Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is the initial office action has been issued in response to patent application, 18/769377, filed on 10 July 2024. Claims 1-20, as originally filed, are currently pending and have been considered below.
Information Disclosure Statement
The information disclosure statement filed 07/10/2024 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.
Specification
The disclosure is objected to because of the following informalities: in the applicant's specification, applicant recites “The computer readable medium may be a computer readable signal medium” (see paragraph 0008). “A computer readable signal medium may include a propagated data signal” (see paragraph 0010) “may take the form of acoustic or light waves” (see paragraph 0068). Examiner suggest amending to delete “signals”.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-15:
With respect to claim 1, claim 1 is directed to a system being configured to perform some functions/steps. To one of ordinary skill in the art all the functions/steps cited in claim 1 may be reasonably implemented as software routines. In applicant’s specifications, “Aspects of the present disclosure may take the form of… an entirely software embodiment (including firmware, resident software, micro-code, etc.) … aspects hat may all generally be referred to herein as a “circuit,” “module” or “system. (see 0008). When interpreted broadly as software routines, claim 1 does not cite any claim elements for performing the functions wherein the claimed elements of the system are limited to a machine or a physical part of a device within the meaning of 35 U.S.C. 101. It appears the functions/steps do not explicitly mention hardware components doing any one of the functions/steps in the system claims. Accordingly, claim 1 fails to recite statutory subject matter as defined in 35 U.S.C. 101.
With respect to claims 2-15, claims 2-15 are rejected for the same analysis above and dependent on claim 1.
Claims 1-20:
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) receiving first request, generate/send first code, authenticate user , received first level authentication service, a first message, authenticating user. The limitations of receiving first request, generate/send first code, authenticate user , received first level authentication service, a first message, authenticating user, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “microprocessor”, “processor”:, nothing in the claim element precludes the step from practically being performed in the mind.
This judicial exception is not integrated into a practical application because the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements are generic computer components claimed to perform their basic functions of receiving first request, generate/send first code, authenticate user , received first level authentication service, a first message, authenticating user. The recitation of the computer limitations amounts to mere instructions to implement the abstract idea on a computer, such as using a computer program to enable generate/send first code, authenticate user. Taking the elements both individually and as a combination, the computer components at each step of the management process perform purely generic computer functions. The claim as a whole does not amount to significantly more than the abstract idea itself. Accordingly, the claim recites an abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because with respect to integration of the abstract idea into a practical application, the additional element of using “microprocessor”, “processor” to perform both the comparing and determining steps amount to no more than mere instructions using a generic computer component which cannot provide an inventive concept. The claim is not patent eligible.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7-13, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chenna (US2014/0108810 A1, publish date 04/17/2014) in view of Sanctis et al. (US2025/0005127 A1, file date 06/29/2023).
Claims 1, 16, 20:
With respect to claims 1, 16, 20, Chenna discloses a system/method/non-transient computer readable medium having stored thereon instructions that cause a processor to execute a method (authenticating a user by using a certificate store and barcode scanner on a mobile device, Figure 4) comprising/the method comprising instructions to:
a microprocessor (Figure 1); and
a computer readable medium (a computer-readable medium, 0007), coupled with the microprocessor and comprising microprocessor readable and executable instructions that, when executed by the microprocessor, cause the microprocessor (includes instructions that enable a processing unit to implement one or more aspects, 0007) to:
receive a first request, from a user, to access a first, first level authentication
service (a client 401 requests a login page from a hosted application or service 403 (at 405), 0032, Figure 4, 405) (method 300 begins at step 305, where a user requests access to an application or service accessed over a network (e.g., an application hosted in a computing cloud), 0031) (supply credentials and request for access to application/service, Figure 3, 305);
