SYSTEM AND METHOD FOR PRE-REGISTRATION OF FIDO AUTHENTICATORS

§101 §102 §103 §112 §DP

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Election/Restrictions NO restrictions warranted at applicant’s time of filing for CONtinuation. Priority This application is a CONtinuation and claims domestic priority under 35 USC 120 to non – provisional application # 17/478512, filed on 09/17/2021, now US PAT # 12126613. Information Disclosure Statement The information disclosure statements (IDS) submitted on 10/15/2024, the submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Drawings Applicant’s drawings filed on 10/15/2024 have been inspected and are in compliance with MPEP 608.02. Specification Applicant’s specification filed on 10/15/2024 has been considered, and is in compliance with MPEP 608.01. Claim Objections NO claim objections warranted at applicant’s time of filing for CONtinuation. Claim Interpretation – 35 USC 112th f It is in the examiner’s opinion that claim[s] 1 – 20 do not invoke means for or step plus functional claim language under the meaning of the statute. Claim Rejections - 35 USC § 112 NO rejections warranted at applicant’s time of filing for CONtinuation. Claim Rejections - 35 USC § 101 NO rejections warranted at applicant’s time of filing for CONtinuation. Double Patenting The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a non-statutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claim[s] 1, 3, 5, 6, 8, 9, 11, 12, 14, 16 – 19 are rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 1, 4, 6, 9, 7, 12, 16 of U.S. Patent No. 12126613. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the subject matter of the reference patent are the same or similar in scope and are not distinct: After confirming an identity of a user by a relying party using a first identity verification technique as a result of the user performing a transaction with the relying party. During the first identity verification technique, the user verification reference data is collected and will be used in the next subsequent transaction with the relying party by use of second identity verification technique for authentication purposes. After the first identity verification technique has ended, requesting the user to personalize an authenticator of the user. Then after personalization of the authenticator, the user forwards a credential registration that includes the personalized authenticator to the relying party. Also, see the table below for a claim – by – claim comparison. Pending US Application # 18/915836 US PAT # 12126613 1. A method comprising: confirming an identity of a user by a relying party using a first identity verification technique responsive to the user performing a first transaction with the relying party; generating or collecting initial user verification reference data upon verification of the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user; receiving credential registration data of the authenticator after personalization; receiving a transaction request from the user that requires user authentication; and authenticating the user based on the authenticator and the credential registration data of the authenticator using a second identity verification technique. 1. (Currently Amended) A method comprising: confirming an identity of a user by a first relying party using a first identity verification technique responsive to the user performing a first transaction with the first relying party; generating or collecting initial user verification reference data upon verifying the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user, wherein the authenticator has not previously been registered to the user and the first relying party; storing or programming the initial user verification reference data or data derived from the initial user verification reference data into the authenticator; generating, by the authenticator, Fast Identity Online (FIDO) credentials including a first pair of a private key and a public key-pair; storing the FIDO credentials in a secure storage of the authenticator; providing the public key to the first relying party or an authentication server associated with the first relying party; securely providing the authenticator to the user; implementing, by the authenticator, a second identity verification technique by comparing the initial user verification reference data or data derived from the initial user verification reference data to data collected from the user or data collected from the authenticator; and providing proof of a successful verification of the identity of the user to the first relying party prior to or during performance of a second transaction with the first relying party. 3. The method of claim 1, wherein initial user verification reference data is injected to the authenticator as part of the personalization. 6. (Original) The method as in claim 1, further comprises integrating user-related attributes into the authenticator. 5. The method of claim 1, wherein personalization of the authenticator to be provided to the user is performed by a manufacturer of the authenticator, a device in which the authenticator is integrated, or a facility specialized in personalization. 4. (Currently Amended) The method as in claim 3, further comprising assembling or obtaining a new the authenticator to be personalized by the central personalization facility. 6. The method of claim 1, wherein the credential registration data of the authenticator is included in an attestation object signed using an attestation key associated with the authenticator or an authenticator model. 9. (Currently Amended) The method as in claim 1, further comprising: generating an attestation object, the attestation object comprising the public key signed by an attestation key of the authenticator; and providing the attestation object to the first relying party or the authentication server associated with the first relying party. 8. The method of claim 1, wherein the initial user verification reference data or data derived from the initial user verification reference data is to be provided to the user separately from the authenticator. 12. (Currently Amended) The method as in claim 11, wherein the initial user verification reference data or the data derived from the initial user verification reference data is provided to the user separately from the authenticator. 