DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending in this application.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/25/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-8, 10-18 and 20 /are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Tolba et al. (US 8,862,888 B2) (hereinafter, “Tolba”).
As to claim 1, Tolba discloses a computer-implemented method for authentication using a voice-based one-time password (OTP), the method comprising:
transmitting, by a computing device associated with an end-user, a message indicating an operation request to a backend server (“… receiving a user's identification and password transmitted from the user's mobile device, generating a One Time Password (OTP)” -e.g., see, Abstract; see also: “… a user's identification, such as a username or other "ID," and the user's password for the site being accessed is transmitted at 202, such as from the user's computing device (e.g., user computing device 106 of FIG. 1, for example, the user's PC), and is received by a server associated with the site, (e.g., authentication server 102 of system 100 shown in FIG. 1). At 204, an OTP is generated for the user.” -e.g., see, col. 4, lines 56-62: herein, the user’s mobile or computing device (the computing device associated with the end-user) transmits the message indicting the operation request (e.g., identification/password or access request) to the backend/authentication server)
receiving, by the computing device, an OTP request including an OTP prompt having OTP text of an OTP (“At 210, the encrypted two-dimensional barcode embodying the OTP is transmitted by the site authentication server to the computing device of the user. An image of the two-dimensional barcode displayed, such as on the user's computing device, is captured at 212 using the user's mobile device. In one implementation, for example, this is accomplished by photographing the image of the two-dimensional barcode using a camera of the user's mobile device. At 214, the two-dimensional barcode of the encrypted OTP is decoded, and the resulting encrypted string is decrypted using the user's mobile device at 216. At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text.” -e.g., see, col. 5, lines 7-22; herein, the computing device receives the OTP request (embodied as the transmitted barcode/prompt containing the OTP);
displaying, by the computing device, the OTP text of the OTP prompt at a user interface of the computing device of the end-user (“At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed.” -e.g., see, col. 5, lines 17-22; see also, claims 1 and claim 10 of Tolba; herein, he computing device (mobile device) displays the OTP text of the prompt at its user interface/screen in plain text);
obtaining, by the computing device, an audio signal including a speaker audio signal of the end-user purportedly speaking the OTP (“At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed.” -e.g., see, col. 5, lines 17-22; see also, claim 7 of Tolba; herein, the computing device obtains the audio signal by recording (via its microphone) the speaker audio signal of the end-user speaking/reading the OTP aloud);
generating, by the computing device, an OTP response corresponding to the OTP request, the OTP response including the audio signal including the speaker audio signal (“At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed.” -e.g., see, col. 5, lines 17-22; see also: “User computing device 106 also receives a two-dimensional barcode of the encrypted OTP, displays the two-dimensional barcode of the encrypted OTP for reading by user mobile device 108, records the OTP spoken by the user, and transmits the OTP to authentication server 102.” -e.g., see, col. 4, lines 24-38; herein, the computing device generates/prepares the OTP response that includes the recorded audio signal of the spoken OTP (corresponding to the received OTP request/prompt); and
transmitting, by the computing device, the OTP response to the backend server (“The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed. The spoken OTP transmitted by the user's computing device is received at 222, such by the server associated with the site being accessed.” -e.g., see, col. 5, lines 18-30; herein. The computing device transmits the OTP response (containing the spoken audio signal) to the backend/authentication server).
As to claim 11, it is rejected using the similar rationale as for the rejection of claim 1.
As to claim 2, Tolba discloses the method according to claim 1, Tolba discloses further comprising receiving, by the computing device, an authentication result for the operation request from the backend server (“The spoken OTP transmitted by the user's computing device is received at 222, such by the server associated with the site being accessed. At 224, the server, or an associated, dedicated voice recognition server, recognizes the user's voice and the OTP to authenticate the user to access the site using the user's computing device and/or the user's mobile device. This recognition of the user's voice at 224 may employ any number of biometric voice recognition techniques.” -e.g., see, col. 5, lines 23-43; herein, after the device transmits the spoken OTP response, the backend server processes it and the computing device receives the authentication result (successful authorization or verification failure) to complete access for the operation request).
