DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continuation
This application is a continuation application of US 17/821,748 (filed on Aug. 23, 2022 – now US Patent No. 12,250,317). The prosecution history and references cited in the above application have been fully considered.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 12,250,317. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of the instant application are anticipated by claims 1-17 of the conflicting patent.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 2-5, 14, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 2, 14, and 20 recite limitations of “wherein performing the login procedure” and “wherein the instructions to perform the login procedure” and are dependent on parent claims 1, 13, and 19, respectively. A “selection…to use the passkey authentication for a login procedure” is received in their respective parent claims. However, this is not the same as an active step of performing the login procedure. Thus, claims 2, 14, and 20 are further defining a step that does not exist. Claims 3-5 are dependent on claim 2 and similarly rejected.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-8, 11-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2022/0116392 to Shah et al. (hereinafter, “Shah”) in view of US 2020/00214481 to Chumbley (hereinafter, “Chumbley”).
As per claim 1: Shah discloses: A method for (systems, methods, and apparatus for contextual access control using an authentication technique [Shah, ¶0039]), comprising: receiving, via a web browser executing on a device associated with a user of the identity management platform (a browser application can communicate with a client device to receive an access request to an item of content [Shah, ¶0054]), capability information associated with the device that indicates whether the device is capable of using (the access request can include contextual factors, including hardware context of the client device indicating compatible authentication techniques [Shah, ¶0128, 0138]; for example, if the client device does not include a fingerprint sensor, the hardware context would indicate the lack of said sensors and fingerprint authentication would not be used [Shah, ¶0069]); transmitting, for display at a user interface configured for a client of the identity management platform associated with the user and based at least in part on enabling the (a server provides a selection request for one or more authentication techniques compatible for verification on an interface component of the client device, wherein the client device includes a browser to render information accessed by client application [Shah, ¶0042, 0046]); and receiving, from the user via the user interface, a selection of the option to use the (the operator of the client device can select one or more authentication techniques presented to them [Shah, ¶0046]).
Furthermore, Shah presents an example listing of authentication techniques [Shah, ¶0057; Fig. 3]. Shah does not explicitly disclose, but Chumbley discloses: an improved account authentication process using public-private key cryptography instead of passwords (i.e., a “passkey authentication”) [Chumbley, ¶0052].
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to try and use any known user authentication techniques Shah with reasonable success. The public-private key (passkey) authentication technique described in Chumbley would have improved user authentication security over conventional password-based methods, as a private key of a public-private key pair is securely stored [Chumbley, ¶0052].
As per claim 2: Shah in view of Chumbley disclose all limitations of claim 1. Shah does not explicitly disclose, but Chumbley discloses: wherein performing the login procedure comprises: transmitting an indication of a cryptographic challenge to the device associated with the user (a web authentication server generates a challenge to be used for authenticating the user device [Chumbley, ¶0078]; the server encrypts the challenge with the public key of the user and sends the encrypted challenge to the user device [Chumbley, ¶0079-0080]); receiving an indication of a cryptographic response from the device in response to the cryptographic challenge, wherein the cryptographic response (receiving a response from the user device [Chumbley, ¶0082]); and authenticating the user (the server then processes the response to authenticate the user device [Chumbley, ¶0083]).
Chumbley discloses an embodiment of encrypting the challenge with the public key of the user device and receiving a decrypted challenge as the response from the user device. The claimed invention recites a process that is the inverse of the operations of Chumbley. Furthermore, Chumbley explicitly suggests that the “public key may be used for public functions such as encrypting a message to send to the entity or for verifying a digital signature” and “private key, on the other hand, may be used for private functions such as decrypting a received message or applying a digital signature” [Chumbley, ¶0043]. Therefore, the challenge can be signed by the user’s device using the private key and then subsequently verified by the server using the corresponding public key.
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to try any known variations of utilizing public-key cryptography to authenticate a user. Signing a plaintext challenge with a private key to generate a digital signature as a response for the web authentication server would have achieved the same predictable results as encrypting the challenge and receiving the decrypted challenge as the response. With either method, the goal of verifying that the user’s device is in possession of the private key corresponding to the public key would have been achieved (e.g., see [Chumbley, ¶0052], authentication through proof that the user device has access to the private key corresponding to a registered public key).