9. The method of claim 1, wherein generating or collecting the initial user verification reference data comprises obtaining a code to be entered by the user during the second identity verification technique. 16. (Currently Amended) The method as in claim 1, wherein generating the initial user verification reference data comprises generating a code to be entered by the user during the second identity verification technique. 11. The method of claim 1, wherein the authenticator is personalized through printing or engraving user-related attributes into the authenticator. 7. (Currently Amended) The method as in claim 6, wherein integrating the user-related attributes the integration comprises printing or engraving the user-related attributes into the authenticator. 12. A data processing system comprising: a processor coupled with a memory that store instructions that when executed by the processor, are capable of performing: confirming an identity of a user by a relying party using a first identity verification technique responsive to the user performing a first transaction with the relying party; generating or collecting initial user verification reference data upon verification of the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user; receiving credential registration data of the authenticator after personalization; receiving a transaction request from the user that requires user authentication; and authenticating the user based on the authenticator and the credential registration data of the authenticator using a second identity verification technique. 1. (Currently Amended) A method comprising: confirming an identity of a user by a first relying party using a first identity verification technique responsive to the user performing a first transaction with the first relying party; generating or collecting initial user verification reference data upon verifying the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user, wherein the authenticator has not previously been registered to the user and the first relying party; storing or programming the initial user verification reference data or data derived from the initial user verification reference data into the authenticator; generating, by the authenticator, Fast Identity Online (FIDO) credentials including a first pair of a private key and a public key-pair; storing the FIDO credentials in a secure storage of the authenticator; providing the public key to the first relying party or an authentication server associated with the first relying party; securely providing the authenticator to the user; implementing, by the authenticator, a second identity verification technique by comparing the initial user verification reference data or data derived from the initial user verification reference data to data collected from the user or data collected from the authenticator; and providing proof of a successful verification of the identity of the user to the first relying party prior to or during performance of a second transaction with the first relying party. 14. The data processing system of claim 12, wherein initial user verification reference data is injected to the authenticator as part of the personalization. 6. (Original) The method as in claim 1, further comprises integrating user-related attributes into the authenticator. 16. The data processing system of claim 12, wherein personalization of the authenticator to be provided to the user is performed by a manufacturer of the authenticator, a device in which the authenticator is integrated, or a facility specialized in personalization. 4. (Currently Amended) The method as in claim 3, further comprising assembling or obtaining a new the authenticator to be personalized by the central personalization facility. 17. A non-transitory machine-readable medium that stores instructions that when executed by a processor, are capable of performing: confirming an identity of a user by a relying party using a first identity verification technique responsive to the user performing a first transaction with the relying party; generating or collecting initial user verification reference data upon verification of the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user; receiving credential registration data of the authenticator after personalization; receiving a transaction request from the user that requires user authentication; and authenticating the user based on the authenticator and the credential registration data of the authenticator using a second identity verification technique. 1. (Currently Amended) A method comprising: confirming an identity of a user by a first relying party using a first identity verification technique responsive to the user performing a first transaction with the first relying party; generating or collecting initial user verification reference data upon verifying the identity of the user through the first identity verification technique; requesting personalization of an authenticator to be provided to the user, wherein the authenticator has not previously been registered to the user and the first relying party; storing or programming the initial user verification reference data or data derived from the initial user verification reference data into the authenticator; generating, by the authenticator, Fast Identity Online (FIDO) credentials including a first pair of a private key and a public key-pair; storing the FIDO credentials in a secure storage of the authenticator; providing the public key to the first relying party or an authentication server associated with the first relying party; securely providing the authenticator to the user; implementing, by the authenticator, a second identity verification technique by comparing the initial user verification reference data or data derived from the initial user verification reference data to data collected from the user or data collected from the authenticator; and providing proof of a successful verification of the identity of the user to the first relying party prior to or during performance of a second transaction with the first relying party. 