DETAILED ACTION
This is a non-final office action on the merits. The U.S. Patent and Trademark Office (the Office) has received claims 1-18 in application number 16/428,530
Claims 1-18 are pending and have been examined on the merits.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim objections
Claims 10, 12-13, and 15 are objected to because of the following informalities:
For claims 10, 12-13, and 15, applicant may have intended “The service provider of claim 8” to read as “The service provider computer of claim 9.” Similarly, applicant may have intended claims 11, 14, and 16 to refer to the “service provider computer” introduced in claim 9.
Appropriate correction is appreciated.

Claim Rejections - 35 USC § 112 second paragraph
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

 Claim 8 is rejected under 35 U.S.C. § 112(b) or 35 U.S.C.
§ 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 
Regarding claim 8. Claim 8 is indefinite because the direct object of the verb “providing” in the phase “providing login credentials to the one or more application servers to obtain the context data from the one or more application server” is indefinite. The claim might be interpreted to require “[the service provider] providing login credentials to the one or more application servers to obtain the context data from the one or more application server” consistent with limitation of claim 7 (on which claim 8 dependent on) “[the service provider] obtaining context data from the one or more supplemental devices comprises contacting one or more application servers associated with the one or more supplemental devices.” Alternatively, the claim might be interpreted to require “[the user] providing login credentials to the one or more application servers to obtain the context data from the one or more application server” consistent with portions of Applicant’s disclosure describing “In this example, the user may provide login credentials for the account maintained by an application server.” (App. Spec. 0057). Is the service provider providing the login credential to the application server to obtain the context data from the application server, or the user providing the login credential to the application server to obtain the context data from the application server? Both interpretations are reasonable based on the claim language, and both interpretations are consistent with the originally filed disclosure. 
As best understood by the Examiner, and for purpose of examination and compact prosecution, claim 8 will be interpreted as reciting ““[the user] providing login credentials to the one or more application servers to obtain the context data from the one or more application server”. Nonetheless, appropriate correction or clarification is requested and appreciated.

Claim Rejections – 35 U.S.C. § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-18 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to an abstract idea without significant more.
Regarding Claims 1-18. As discussed in MPEP § 2106 as revised by the 2019 Revised Patent Subject Matter Eligibility Guidance ("2019 PEG")1, when considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (i.e., Step 1). If the claim does fall within one of the statutory categories, it must then be determined whether the claim recites a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (i.e., Step 2A.1) and whether the exception is integrated into a practical application (i.e., Step 2A.2). With respect to Step 2A.1, the 2019 PEG extracts and synthesizes key concepts identified by the courts as abstract ideas to explain that the abstract idea exception includes the following groupings of subject matter, when recited as such in a claim limitation(s): mathematical concepts, certain methods of organizing human activity, and mental processes.2 With respect to Step 2A.2, elements that are indicative of integration into a practical application are discussed in MPEP § 2106.05(a), (b), (c), and (e)3. Elements that are not indicative of integration into a practical application are discussed in MPEP § 2106.05(f), (g), and 4 If the exception is not integrated into a practical application, the claim is found to be directed to the exception. It must then be determined whether the claim otherwise contains any additional elements or combination of additional elements sufficient to ensure that the claim recites an inventive concept, i.e., amounts to significantly more than the exception itself (i.e., Step 2B). Revised Step 2A overlaps with Step 2B, and thus, many of the considerations need not be reevaluated in Step 2B because the answer will be the same. However, a conclusion under revised Step 2A that an additional element was insignificant extra-solution activity should be reevaluated in Step 2B to determine if the element(s) are well-understood, routine, and conventional in the relevant field as discussed in MPEP § 2106.05(d).5
Analysis
In the present application, claims 1-8 are directed to a process (i.e., method); claims 9-16 are directed to a machine (i.e., computer comprising a processor); claims 17-18 are directed to another process (i.e., method). Thus, the eligibility analysis proceeds to Step 2A.1.
The limitations of independent claim 9, which is representative of independent claim 1, have been denoted with letters by the Examiner for easy reference. The judicial exceptions recited in claim 9 are identified in bold below:
[A] A service provider computer comprising: a processor; and a memory including instructions 
      that, when executed with the processor, cause the service provider computer to, at least:

