not provide an inventive concept. As explained above with respect to the integration of the abstract idea into a practical application, the additional elements used to perform the claimed judicial exception amount to no more than mere instructions to implement the abstract idea on a computer or computer components, and/or merely uses a computer as a tool to perform an abstract idea. Mere instructions to implement the abstract idea on a computer, or merely using the computer as a tool to perform an abstract idea to apply the exception using a generic computer component cannot provide an inventive concept. Looking at the limitations as a combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of the elements improves the functioning of the recited computer system or its components individually or in combination. For these reasons, the claims are rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter. Dependent claims 2, 5-6, 9, 12-13, 16, and 19-23 further expand and recite the abstract idea without further additional element(s). Dependent claims 4, 11, and 18 further expand and recite the abstract idea. Even when taking the asymmetric encryption or a commutative encryption algorithm into consideration, the algorithm is considered as mathematical formula, hence abstract idea. Dependent claims 6-7, 13-14, and 20 further expand and recite abstract idea as the claims recite a particular algorithm, i.e., authenticated key exchange and a password authenticated key exchange protocol. Response to Argument(s) The applicant asserts that the claim does not recite any judicial exception, particularly that the step(s) such as decrypting encrypted authentication information and verifying real-time location data and operational status against stored device data cannot be performed in the human mind or on paper because they require network communication, real-time device telemetry, and cryptographic processing. In response, the examiner finds that the applicant attempts to conflate the step 2A 1st prong test with step 2A, 2nd prong test. As explained in the 101 section above, the network communication and real-time device telemetry (i.e., receiving in real-time information) amount to no more than mere instruction to implement the abstract idea and/or uses a computer as a took to perform the abstract idea. The recitation of receiving information and performing analysis, i.e., matching and verification, are indeed an abstract idea that can be performed in human mind. Insofar as the encryption/decryption is concerned, the concept is a mathematical formula and the encryption/decryption at high level could be performed in human mind. As explained above, receiving an access request to account information, making an authentication decision by performing verification(s) using data, and providing the authentication decision is a fundamental economic practice. The applicant asserts that the claim integrates the judicial exception into a practical application as the claim provides an improvement in security within distributed account access systems, reduces susceptibility to credential-only attacks, and applies cryptographic and telemetry-based verification techniques. The examiner respectfully disagrees. As explained above, the cryptography is an abstract idea and the authentication technique as recited in the claim(s) are abstract idea. The additional element of telemetry, i.e., network and real-time, are merely computer component used to implement the abstract idea. These additional elements, individually or in combination, do not improve upon the computer system that is responsible for performing the step(s), network, and/or real-time communication. The applicant asserts that the combination of additional elements amounts to significantly more than any alleged abstract idea as the verification step represents a non-conventional and non-generic technological improvement over routine authentication technique. First, the examiner would like to point out that authentication is an abstract idea as described above. The verification process as recited in the claim(s) merely gathers information and utilizes a mental process to result authentication decision. These additional elements, individually or in combination, do not improve upon the computer system that is responsible for performing the step(s), network, and/or real-time communication. Prior Art Rejection and the double patenting rejection have been withdrawn as the prior art alone or in combination does not teach “receiving, by the computing system, real-time updated data about the device identifier, the updated data including location data and an operational status of a user device associated with the user; verifying, by the computing system, the location data and the operational status against the user device data”. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20100191837 A1 discloses location awareness and utilizing location in verification of the mobile device prior to providing requested service; US 10154029 B1 discloses creating a symmetric key using the extracted secret knowledge data (e.g., using a Password Authenticated Key Exchange Protocol). The symmetric key is used to encrypt the biometric matching data. Also discloses a technique that utilize a key agreement scheme, such as Diffie-Hellman ("D-H"), to create the symmetric encryption key. Also discloses the financial institution using the stored secret knowledge factor to generate a symmetric key using the agreed-upon commutative encryption algorithm; US 20090288143 A1 discloses Password-based protocols in which the client computer and server system shared the plaintext password and exchanged encrypted information to allow them to derive a shared session key; US 9003506 B2 discloses mobile out of band authentication; US 9552245 B1; US 9786015 B1; US 9953318 B1; US 10108432 B1; and US 10607300 B1 discloses aggregation service utilizing credentials. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEVEN S KIM whose telephone number is (571)270-5287. The examiner can normally be reached on Monday -Friday: 7:00 - 3:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on 571-272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /STEVEN S KIM/Primary Examiner, Art Unit 3698