18. The non-transitory machine-readable medium of claim 17, wherein the credential registration data of the authenticator is included in an attestation object signed using an attestation key associated with the authenticator or an authenticator model. 9. (Currently Amended) The method as in claim 1, further comprising: generating an attestation object, the attestation object comprising the public key signed by an attestation key of the authenticator; and providing the attestation object to the first relying party or the authentication server associated with the first relying party. 19. The non-transitory machine-readable medium of claim 17, wherein generating or collecting the initial user verification reference data comprises obtaining a code to be entered by the user during the second identity verification technique. 16. (Currently Amended) The method as in claim 1, wherein generating the initial user verification reference data comprises generating a code to be entered by the user during the second identity verification technique. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claim(s) 1, 3, 10, 12, 14, 17 is/are rejected under 35 U.S.C. 102(a)(2) as being taught by Nowak et al. [US PGPUB # 2019/0124081] As per claim 1. Nowak does teach a method [paragraph: 0001, Embodiments described herein generally relate to providing a variety of FIDO (“Fast IDentity Online”) authentication services to clients.] comprising: confirming an identity of a user by a relying party using a first identity verification technique responsive to the user performing a first transaction with the relying party [Figure # 2, and paragraph: 0025, lines 3 – 12, A user, such as a consumer and/or cardholder, wishing to register his or her user device 110 for FIDO authentication services interacts with the software development kit (SDK) 122 (see FIG. 1) running on the user's mobile device, which then discovers which type(s) of FIDO authenticators 128 are available. The user device 110 then transmits 202 a registration request to the IS core 104 that includes user data (such as a user identifier) and user device data (such as a device identifier), and including data that identifies the types of FIDO authenticators available.]; generating or collecting initial user verification reference data upon verification of the identity of the user through the first identity verification technique [Figure # 2, and paragraph: 0025, lines 12 – 18, The IS core 104 then verifies 204 the user data and user device data by, for example, establishing that the payload structure is correct (for example, that it includes data presented in a predefined manner which includes a user identifier, a device identifier and the like), and by ensuring that the payload has arrived from a registered device.]; requesting personalization of an authenticator to be provided to the user [Figure # 2, and paragraph: 0027, lines 1 – 4, The FIDO services user registration process 200 next includes the IS Core 104 transmitting 230 the FIDO challenge message along with a registration response to the user device 110]; receiving credential registration data of the authenticator after personalization [Figure # 2, and paragraph: 0027, lines 8 – 20, The user then interacts with the SDK of the user device 110 and provides FIDO authentication data (by interacting with one or more FIDO authenticators associated with the user's smartphone, for example) to satisfy the native authentication application (for example, a biometric application requiring fingerprint data from a FIDO fingerprint reader component) [i.e. applicant’s…personalization]. The user then utilizes the user device 110 to transmit 238 the registration response to the IS core 104, which then verifies 240 the payload (which includes a Universal Authentication Framework (UAF) registration response along with data such as the user identifier and the device identifier for consumption by the IS core 104).]; receiving a transaction request from the user that requires user authentication [Figure # 2, and paragraph: 0027, lines 8 – 20, The user then utilizes the user device 110 to transmit 238 the registration response to the IS core 104, which then verifies 240 the payload (which includes a Universal Authentication Framework (UAF) registration response along with data such as the user identifier and the device identifier for consumption by the IS core 104).]; and authenticating the user based on the authenticator and the credential registration data of the authenticator using a second identity verification technique [Figure # 2, and paragraph: 0027, lines 27 – 36, The IS core then transmits 242 the registration response to the routing engine 108. The routing engine 108 then retrieves 243 the FIDO registration response, retrieves 244 the application identifier, locates 246 the correlation identifier, selects 248 the ACME FIDO-certified server 114, and then transmits 250 the registration response and the correlation identifier to the ACME FIDO-certified server 114. The ACME FIDO-certified server 114 then retrieves 252 the FIDO facet and the authentication identifier, conducts 254 a verification process (as explained above), and transmits 256 the registration result to the routing engine 108, which forwards 258 the registration result to IS core 104. The IS core 104 then conducts 260 secure processing (as explained above) and transmits 262 the registration result to the user device 110, which typically then displays a “registration successful” message to the user on a display component.]