[B] maintain an association between one or more supplemental devices and a user, the one 
      or more supplemental devices configured to provide biometric information associated 
      with the user;

[C] receive an authorization request message associated with a transaction;

[D] determine, based on the authorization request message, a level of risk associated with 
       the transaction;

upon determining that the level of risk is greater than a threshold value: obtain context 
     data from the one or more supplemental devices that corresponds to a time of the  
     transaction;

[F] determine a degree to which the context data supports an authenticity of the user;

[G] adjust the level of risk by the degree to which the context data
       supports tt1e authenticity of the user; and

[H] approve the transaction if the adjusted level of risk is less than the
      threshold value.

Claim 9 recites an apparatus (A) by which the risk of a transaction can be preliminary assessed 
(B, C, D) and based on the risk level, further data information associated with the transaction can be required (E, F) to make a decision on whether to approve the transaction (G, H). When considered as a whole, limitations B through H under the broadest reasonable interpretation covers steps of functions can be reasonably performed to organize human activity. Other than reciting generic computer hardware in limitations A, nothing in the claim element differentiates the limitation from processes that can reasonably performed to organize human activity. For example, the disclosure establishes the context of preventing fraudulent transaction while reducing the probability of declining transactions made by authenticated user.  (App. Spec. 0001). Traditionally, processing transactions has been one that relied upon managing relationships or transactions between people (e.g., merchant, customer, etc.) and/or financial institutions (e.g., issuer bank, acquirer bank, etc.), satisfying legal obligations/commercial obligations and mitigating risk. All of these concepts related to a business process designed to manage risk while attempting to enforce commercial and legal obligations. The concept of claim 1 is not meaningfully different from the concepts above because it is directed to mitigating risk and recites steps of mitigating risks occurred during payment processing by adopting a two-step authentication protocol. Therefore, claim 1 is directed to a business process designed to manage risk while attempting to enforce commercial and legal obligations, which fits squarely within the “certain methods of organizing human activity” grouping of abstract ideas.
	In addition, imitations D and E recite determining a level or risk of the transaction and determining a degree to which the user data supports the authenticity of the user, which can be reasonably performed in the human mind. The rationale to determine the level or risk, or the degree of user authenticity as described in the specification, is subjective. The specification indicates that the level of risk can be determined by a user’s transaction history (App. Spec. 0049). For example, a transaction involving luxury goods by a frugal person may be considered has a higher level or risk. Likewise, the specification describes that the degree to which the user data supports the authenticity of the user can be determined by the devices sent those data (App. Spec. 0051). All these decisions are made based on subjective standards either directly through observation or through the recommendations (i.e., judgments, evaluations) of other humans. Therefore, limitations D and E recite an abstract idea that is consistent with the observation, evaluation, and judgment aspect of a mental process.
	Accordingly, claim 1, and by analogy similar to claim 9, recite at least two abstract ideas and the analysis is proceed to Step 2A.2
	The judicial exception is not integrated into a practical application. In particular, claim 9 recites the additional elements in bold below:
[A] A service provider computer comprising: a processor; and a memory including 
      instructions that, when executed with the processor, cause the service provider 
      computer to, at least:

[B] maintain an association between one or more supplemental devices and a user, the one or 
      more supplemental devices configured to provide biometric information associated with          
      the user;

[C] receive an authorization request message associated with a transaction;

[D] determine, based on the authorization request message, a level of risk associated with the 


[E] upon determining that the level of risk is greater than a threshold value: obtain context data 
      from the one or more supplemental devices that corresponds to a time of the transaction;

[F] determine a degree to which the context data supports an authenticity of the user;

[G] adjust the level of risk by the degree to which the context data supports tt1e authenticity of 
      the user; and

[H] approve the transaction if the adjusted level of risk is less than the threshold value.