As per claim 3: Shah in view of Chumbley disclose all limitations of claim 2. The motivations for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: further comprising: determining that the device has access to a private key associated with the user based at least in part on the digital signature in the cryptographic response, wherein authenticating the user is based at least in part on determining that the device has access to the private key (the user device proves it has access to the private key corresponding to the registered public key [Chumbley, ¶0052]; therefore, (as discussed in claim 2) proof can be achieved by using the private key to decrypt an encrypted challenge by its corresponding public key, or using the private key to sign the challenge and provided as response to be verified using its corresponding public key).
As per claim 5: Shah in view of Chumbley disclose all limitations of claim 3. The motivation for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: wherein the private key is generated and stored at the device after the user selects the option to use the passkey authentication for the login procedure (the user device generates a public-private key pair in response to input to the user interface [Chumbley, ¶0057]; the private key is then securely stored on the user device [Chumbley, ¶0058]).
As per claim 6: Shah in view of Chumbley disclose all limitations of claim 1. The same motivations for incorporating Chumbley in claim 1 is also applicable herein. Therefore, Shah in view of Chumbley disclose: further comprising: receiving an indication that the user has registered the public key with the client of the identity management platform, wherein obtaining the public key for the user is based at least in part on the indication (the user registers the public key with the web authentication server (corresponding to the server in Shah) that includes providing the public key to the web authentication server via a registration request message [Chumbley, ¶0052, 0059]).
As per claim 7: Shah in view of Chumbley disclose all limitations of claim 1. The same motivations for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: wherein receiving the selection of the option to use the passkey authentication comprises: receiving the selection via the web browser executing on a device associated with the user (the one or more authentication techniques selection compatible with the client device can be displayed on an interface component of the client device, wherein an embedded browser enables the operator of the client device to communicate with the server [Shah, ¶0042, 0046]), wherein a public key of the user is stored at the identity management platform in association with the user, the web browser, the device, an operating system of the device, or a combination thereof (sending a registration request message that includes the user device’s public key to the web authentication server [Chumbley, ¶0059]; wherein the public key is stored in a database and associated with an account name of the user [Chumbley, ¶0062-0063]).
As per claim 8: Shah in view of Chumbley disclose all limitations of claim 1. The same motivations for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: further comprising: storing a public key at the identity management platform in association with an identifier of the user, a password of the user, an account number associated with the user, or a combination thereof, wherein the public key is retrieved from the identity management platform after the user initiates the login procedure (the web authentication server stores account names in a public key database and verifies that the public key is registered in said database [Chumbley, ¶0076-0077]; the account name and public key are associated during a registration period [Chumbley, ¶0074]).
As per claim 11: Shah in view of Chumbley disclose all limitations of claim 1. The same motivations for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: further comprising: configuring a passkey for the user based at least in part on performing one or more application programming interface calls to a web authentication service, wherein the passkey comprises a public key and a corresponding private key associated with the user (the user device generates a public-private key pair and registers the public key with the web authentication server (corresponding to the information processing system of Yasuda) of the account provider [Chumbley, ¶0062, 0068]; an API may be used to build applications to allow communications between entities [Chumbley, ¶0047]).
As per claim 12: Shah in view of Chumbley disclose all limitations of claim 1. . The same motivations for incorporating Chumbley in claims 1 and 2 are also applicable herein. Therefore, Shah in view of Chumbley disclose: wherein displaying the option to use the passkey authentication comprises: transmitting, for display at the user interface, a first option to use the passkey authentication for the login procedure and a second option to use other credentials for the login procedure, wherein the first option is selected by the user (the client device receives a request to select one or more authentication techniques for verification (in view of Chumbley, passkey would be one of the authentication techniques), wherein the selection request is displayed on the client device [Shah, ¶0046]).
As per claim 13: Claim 13 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 13 is directed to an apparatus performing the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 13.
As per claim 14: Claim 14 incorporates all limitations of claim 13 and is an apparatus corresponding to the method of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 13 are equally applicable to claim 14 and rejected for the same reasons.
As per claim 15: Claim 15 incorporates all limitations of claim 13 and is an apparatus corresponding to the method of claim 8. Therefore, the arguments set forth above with respect to claims 8 and 13 are equally applicable to claim 15 and rejected for the same reasons.
As per claim 18: Claim 18 incorporates all limitations of claim 13 and is an apparatus corresponding to the method of claim 11. Therefore, the arguments set forth above with respect to claims 11 and 13 are equally applicable to claim 18 and rejected for the same reasons.