generate a first code associated with the user, wherein the generated first code
associated with a user causes a redirection to a second level authentication service;
send the generated first code associated with the user (The application 403 generates a nonce at 410 and at 415 encodes the nonce and a URL in a QR code. The application 403 sends the QR code to the client 401. , 0032, Figure 4, 415, 420) (The logon page 710 includes a QR code 705 encoding an authentication challenge performed before the application will grant the user with access to the hosted application. the user may scan the QR code with a mobile device and respond to the authentication challenge encoded by posting the signed nonce to a URL embedded in the QR code. 0040);
authenticate the user based on a valid first authentication credential of the user,
wherein authenticating the user based on the valid first authentication credential is
accomplished at one of: the first, first level authentication service or the second level
authentication service (supply credentials and request for access to application/service, Figure 3, 305) (a user may have to provide a password or pin to the authentication app 118 to access the private key in the certificate store 117. 0027) (may prompt the user to supply authenticating credentials prior to accessing the private key stored on the mobile device. For example, a user may have to enter a pin code or password on the mobile device in order to access the certificate store, 0031, Figure 3, 315);
receive, at the first, first level authentication service, a first message from the
second level authentication service, wherein the first message sent from the second level authentication service is sent in response to the second level authentication service validating the generated first code associated with user (the client 401 displays the QR code. At 425, an app on the mobile device 402 scans the QR code to recover the encoded nonce and URL., the mobile device 402 retrieves a private key from a certificate store and uses it so sign the nonce., the application 440 validates the signature posted by the mobile device 402. At 445, the application 403 validates the certificate supplied by mobile device 402.,. 0032, Figure 4, 425, 435, 440, 445, 450); and
in response to authenticating the user based on receiving the first message from
the second level authentication service, allow access, by the user to a first resource (Once validated, the application 403 grants access to the client 401 (at 450). 0032, Figure 4, 450).
Sanctis et al. teaches a pre-authorizing for securing a session on a mobile entity application (Figure 1), User 102 may have a personal account within entity app 108. User 102 may be authenticated into the entity application 108 running on the desktop computer 106 and may have access to the personal account profile. (0087),
generate a first code associated with the user, wherein the generated first code (Advanced generation of the dynamic QR code for authenticating user 102 into mobile entity app may be enabled., Entity app 108 may be triggered to generate QR code 110 displayed on a user interface (“UI”) of computer 106., smartphone 104 may capture the QR code, 0088-0090) (Figure 1) associated with a user causes a redirection to a second level authentication service; send the generated first code associated with the user (The URL may be a short URL that may be redirectable. The short URL may redirect to a second URL. The second URL may be continuously changed., short URL may be configured to redirect a web browser of the second computing device to a first website , The first website when accessed, may instruct the central server to authenticate the user to the secure session, 0032-0035) (prior to a selection of the dynamic QR code, the user may be prompted to input a user ID and password and/or biometric signal as an additional form of authentication for the mobile entity app running on smartphone 202., 0095) (When the QR code is retrieved during the selected time period, the user may be enabled to be authenticated into the secure session at the mobile entity app, as shown at UI 210., 0098)(Figure 2) (parse QR code, access short URL, redirect to first website, Figure 6, 606, 608, 610, 612)
Chenna and Sanctis et al. are analogous art because they are from the same field of endeavor of secure authentication using codes.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Sanctis et al. in Chenna to provide two-factor authentication methods that do not require manual entry of an additional data element, such as by capturing a displayed image to leverage two-factor authentication and to provide for authentication methods that provides systems and methods for usage even when the second device is not accessible to the user at the time of the authentication, a dynamic data element that will only provide authentication to the user (See Sanctis et al. 0004, 0006).
Claim 2:
With respect to claim 2, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the first, first level
authentication service (supply credentials and request for access to application/service, Figure 3, 305) (a user may have to provide a password or pin to the authentication app 118 to access the private key in the certificate store 117. 0027).