The additional elements in limitation A are recited at a high level of generality (e.g., consistent with Applicant’s specification at 0077-79). The “supplemental device” from which context data are obtained is defined in the specification as “any electronic device capable of obtaining context data and conveying the context data to another electronic device” (App. Spec. 0026). In other words, a generic device that transmits data.  As such, when the additional elements are considered individually and as an ordered combination, the claim as a whole amounts to no more than or mere instructions to operations to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. Accordingly, the additional element(s) do not integrate the abstract idea into a practical application because they do not recite any additional elements indicative of integration into a practical application. Rather, the claim as a whole generally links the judicial exception to a technological environment defined by high level recitations of a computer. Therefore, the claim is directed to an abstract idea and the analysis proceeds to Step 2B. 
The additional elements, both individually and as an ordered combination, do not amount to significantly more than the judicial exception because the outcome of the considerations at Step 2B will be the same when the considerations from Step 2A.2 are reevaluated. As discussed under Step 2A.2, the additional element(s) amount to no more than generally link the abstract idea to a technological environment through steps performed by a generic computer. Because 
Dependent claim 2 recites a standard by which the degree of the context data’s authenticity can be evaluated, which merely elaborates limitation F of claim 9 without changes or impacts the abstract idea directed by claim 9. The standard recited by claim 2 is only associated with the type of the supplemental device and a decision based on that standard can be made entirely in human mind. Therefore, claim 2 is ineligible.
Dependent claim 3 recites the supplemental device can be an Internet of Thing (IoT). The recitation of IoT is merely enumerating a specific type of device can be used in a business process and does not change the abstract idea. Therefore, claim 3 is ineligible.
Dependent claim 4 recites the data type that may be used as context data, but the source or character of the information does not distinguish the judicial exception from an ordinary mental process, i.e., the abstract idea of itself or method of organizing manual or mental activity of a person should be performed the same regardless of what information is used to be subject to that abstract idea. Claim 4 does not recite any additional elements, and does not add anything in combination with claim 1.
Dependent claims 5-6 and 13-14 further directed to what the threshold identified in claim 1 represents (i.e., a level or risk a service provider is willing to take) and how the level of risk is determined. Merely explaining what does threshold mean (claim 5) does not significantly or meaningfully transform the judicial exception identified in claim 1. Furthermore, claims 6, and 13-14 recites other rules by which a level or risk is determined. This is a variation and elaboration of limitation D of the abstract idea identified in claim 1, but fails to recite any 
Dependent claims 7-8 further recite contacting data provider and providing login credential to obtain data, which relates to managing personal behavior or relationship or interactions between people and transactions between individuals and fall within “certain methods of organizing human activity” as described with respect to claim 1 above. Claims 7-8 add that to obtain context data, the service provider needs to be contacted by providing login credentials. This also relates to transactions between individuals and is not meaningfully different from managing personal interaction between people. The limitations of claims 7-8 do not recite any additional elements for consideration under Step 2B and therefore do not recite anything that can transform the judicial exception into eligible subject matter. Therefore claims 7-8 are not eligible.
Dependent claims 10 and 12 recite at a high level of generality that the association between supplemental devices and a resource provider is maintained by the service provider and is established when user enrolled the supplemental device with the service provider and does not implicate any specific technological elements, the Examiner concludes that there is nothing in the claims to transform the abstract idea into eligible subject matter. 
Dependent claim 11 repeats limitation F of claim 9 and the association between the resource provider and the supplemental device as identified in claim 10. Claim 11 further recites the resource provider is indicated in the authorization request message. As discussed before, the source or character of the data information (i.e., message) does not distinguish the judicial exception from an ordinary mental process, i.e., the abstract idea of itself or method of 
Dependent claims 15-16 further recite the degree to which the context data supports an authenticity of the user is a numeric value and an adjusted level of risk is obtained by subtracting that numeric value from initial level risk, which is merely reciting mathematical concepts. There is nothing in the additional elements or combination of elements in claims 15-16 that improves a technology or technological field or amounts to an unconventional step or limitation that transforms the abstract idea as discussed above. Accordingly, claims 15-16 are ineligible.
Independent claim 17 merely repeats limitations C-H of claim 9 by replacing some terms recited in claim 9 with more generic terms. For example, the term “service provider computer” recited in claim 9 is replaced with “processor computer,” “level of risk” recited in claim 9 is replaced with “interaction,” and “the level of risk is greater than a threshold value” recited in claim 9 is replaced with “the indication is uncharacteristic for the user.” Besides rephrasing these caved-out limitations from claim 9 and using more generic terms, claim 17 does not recite any additional elements for consideration under Step 2B and therefore claim 17 is ineligible.