. As per claim 3. Nowak does teach the method of claim 1, wherein initial user verification reference data is injected to the authenticator as part of the personalization [Figure # 2, and paragraph: 0027, lines 8 – 20, The user then interacts with the SDK of the user device 110 and provides FIDO authentication data (by interacting with one or more FIDO authenticators associated with the user's smartphone, for example) to satisfy the native authentication application]. As per claim 10. Nowak does teach the method of claim 1, wherein receiving the credential registration data of the authenticator after personalization comprises accessing a database by the relying party or an authentication server [Figure # 2, and paragraph: 0027, lines 27 – 36, The IS core then transmits 242 the registration response to the routing engine 108. The routing engine 108 then retrieves 243 the FIDO registration response, retrieves 244 the application identifier, locates 246 the correlation identifier, selects 248 the ACME FIDO-certified server 114, and then transmits 250 the registration response and the correlation identifier to the ACME FIDO-certified server 114. The ACME FIDO-certified server 114 then retrieves 252 the FIDO facet and the authentication identifier, conducts 254 a verification process (as explained above), and transmits 256 the registration result to the routing engine 108,]. As per data processing system claim 12 that includes the same or similar claim limitations as method claim 1, and is similarly rejected. *** The examiner notes that applicant’s recited: processor, memory, instructions, is taught by the prior art of Nowak, at paragraph: 0023, lines 6 – 16. As per data processing system claim 14 that includes the same or similar claim limitations as method claim 3, and is similarly rejected. As per non – transitory machine – readable medium claim 17, that includes the same or similar claim limitations as method claim 1, and is similarly rejected. *** The examiner notes that applicant’s recited: processor, non – transitory machine readable medium is taught by the prior art of Nowak, at paragraph: 0023, lines 6 – 16. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or non-obviousness. Claim(s) 2, 13, is/are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al. [US PGPUB # 2019/0124081] in view of Avetisov et al. [US PGPUB # 2022/0255931] As per claim 2. Nowak does teach what is taught in the rejection of claim # 1, above. Nowak does not clearly teach the method of claim 1, wherein the relying party corresponds to an employer for which the identity of the user is to be verified. However, Avetisov does teach the method of claim 1, wherein the relying party corresponds to an employer for which the identity of the user is to be verified [paragraph: 0198, An example relying device 140 is shown. Examples of a relying device 140 may include a workstation which one or more users may access, such as to access one or more resources the workstation is configured to or permitted to access for authenticated users. Thus, for example, the relying device 140 may be a client-type device (e.g., like a relying device 140), and the relying device may be configured to access one or more online resources provided by a relying party. A relying device 140 may be associated with the relying party, an example of which may include an employer issued workstation where the online resources may include one or more internal resources of the employer. The disclosure, however, is not so limited. The relying party may provide 3.sup.rd party services (e.g., 3.sup.rd party online resources) to the employer, which employees may be permitted to access, such as via an employer issued workstation (or other device which relies on or is permitted to access the 3.sup.rd party services).]. It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Nowak and Avetisov in order for the requesting user of the first request to the IS Core for access and selection of a FIDO certified server of Nowak to include federated identity management operations of Avetisov. This would allow for the IS Cor to choose the appropriate authenticating FIDO certified server regardless of type of third-party platform the user is requesting access to with his/her credentials. See paragraph: 0003 of Avetisov. As per data processing system claim 13 that includes the same or similar claim limitations as method claim 2, and is similarly rejected. Claim(s) 4, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al. [US PGPUB # 2019/0124081] in view of Costigan et al. [US PAT # 10075437] As per claim 4. Nowak does teach what is taught in the rejection of claim # 1, above. Nowak does not clearly teach the method of claim 1, wherein personalization of the authenticator to be provided to the user is performed for an employer of the user. However, Costigan does teach the method of claim 1, wherein personalization of the authenticator to be provided to the user is performed for an employer of the user [col. 8, lines 4 – 16, It is expected that users will acquire FIDO UAF Authenticators in various ways, such as: they purchase a new system that comes with embedded FIDO UAF Authenticator capability; they purchase a device with an embedded FIDO UAF Authenticator, or they are given a FIDO Authenticator by their employer or some other institution such as their bank. After receiving a FIDO UAF Authenticator, the user must go through an authenticator-specific enrollment process, which is outside the scope of the FIDO UAF protocols.]. It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Nowak as modified and Costigan in order for the requesting user of the first request to the IS Core for access and selection of a FIDO certified server of Nowak as modified to include federated identity management operations of Costigan. This would allow for the IS Cor to choose the appropriate authenticating FIDO certified server regardless of type of third-party platform the user is requesting access to with his/her credentials. See col. 2, lines 31 – 37 of Costigan. As per data processing system claim 15 that includes the same or similar claim limitations as method claim 4, and is similarly rejected. Claim(s) 5, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al. [US PGPUB # 2019/0124081] in view of Boydstun et al. [US PAT # 7257834] As per claim 5. Nowak does teach what is taught in the rejection of claim # 1, above. Nowak does not clearly teach the method of claim 1, wherein personalization of the authenticator to be provided to the user is performed by a manufacturer of the authenticator, a device in which the authenticator is integrated, or a facility specialized in personalization. However, Boydstun does teach the method of claim 1, wherein personalization of the authenticator to be provided to the user is performed by a manufacturer of the authenticator, a device in which the authenticator is integrated, or a facility specialized in personalization [col. 12, lines 15 – 30, Two other paths in the security framework database scheme include several tables of information related to a legacy authenticator. If one is to