Claim 3:
With respect to claim 3, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the second level
authentication service (the client 401 displays the QR code. At 425, an app on the mobile device 402 scans the QR code to recover the encoded nonce and URL., the mobile device 402 retrieves a private key from a certificate store and uses it so sign the nonce., the application 440 validates the signature posted by the mobile device 402. At 445, the application 403 validates the certificate supplied by mobile device 402.,. 0032, Figure 4, 425, 435, 440, 445, 450) (may prompt the user to supply authenticating credentials prior to accessing the private key stored on the mobile device. For example, a user may have to enter a pin code or password on the mobile device in order to access the certificate store, 0031, Figure 3, 315)
Claims 4, 17:
With respect to claims 4, 17, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the first, first level
authentication service and wherein the first message from the second level authentication service is sent, also based on a validation of a second authentication credential of the user received at the second level authentication service (the client 401 displays the QR code. At 425, an app on the mobile device 402 scans the QR code to recover the encoded nonce and URL., the mobile device 402 retrieves a private key from a certificate store and uses it so sign the nonce., the application 440 validates the signature posted by the mobile device 402. At 445, the application 403 validates the certificate supplied by mobile device 402.,. 0032, Figure 4, 425, 435, 440, 445, 450).
Claim 5, 18:
With respect to claims 5, 18, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the second level authentication service, wherein the first authentication credential of the user
comprises a password provided by the user, wherein the generated first code associated with the user comprises a username provided when the user first requests the access the first, first level authentication service, and wherein validation of the first authentication credential of the user is based on the password provided by the user at the second level authentication service and the username in the generated first code associated with the user (supply credentials and request for access to application/service, Figure 3, 305) (a user may have to provide a password or pin to the authentication app 118 to access the private key in the certificate store 117. 0027) (may prompt the user to supply authenticating credentials prior to accessing the private key stored on the mobile device. For example, a user may have to enter a pin code or password on the mobile device in order to access the certificate store, 0031, Figure 3, 315)
Claim 7:
With respect to claim 7, Chenna discloses wherein the generated first code is a Quick Response (QR) code that comprises a signed certificate that is validated by the second level authentication service (the authentication app signs the nonce using the private key from the certificate store and posts the signature along with the user's certificate to the URL encoded by the QR code., 0031) (Figure 7).
Claim 8:
With respect to claim 8, the combination of Chenna and Sanctis et al. discloses the limitations of claim 1, as addressed.
Chenna discloses wherein the signed certificate includes information that defines what the user can access and/or administer in the first resource (may be configured with CA certificates from certificate authority 127. Doing so allows relying application to validate that a public key listed in a certificate is, in fact, associated with a given user. Further, the relying application 107 may be configured to confirm that a given user's certificate is valid and not revoked as part of the authentication process by communicating with CRL/OSCP service 129 on CA server 125., 0025) (After the authentication component 528 verifies the signature, the certificate may be validated against CA certificates 532, 0035).
Sanctis et al. teaches includes information that defines what the user can access and/or administer in the first resource (authenticating the user into a secure session at the mobile entity app may further include authenticating the user to perform high-risk transactions , activity relating to profile changes, administrative functions and high dollar transfers may also be authenticated on the mobile device, 0079-0080).
Chenna and Sanctis et al. are analogous art because they are from the same field of endeavor of secure authentication using codes.
The motivation for combining Chenna and Sanctis et al. is recited in claim 1.
Claims 9, 19:
With respect to claims 9, 19, Chenna discloses wherein the microprocessor readable and executable instructions further comprise instructions to:
receive a second request to authenticate at a second, first level authentication
service;
generate a second code associated with the user, wherein the generated second
code associated with the user causes a redirection to the second level authentication
service;
send the generated second code associated with the user;
authenticate the user based on a valid second authentication credential of the user,
wherein authenticating the user based on the valid second authentication credential of the user is accomplished at one of: the first, first level authentication service or the second level authentication service;
receive, at the second, first level authentication service, a second message from
the second level authentication service, wherein the second message sent from the second level authentication service is sent in response to the second level authentication service validating the generated second code associated with user; and
in response to authenticating the user based on receiving the second message from
the second level authentication service, allow access, by the user, to a second resource (The short URL may redirect to a second URL. The second URL may be continuously changed. 0032) (to redirect the web browser of the second computing device to a second website when the time of the selection of the dynamic QR code is during a second time period. The second time period may follow the first time period., 0036) (When the dynamic QR code is deactivated, the QR code may be reactivated when an additional element of authentication may be provided. The additional element may include another biometric signal, an answer to a personal question that may be saved in the account profile of the user and/or a newly generated OTP from a third computing device, 0048).