As to claim 12, it is rejected using the similar rationale as for the rejection of claim 2.
As to claim 3, Tolba discloses the method according to claim 2, Tolba further discloses comprising displaying, by the computing device, the authentication result for the operation request as received from the backend server (“At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed. The spoken OTP transmitted by the user's computing device is received at 222, such by the server associated with the site being accessed. At 224, the server, or an associated, dedicated voice recognition server, recognizes the user's voice and the OTP to authenticate the user to access the site using the user's computing device and/or the user's mobile device.” -e.g., see, col. 5, lines 17-29; herein, the computing device displays the received authentication results (success/failure or access grant) at its user interface which is consistent with its role in displaying OTP and handling the full interactive flow).
As to claim 13, it is rejected using the similar rationale as for the rejection of claim 3.
As to claim 4, Tolba discloses the method according to claim 1, Tolba further discloses wherein the OTP response further includes metadata associated with the computing device of the end-user, the metadata including at least one of a user identifier of the end-user or a device identifier of the computing device (“… the two-dimensional barcode may be captured by a camera (e.g., the mobile phone's camera) and subsequently decoded and decrypted (e.g., by the phone). Further, the encryption/decryption may employ a shared-key based on the International Mobile Equipment Identity ("IMEI") of the phone and/or the International Mobile Subscriber Identity ("IMSI") of the user, which is "known" by the mobile phone and the site the user is attempting to access. A server may identify a user's mobile device through the mobile device's IMEI and/or the user's IMSI. The IMEI and/or IMSI may be extracted using the application-programming interface (API) for the mobile device's operating system.” -e.g., see, col. 2, lines 45-60; herein, The OTP response transmitted from the computing device includes metadata such as device identifier (IMEI) and/or user identifier (IMSI), which are used in the response data for identification and encryption).
As to claim 14, it is rejected using the similar rationale as for the rejection of claim 4.
As to claim 5, Tolba discloses the method according to claim 1, Tolba further discloses wherein the OTP response further includes an operation request identifier associated with the operation request (“Counter data, such as retrieved at 306 and updated at 312, may be used as a synchronization parameter between the server side and the client side. Hence, in accordance with the present systems and methods, the number of OTPs that have been generated on the server side and the number of OTPs that have been decrypted on the client side may be tracked and compared.” -e.g., see, col. 7, lines 4-11; herein, counter/synchronization data that ties requests and response across server and client side; see also: “… retrieving a number of times a one time password has been issued to the user; and incrementing a counter of the number of times a one time password has been issued to the user upon transmitting the two-dimensional barcode of the encrypted one time password to a computing device of the user.” -e.g., see, claim 5 of Tolba; herein, Tolba teaches that the OTP response includes or is associated with an identifier/context (e.g., counter or session parameter) that links it to the original operation request).
As to claim 15, it is rejected using the similar rationale as for the rejection of claim 5.
As to claim 6, Tolba discloses the method according to claim 1, Tolba further discloses wherein the computing device transmits the message indicating the operation request via at least one of a telephony channel or a data channel (“Each of user computing device 106 and/or user mobile device 108 are also in data communication with authentication server 102.” -e.g., see, col. 3, liens 61-65; herein, the computing device transmits the operation request message via data channel (or telephony channel via mobile device)).
As to claim 16, it is rejected using the similar rationale as for the rejection of claim 6.
As to claim 7, Tolba discloses the method according to claim 1, Tolba further discloses wherein the computing device receives the OTP request via at least one of a data channel or a telephony channel (“At 210, the encrypted two-dimensional barcode embodying the OTP is transmitted by the site authentication server to the computing device of the user. An image of the two-dimensional barcode displayed, such as on the user's computing device, is captured at 212 using the user's mobile device. In one implementation, for example, this is accomplished by photographing the image of the two-dimensional barcode using a camera of the user's mobile device. At 214, the two-dimensional barcode of the encrypted OTP is decoded, and the resulting encrypted string is decrypted using the user's mobile device at 216. At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text.” -e.g., see, col. 5, lines 7-22; herein, the computing device receives the OTP request/prompt via data channel (or telephony channel via mobile device)).