migrate from one authenticator to a new authenticator certain advantage may be obtained by providing a subset of information which is related to the user and their status and information about them from the prior authenticator. One advantage would be that when the migration is complete, information stored in the new authenticator could be compared with information stored in the prior authenticator to verify a successful and complete migration. It provides a backward mapping into the old authenticator. If during the migration (or in the early period following the migration) trouble in an account was encountered, the problem could be fixed by accessing these tables as a reference]. It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Nowak as modified and Boydstun in order for after authentication of the requesting user of the first request message containing the user's authentication data of Nowak as modified to include encrypting the user received authentication data of Boydstun. This would allow for the user's authentication data to be secured while at rest in the IS cor or the FIDO certified server. See col. 1 lines 26 - 41 of Boydstun. As per data processing system claim 16 that includes the same or similar claim limitations as method claim 5, and is similarly rejected. Claim(s) 6, 7, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al. [US PGPUB # 2019/0124081] in view of Law et al. [US PGPUB # 2023/0020611] As per claim 6. Nowak does teach what is taught in the rejection of claim # 1, above. Nowak does not clearly teach the method of claim 1, wherein the credential registration data of the authenticator is included in an attestation object signed using an attestation key associated with the authenticator or an authenticator model. However, Law does teach the method of claim 1, wherein the credential registration data of the authenticator is included in an attestation object signed using an attestation key associated with the authenticator or an authenticator model [paragraph: 0097, lines 11 – 30, generating a transaction confirmation response comprising a device authentication signature signed by the device authenticator private key]. It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Nowak as modified and Law in order for after authentication of the requesting user of the first request message containing the user's authentication data of Nowak as modified to include securing the user received authentication data of Law. This would allow for the user's authentication data to be secured while at rest at the IS cor, and FIDO certified server during verification operations. See paragraph: 0042 of Law. As per claim 7. Nowak as modified does teach the method of claim 1, wherein the credential registration data of the authenticator comprises a public key of a key pair [Law, paragraph: 0097, lines 11 – 30, private key]. As per non – transitory machine – readable medium claim 18, that includes the same or similar claim limitations as method claim 6, and is similarly rejected. Claim(s) 8, 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al. [US PGPUB # 2019/0124081] in view of Park et al. [US PGPUB # 2018/0341763] As per claim 8. Nowak does teach what is taught in the rejection of claim # 1, above. Nowak does not clearly teach the method of claim 1, wherein the initial user verification reference data or data derived from the initial user verification reference data is to be provided to the user separately from the authenticator. However, Park does teach the method of claim 1, wherein the initial user verification reference data or data derived from the initial user verification reference data is to be provided to the user separately from the authenticator [Figure # 4, and paragraph: 0076, then the service server 102 transmits the optical code to the first user terminal 104 in operation S416]. It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Nowak as modified and Park in order for after authentication of the requesting user of the first request message containing the user's authentication data of Nowak as modified to include multi-period authentication operations of Park. This would allow for a dynamic multiple user input authentication operations to prevent unauthorized access of the requested resource or service by an unauthorized user of the IS cor or the FIDO certified server. See paragraph: 0008 of Park. As per claim 9. Nowak as modified does teach the method of claim 1, wherein generating or collecting the initial user verification reference data comprises obtaining a code to be entered by the user during the second identity verification technique [Park, paragraph: 0053, In addition, according to the embodiments of the present disclosure, the optical code displayed on the first user terminal 104 is photographed through an optical module included in the second user terminal 106 so that the random number required for the authentication process can be easily recognized. In this case, the user may easily ensure proximity to the first user terminal 104 using the second user terminal 106 owned by the user and a short-range wireless communication module, such as a Bluetooth module, does not need to be installed in the first user terminal 104 in order to ensure the proximity to the first user terminal 104 and the second user terminal 106.]. Allowable Subject Matter Claim[s] 11 contains allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a). Claim[s] 11 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. ***The examiner notes that a reasons for allowance can be written in the next subsequent office action, once all formal requirements have above have been overcome. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Queralt et al., who does teach a method for integrating FIDO authentication systems and User verification systems. The system is provided in one configuration as a mobile app that allows access to highly sensitive information via a mobile device while simultaneously ensuring a highly secured environment authenticating both the mobile device and the user via a highly reliable authentication process. Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571- 272- 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /DANT B SHAIFER HARRIMAN/ Primary Examiner, Art Unit 2434