Claim 10:
With respect to claim 10, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the first, first level
authentication service, wherein authenticating the user based on the valid second
authentication credential of the user is accomplished at the second, first level
authentication service, wherein the first message sent from the second level
authentication service is sent, also based on a validation of a third authentication
credential of the user received at the second level authentication service (to use an additional layer of authentication to the secure session. The additional layer may use a third computing device associated with the user for authentication. 0051) (the second computing device may be configured to transmit an electronic request to the third computing device for a generation of a one-time password (“OTP”)., 0052-0057) (When the second computing device captures the dynamic QR code, the second computing device may be configured to transmit an electronic communication to the third computing device. The electronic communication may include a request for a generation, by the OTP application, of an OTP, 0058), and wherein the second message sent from the second level authentication service is sent, also based on a validation of a fourth authentication credential of the user received at the second level authentication service (by verification of a user ID, password and one or more biometrics. 0027) (The additional element may include another biometric signal, an answer to a personal question that may be saved in the account profile of the user and/or a newly generated OTP from a third computing device., 0048).
Claim 11:
With respect to claim 11, Chenna discloses wherein authenticating the user based on the valid first authentication credential of the user is accomplished at the first, first level
authentication service (User 102 may be authenticated into the entity application 108 running on the desktop computer 106 and may have access to the personal account profile., 0087) wherein authenticating the user based on the valid second
authentication credential of the user is accomplished at the second (prior to a selection of the dynamic QR code, the user may be prompted to input a user ID and password and/or biometric signal as an additional form of authentication for the mobile entity app running on smartphone 202., 0095), first level authentication service, wherein the first message sent from the second level authentication service and the second message sent from the second level authentication are sent, also based on a validation of a third authentication credential of the user received at the second level authentication service (to use an additional layer of authentication to the secure session. The additional layer may use a third computing device associated with the user for authentication. 0051) (the second computing device may be configured to transmit an electronic request to the third computing device for a generation of a one-time password (“OTP”)., 0052-0057) (When the second computing device captures the dynamic QR code, the second computing device may be configured to transmit an electronic communication to the third computing device. The electronic communication may include a request for a generation, by the OTP application, of an OTP, 0058).
Claim 12:
With respect to claim 12, Chenna discloses wherein the access to the first resource is based on a redirection from the second level authentication service to the first, first level
authentication service and wherein the redirection from the second level authentication service to the first, first level authentication service is based on a redirection Uniform Resource Locator (URL) in the generated first code associated with the user and/or a service identifier (The application 403 generates a nonce at 410 and at 415 encodes the nonce and a URL in a QR code. The application 403 sends the QR code to the client 401. , 0032, Figure 4, 415, 420) (The logon page 710 includes a QR code 705 encoding an authentication challenge performed before the application will grant the user with access to the hosted application. the user may scan the QR code with a mobile device and respond to the authentication challenge encoded by posting the signed nonce to a URL embedded in the QR code. 0040)
Claim 13:
With respect to claim 13, Chenna and Sanctis et al. discloses the limitations of claim 1, as addressed.
Sanctis et al. teaches wherein the redirection URL comprises information that defines what the user can access and/or administer in the first resource (authenticating the user into a secure session at the mobile entity app may further include authenticating the user to perform high-risk transactions , activity relating to profile changes, administrative functions and high dollar transfers may also be authenticated on the mobile device, 0079-0080).
Chenna and Sanctis et al. are analogous art because they are from the same field of endeavor of secure authentication using codes.
The motivation for combining Chenna and Sanctis et al. is recited in claim 1.