As per claim 19: Claim 19 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 19 is directed to a non-transitory computer-readable medium storing code corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 19.
As per claim 20: Claim 20 incorporates all limitations of claim 19 and is a non-transitory computer-readable medium storing code corresponding to the method of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 19 are equally applicable to claim 20 and rejected for the same reasons.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Shah in view of Chumbley and in further view of US 2011/03143042 to Braams (hereinafter, “Braams”).
As per claim 4: Shah in view of Chumbley disclose all limitations of claim 3. Shah in view of Chumbley does not explicitly disclose, but Braams disclose: wherein the private key is locally unlocked on the device after the user successfully performs a facial recognition procedure, a voice recognition procedure, a fingerprint recognition procedure, a personal identification number verification procedure, a security key verification procedure, or a combination thereof (access to master secrets stored in a secure key storage require user authentication prior to performing read/execution access in the storage, wherein user authentication includes PIN, password verification, or biometrics [Braams, ¶0029]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to securely store the private key described in [Chumbley, ¶0109], such that it is only accessible through user authentication methods described in Braams. It also would have been obvious to try any well-known data access control methods to protect stored data (i.e., the private key). For example, PIN verification is simply remembering a value to enter and biometrics involve authentication aspects that are difficult to steal and replicate.
Claims 9, 10, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Shah in view of Chumbley and in further view of US 2021/00811543 to Yasuda (hereinafter, “Yasuda”).
As per claim 9: Shah in view of Chumbley disclose all limitations of claim 1. Shah and Chumbley do not explicitly disclose, but Yasuda discloses: receiving, from an administrator of the identity management platform via a second user interface configured for the identity management platform, an indication to enable passkey authentication; and enabling the passkey authentication for clients of the identity management platform in response to the administrator of the identity management platform selecting one or more user interface elements displayed in the second user interface (administrator can set a login method, through an interface (as illustrated in Fig. 6) displayed on a second terminal 30 operated by the administrator, in the information processing system for each tenant [Yasuda, ¶0134; Figs. 5-6]; tenants can represent multiple customers/users or one customer/users representing multiple tenants [Yasuda, ¶0060]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to enable manually set passkey authentication as one of the available authentication techniques compatible with the client device in the modified system of Shah in view of Chumbley. As discussed in [Shah, ¶0058], a workspace can select one or more of the compatible authentication techniques to be available for authentication. An administrator would have been able to manually select passkey authentication technique, if it was compatible with the client device in light of Shah, upon their discretion, as a preferred technique, or for security policies/design requirements. The manner of selecting the available authentication techniques would have resulted in the same results of displaying the options of capable authentication techniques of the device.
As per claim 10: Shah in view of Chumbley and Yasuda disclose all limitations of claim 9. The motivation for incorporating Yasuda in claim 9 is also applicable herein. Therefore, Yasuda discloses: wherein the one or more user interface elements comprise a checkbox, a toggle switch, a dropdown list, a button, or a combination thereof (checkboxes [Yasuda, ¶0134; Fig. 6]; furthermore, Official Notice is taken herein that the other recited elements are well-known HTML/web browser elements).
As per claim 16: Claim 16 incorporates all limitations of claim 13 and is an apparatus corresponding to the method of claim 9. Therefore, the arguments set forth above with respect to claims 9 and 13 are equally applicable to claim 16 and rejected for the same reasons.
As per claim 17: Claim 17 incorporates all limitations of claim 16 and is an apparatus corresponding to the method of claim 10. Therefore, the arguments set forth above with respect to claims 10 and 16 are equally applicable to claim 17 and rejected for the same reasons.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 11,991,165: A user equipment sends the authentication method types it is supported by as part of security capabilities to a core network. See col. 7, lines 20-28.
US 2023/0028416: A user can select different password-less sign-in alternatives for subsequent logins. See Abstract.
US 2022/0337577: A login interface displays available third-party login icons to an electronic device. See ¶0070.
US 2020/0065463: A terminal transmits biometric capability information of the terminal to an authentication server during a user’s biometric registration. The capability information refers to the biometric technologies supported by the terminal. See ¶0040.
US 2015/0257004: Different biometric login options are presented on a mobile device’s display, allowing the user to select a preferred biometric login setting. See ¶0037.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494
1 Cited in the IDS filed 3-19-2025.
2 Cited in the IDS filed 3-19-2025
3 Cited in the IDS filed 3-19-2025