As to claim 17, it is rejected using the similar rationale as for the rejection of claim 7.
As to claim 8, Tolba discloses the method according to claim 1, Tolba further discloses wherein the computing device transmits the OTP response via at least one of a data channel or a telephony channel (“At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed.” -e.g., see, col. 5, lines 17-22; see also: “The spoken OTP transmitted by the user's computing device is received at 222, such by the server associated with the site being accessed. At 224, the server, or an associated, dedicated voice recognition server, recognizes the user's voice and the OTP to authenticate the user to access the site using the user's computing device and/or the user's mobile device.” -e.g., see, col. 5, lines 23-30; herein, the computing device transmits the OTP response (including the audio signal) via data channel (or telephony channel for voice/audio transmission).
As to claim 18, it is rejected using the similar rationale as for the rejection of claim 8
As to claim 10, Tolba discloses the method according to claim 1, Tolba further discloses wherein the computing device receives the OTP request containing the OTP prompt via at least one of a text message or an email message (“At 210, the encrypted two-dimensional barcode embodying the OTP is transmitted by the site authentication server to the computing device of the user. An image of the two-dimensional barcode displayed, such as on the user's computing device, is captured at 212 using the user's mobile device. In one implementation, for example, this is accomplished by photographing the image of the two-dimensional barcode using a camera of the user's mobile device. At 214, the two-dimensional barcode of the encrypted OTP is decoded, and the resulting encrypted string is decrypted using the user's mobile device at 216. At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text.” -e.g., see, col. 5, lines 7-22; see also: “At 218, the OTP is displayed, such as on a screen of the user's mobile device, in plain text. The user reads the OTP aloud at 220, such as into a microphone of the user's computing device, whereupon it may be recorded by the user's computing device and transmitted to an authentication server associated with the site being accessed.” -e.g., see, col. 5, lines 17-22; herein, Tolba teaches device display/barcode capture; which teaches mobile OTP prompt delivery).
As to claim 20, it is rejected using the similar rationale as for the rejection of claim 10.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tolba as applied to claims 1 and 11 above, and further in view of Sanin et al. (US 2014/0007213 A1) (hereinafter, “Sanin”).
As to claim 9, Tolba discloses the method according to claim 1, Tolba further discloses wherein the computing device includes and executes a mobile application associated with the backend server, and wherein the computing device receives the OTP request … (“A user may have software on his or her mobile phone, which may allow the user to enter identification ("ID") and a password ("PW"), as well as to foster secure communication with a server to complete the authentication.” -e.g., see, col. 2, lines 30-38; see also: “User mobile device 108 may include one or more processors operatively coupled to memory comprising computer program instructions executable by the one or more processors to implement operations, such as initiating contact with authentication server 102 …” -e.g., see, col. 4, lies 40-45; herein, Tolba teaches the computing device runs a mobile application/client software associated with the server and receives the OTP request).
Tolba doesn’t explicitly disclose a push notification for the mobile application.
However, in an analogous art, Sanin discloses a push notification for the mobile application (“…. push notification service further forwards the push notification to the intended computing/mobile device and application running on the device (Step 5). Here, the push notification service guarantees that the verification token will be delivered to the intended device and application combination as designated by the device token.” -e.g., see, Sanin: [0023]; see also: “… app engine 102 receives the verification token from the third-party push notification service.” -e.g., see, [0024]; herein, the mobile application on the computing device receives the OTP/authentication request as a push notification via a third-party push service).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was to modify the teaching of Tolba with the additional feature of Skerpac in order to improve real-time delivery and ensure security of the communication.
As to claim 19, it is rejected using the similar rationale as for the rejection of claim 9.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
SUMAN DEBNATH
Patent Examiner
Art Unit 2495
/S.D/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495