Claim 15:
With respect to claim 15, Chenna discloses wherein the first resource is controlled by a first entity, wherein in response to authenticating the user based on receiving the first
message from the second level authentication service, access is also allowed, by the user, to a second resource controlled by a second entity (cloud computing allows a user to access virtual computing resources (e.g., storage, data, applications, and even complete virtualized computing systems) in "the cloud, 0023) (the computing environment includes a server computer 105 hosting a computing resource (e.g., application/service 107). The server computer 105 may be a physical computing system (e.g., a system in a data center) or may be a virtual computing instance executing within a computing cloud, 0024) (relying application 107 either grants or denies access to the requested resources on servicer 105 (e.g., cloud-based computing applications). 0029).
Claims 6, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Chenna (US2014/0108810 A1, publish date 04/17/2014) in view of Sanctis et al. (US2025/0005127 A1, file date 06/29/2023) further in view of Quintas et al. (US2017/0374067 A1, publish date 12/28/2017).
Claim 6:
With respect to claim 6, Chenna and Sanctis et al. discloses the limitations of claim 1, as addressed.
Neither Chenna and Sanctis et al. discloses wherein the first message from the second level authentication service is sent, also based on a validation of a device token of a
first communication device in the generated first code associated with the user
and a device token of a second communication device as claimed.
However, Quintas et al. teaches wherein the first message from the second level
authentication service is sent, also based on a validation of a device token of a
first communication device in the generated first code associated with the user
and a device token of a second communication device (The client device 106 can also execute a device token application 149. The device token application 149 can request a device posture token 151 from the device token generator 120. The device token application 149 can then provide the device posture token 151 to the verification device 107, which can determine whether the client device 106 complies with the security policies of an organization with which the verification device 107 is affiliated. (0041) The data structure can be encoded into a QR code or other digital or visual representation that the device token application 149 can obtain from the device token generator 120 and subsequently provide to the verification device 107 for verification. (0042) (The device posture token 151 can be displayed by the device token application 149 in a QR code or another barcode that can be visually encoded (0053) (the verification application 153 can obtain the device posture token 151 by capturing a QR code that the client device 106 has displayed on a user interface of a display of the client device 106, 0067) (Figure 5).
Chenna and Sanctis et al., Quintas et al. are analogous art because they are from the same field of endeavor of secure authentication using codes.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Quintas et al. in Chenna and Sanctis et al. for providing a trusted computing relationship can be established between the management service associated with the client device and the verification device to provide the verification device with a mechanism to verify the authenticity of the device posture token (and the contents thereof), to prevent security breaches, administrator authorization may be required for the trusted computing relationship to be established. (see Quintas et al. 0014)
Claim 14:
With respect to claim 14, Chenna and Sanctis et al. discloses the limitations of claim 1, as addressed.
Neither Chenna and Sanctis et al. discloses wherein the first code comprises location information of a first communication device of the user and wherein the location information of the first communication device is used as part of authenticating the user as claimed.
However, Quintas et al. teaches wherein the first code comprises location information of a first communication device of the user and wherein the location information of the first communication device is used as part of authenticating the user (The device token generator 120 can generate a device posture token 151 that can include one or more of a representation of one or more compliance rules that comprise the security policies of an enterprise, a representation of the compliance status of a client device 106, or other hardware and software properties of the client device 106 (i.e., state information). can encode the compliance status of the client device 106 and other metadata about the client device 106 into data structure or other alphanumeric encoding that can be encoded within a QR code or other data representation (0021) (Compliance rules 125 can be based on geographical location, the client device 106 can satisfy a compliance rule 125 when the client device 106 is located within a particular geographic location (0028) (the state information can include the location of the client device 106, 0039).
Chenna and Sanctis et al., Quintas et al. are analogous art because they are from the same field of endeavor of secure authentication using codes.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Quintas et al. in Chenna and Sanctis et al. for providing a trusted computing relationship can be established between the management service associated with the client device and the verification device to provide the verification device with a mechanism to verify the authenticity of the device posture token (and the contents thereof), to prevent security breaches, administrator authorization may be required for the trusted computing relationship to be established. (see Quintas et al. 0014)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, see PTO Form 892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468. The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HELAI SALEHI/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433