Prosecution Insights
Last updated: July 17, 2026
Application No. 19/123,832

A METHOD, AN APPARATUS AND A SYSTEM FOR SECURING INTERACTIONS BETWEEN USERS AND COMPUTER-BASED APPLICATIONS

Non-Final OA §102§103
Filed
Apr 24, 2025
Priority
Nov 03, 2022 — provisional 63/422,405 +1 more
Examiner
ARYAL, AAYUSH
Art Unit
2435
Tech Center
2400 — Computer Networks
Assignee
Onespan North America Inc.
OA Round
1 (Non-Final)
86%
Grant Probability
Favorable
1-2
OA Rounds
1y 2m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 86% — above average
86%
Career Allowance Rate
95 granted / 110 resolved
+28.4% vs TC avg
Moderate +8% lift
Without
With
+8.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 4m
Avg Prosecution
11 currently pending
Career history
121
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
85.3%
+45.3% vs TC avg
§102
5.8%
-34.2% vs TC avg
§112
1.1%
-38.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 110 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted on 07/31/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Allowable Subject Matter Claims 5, 11 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Regarding Claims 5, 11 and 18, prior art does not explicitly disclose wherein the request to perform the security operation defined by the security operation script comprises an identifier of the security operation script and the personal security device obtains the security operation script using the identifier of the security operation script. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claim(s) 9-10 and 12 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Forget (EP3008852). Regarding Claim 9, Forget discloses A personal security device configured to: receive from a security server a request to perform a security operation defined by a security operation script; perform the security operation script; and (Paragraph [0048] E.N. The validation challenge is sent to the validation device. By the creation of a validation challenge which is derived from the original message, the user can be ensured that this derived message comes from a trusted source with acceptable reasons to believe that it has not been altered before being presented to the user for validation as part of the signature generation process. This validation code is received at the signature creation device and must be verified before the transaction is signed by the central or local SCD.) return to the security server a security operation result of performing the security operation script. (Paragraph [0048] E.N. The verification ensures that the signature can only be generated if this verification has been successful.) Regarding Claim 10, Forget discloses the personal security device of claim 9. Forget also discloses wherein the personal security device is further configured to: obtain the security operation script defining the security operation requested by the security server. (Figure 1a E.N. The validation challenge is sent to the validation devices and by the creation of a validation challenge which is derived from the original message, the user can be ensured that the derived message comes from a trusted source.) Regarding Claim 12, Forget discloses the personal security device of claim 10. Forget also discloses wherein the request to perform the security operation defined by the security operation script (Paragraph [0048] E.N. The validation challenge is sent to the validation device) comprises the security operation script and the personal security device obtains the security operation script from the request to perform the security operation. (Figure 1a E.N. The validation challenge is sent to the validation devices and by the creation of a validation challenge which is derived from the original message, the user can be ensured that the derived message comes from a trusted source.) Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-4, 6-8 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Forget (EP3008852) in view of Greenberg (US20200327589). Regarding Claims 1 and 14 Forget discloses A system for securing interaction of a user with a computer-based application, the system comprising: a security server configured to: (Paragraph [0023] E.N. The signature server may comprise a separate authentication and validation server.) receive from the computer-based application a request to perform a security task for the user; EP3008852 (Paragraph [0028] E.N. The validation challenge may be sent direct or indirect to the second user device, e.g. the validation challenge may be sent via the first user device. The method may further comprise reformatting the validation challenge as a barcode (e.g. QR code) which is readable by the second user device. The barcode may be displayed on the first user device to be read by the second user device.) send to a personal security device of the user a request to perform a security operation defined by the security operation script; (Paragraph [0048] E.N. The validation challenge is sent to the validation device) receive from the personal security device a security operation result of performing the security operation script; (Paragraph [0048] E.N. If the user recognizes the transaction, he approves it on the Validation Device in which case a unique validation code is generated. This validation code is received at the signature creation device.) determine a security task result as a function of the security operation result; and return the security task result to the computer-based application. (Paragraph [0048] E.N. Must be verified before the transaction is signed by the central or local SCD.) Forget does not, but in related art, Greenberg discloses identify a security operation script corresponding to the security task; (Paragraph [0036] E.N. The user presents a form of identification to the merchant and receives, from the merchant, information (e.g. a verification code) that provides verification that the user satisfies the purchase restriction.) Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Forget to incorporate the teachings of Greenberg because Forget does not explicitly disclose identify a security operation script corresponding to the security task which is taught by Greenberg. Incorporating the teachings of Greenberg to Forget allows for the system to identify scripts that may be used for conducting security tasks to determine the authentication/verification of the user/application. Regarding Claims 2 and 15 Forget in view of Greenberg discloses the system of claim 1 and the method of claim 14. Forget further discloses wherein the security server is further configured to: identify from among a plurality of personal security devices the personal security device associated with the user; (Paragraph [0020] E.N. The signature is preferably an advanced electronic signature, i.e. one which is uniquely linked to the signatory, is capable of identifying the signatory, is created using means that the signatory can maintain under his sole control and is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.) wherein the request to perform the security operation defined by the security operation script is sent by the security server to the identified personal security device associated with the user. (Paragraph [0048] E.N. The validation challenge is sent to the validation device. By the creation of a validation challenge which is derived from the original message, the user can be ensured that this derived message comes from a trusted source with acceptable reasons to believe that it has not been altered before being presented to the user for validation as part of the signature generation process. This validation code is received at the signature creation device and must be verified before the transaction is signed by the central or local SCD.) Regarding Claims 3 and 16, Forget in view of Greenberg discloses the system of claim 1 and the method of claim 14. Forget further discloses wherein the system further comprises: the personal security device of the user, wherein the personal security device of the user is configured to: receive from the security server the request to perform the security operation defined by the security operation script; perform the security operation script; and (Paragraph [0048] E.N. The validation challenge is sent to the validation device. By the creation of a validation challenge which is derived from the original message, the user can be ensured that this derived message comes from a trusted source with acceptable reasons to believe that it has not been altered before being presented to the user for validation as part of the signature generation process. This validation code is received at the signature creation device and must be verified before the transaction is signed by the central or local SCD.) return to the security server a security operation result of performing the security operation script. (Paragraph [0048] E.N. The verification ensures that the signature can only be generated if this verification has been successful.) Regarding Claims 4 and 17, Forget in view of Greenberg discloses the system of claim 3 and the method of claim 14. Forget further discloses wherein the personal security device is further configured to: obtain the security operation script defining the security operation requested by the security server. (Figure 1a E.N. The validation challenge is sent to the validation devices and by the creation of a validation challenge which is derived from the original message, the user can be ensured that the derived message comes from a trusted source.) Regarding Claims 6, Forget in view of Greenberg discloses the system of claim 1. Forget further discloses receive from the security server the request to perform the security operation defined by the security operation script; perform the security operation script; and (Paragraph [0048] E.N. The validation challenge is sent to the validation device. By the creation of a validation challenge which is derived from the original message, the user can be ensured that this derived message comes from a trusted source with acceptable reasons to believe that it has not been altered before being presented to the user for validation as part of the signature generation process. This validation code is received at the signature creation device and must be verified before the transaction is signed by the central or local SCD.) return to the security server a security operation result of performing the security operation script. (Paragraph [0048] E.N. The verification ensures that the signature can only be generated if this verification has been successful.) Forget does not, but in related art, Greenberg discloses wherein the system further comprises: a plurality of personal security devices including the personal security device of the user, each of the plurality of personal security devices configured to: (Paragraph [0022] E.N. Some example implementations described herein concern a single transaction device, transaction authorization platform, transaction card, user device, and/or user, but implementations may include a plurality of transaction devices, transaction authorization platforms, transaction cards, user devices, and/or users. In some implementations, the transaction device, the transaction authorization platform, and/or the user device may be connected via a network, such as the internet, an intranet, and/or the like.) Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Forget to incorporate the teachings of Greenberg because Forget does not explicitly disclose a plurality of personal security devices which is taught by Greenberg. Incorporating the teachings of Greenberg to Forget allows for the system to identify multiple security devices and determine which devices have access to certain permissions/applications. Regarding Claims 7, Forget in view of Greenberg discloses the system of claim 6. Forget further discloses wherein each of the plurality of personal security devices is configured to: obtain the security operation script defining the security operation requested by the security server. (Figure 1a E.N. The validation challenge is sent to the validation devices and by the creation of a validation challenge which is derived from the original message, the user can be ensured that the derived message comes from a trusted source.) Regarding Claims 8 and 20, Forget in view of Greenberg discloses the system of claim 1 and the method of claim 14. Forget does not, but in related art, Greenberg discloses wherein the security task is associated with transaction data, the security operation script is a micro application (u-app) that provides instructions to the personal security device for processing the transaction data, and the p-app does not include the transaction data. (Paragraph [0084] E.N. Receiving transaction data relating to a transaction event involving a transaction card, wherein the transaction card stores user data associated with a user of the transaction card, and wherein the transaction data includes the user data and a category identifier of a merchant. For example, the transaction authorization platform may receive transaction data relating to a transaction event involving a transaction card.) Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Forget to incorporate the teachings of Greenberg because Forget does not explicitly disclose security task associated with transaction data which is taught by Greenberg. Incorporating the teachings of Greenberg to Forget allows for the system to associate security tasks with transactional data for better authentication/verification. Regarding Claim 13, Forget discloses the personal security device of claim 9. Forget does not, but in related art, Greenberg discloses wherein the security operation script is a micro application (u-app) that provides instructions to the personal security device for processing transaction data associated with a security task and the p-app does not include the transaction data. (Paragraph [0084] E.N. Receiving transaction data relating to a transaction event involving a transaction card, wherein the transaction card stores user data associated with a user of the transaction card, and wherein the transaction data includes the user data and a category identifier of a merchant. For example, the transaction authorization platform may receive transaction data relating to a transaction event involving a transaction card.) Therefore, it would be obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to have modified Forget to incorporate the teachings of Greenberg because Forget does not explicitly disclose security task associated with transaction data which is taught by Greenberg. Incorporating the teachings of Greenberg to Forget allows for the system to associate security tasks with transactional data for better authentication/verification. Regarding Claim 19, Forget in view of Greenberg discloses the method of claim 17. Forget further discloses wherein the request to perform the security operation defined by the security operation script comprises the security operation script and the personal security device obtains the security operation script from the request to perform the security operation. (Figure 1a E.N. The validation challenge is sent to the validation device. By the creation of a validation challenge which is derived from the original message, the user can be ensured that this derived message comes from a trusted source with acceptable reasons to believe that it has not been altered before being presented to the user for validation as part of the signature generation process.) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AAYUSH ARYAL whose telephone number is (571)272-2838. The examiner can normally be reached 8:00 a.m. - 5:30 p.m.. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AAYUSH ARYAL/Examiner, Art Unit 2435 /AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435
Read full office action

Prosecution Timeline

Apr 24, 2025
Application Filed
Jul 01, 2026
Non-Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12675592
SYSTEM AND METHOD FOR OPTIMIZED METRIC DISPLAY
2y 6m to grant Granted Jul 07, 2026
Patent 12664292
ROBOTIC PROCESS AUTOMATION DRIVEN CONDITIONAL FORMATTING RULES FOR USER INTERFACES
2y 1m to grant Granted Jun 23, 2026
Patent 12665759
SECURE MODEL AGGREGATION METHOD AND APPARATUS
1y 7m to grant Granted Jun 23, 2026
Patent 12659156
COMMUNICATION METHOD, COMMUNICATION PROGRAM, AND AUTOMATIC TELLER MACHINE
1y 11m to grant Granted Jun 16, 2026
Patent 12608497
CENTRAL DATA PROTECTION AND PRIVACY FRAMEWORK
2y 4m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
86%
Grant Probability
95%
With Interview (+8.5%)
2y 4m (~1y 2m remaining)
Median Time to Grant
Low
PTA Risk
Based on 110 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month