Dependent claim 18 recites the information as identified in claim 17 includes context data.  As discussed before, the source or character of the information does not distinguish the judicial exception from an ordinary mental process, i.e., the abstract idea of itself or method of organizing manual or mental activity of a person should be performed the same regardless of what information is used to be subject to that abstract idea. Claim 18 does not recite any additional elements, and does not add anything in combination with claim 17.
Conclusion
In summary, the claims 1-18 considered both individually and as an ordered combination do not provide meaningful limitations to transform the abstract idea into a patent eligible application of the abstract idea such that the claims amount to significantly more than the abstract idea itself. The claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment. Therefore, the claims 1-18 are rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-7, 9-12, 15-18 are rejected under 35 U.S.C. § 103 over Zhang (U.S Patent Application Publication 2015/0186892A1) in view of Cao  (U.S Patent Application Publication 2020/2020/0153821)
Regarding independent claims 1 and 9. Zhang—which like the present invention is directed to a method and system for reducing false declines of transactions by requiring a secondary authorization of the transaction —discloses (in italics):
(Claim 1) A method comprising:
[In order to address the problems stated in the back ground section, the embodiments of the present disclosure provide methods and systems for real-time verification of a transaction. (Zhang 0005)]
(Claim 9) A service provider computer comprising: a processor; and a memory including instructions that, when executed with the processor, cause the service provider computer to, at least:
[In some embodiments, a method of real-time bio metric verification of a transaction is performed at a server system (e.g., server system 108, FIGS. 1-2) with one or more processors and memory. (Zhang 0006)]
(Claims 1 and 9 ) maintaining, at a service provider, an association between one or more supplemental devices and a user device, the one or more supplemental devices configured to provide biometric information associated with a user of the user device;
[For example, in response to selection of remote entry affordance 516-1, biometric information (e.g., voice input) associated with information items 512-1 is input via the user's mobile device (i.e., the second device) and checked by server system 108. (Zhang 0096); Attention is now directed towards embodiments of user interfaces and associated processes that may be implemented on a respective client device 104 with one or more speakers 602 enabled to output sound, zero or more microphones 604 enabled to receive sound input, and a touchscreen 606 (sometimes also herein called a touch screen display) enabled to receive one the service server sends the voice verification request to the voice processing system. The Voice verification request instructs the Voice processing system to establish Voice communication with the user using the Voice contact information included in the Voice verification request. In an optional embodiment, the voice verification request further includes Verification content information (e.g., transaction amount, date of birth, security question, and so on), which is used by the Voice processing system to prompt the user to provide verification information that corresponds to the verification content information. In some embodiments, the Voice processing system establishes (708) voice communication with client device 104. In some embodiments, the Voice processing system establishes voice communication with client device 104 according to the Voice contact information included in the Voice verification request. (Zhang 0112-13)]
 (Claims 1 and 9 ) receiving, at the service provider, an authorization request message associated with a transaction;
[In some embodiments, the service server obtains (702) a service request submitted by a user at client device104. In some embodiments, the user uses a user terminal Such as a mobile phone, a personal computer, and a tablet computer to submit the service request to the service server through a payment/transaction application, a service Submission web page, an instant messaging client, a simple notification Service (SNS) client, or the like. In some embodiments, the service request includes a login request, a transaction request, a payment request, a session request, and the like, where the transaction request and the payment request 
(Claims 1 and 9 ) determining, based on the authorization request message, a level of risk associated with the transaction;
[In some embodiments, the service server detects (704) a security risk in the service request. In some embodiments, in accordance with a preset risk assessment mechanism, the service server performs a risk assessment process on the service request. For example, the service server determines whether the payment amount of the service request exceeds a daily payment limit predetermined by the user, whether a previous login of the user to the service server had a security risk, whether the good or service corresponding to the service request has a security risk, or the like. (Zhang 0109); If the service server determines that the service request has a security risk, the service server performs step 706. Additionally and/or optionally, in some embodiments, the service server further assigns a security risk level to the service request according to the preset risk assessment mechanism. For example, the security risks are classified into high, medium, and low risk levels. If the service request is assigned a high risk level, the service server rejects the service request. If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the service processing is successful. If the service request is assigned a medium risk level, the service server performs step 706. (Zhang 0110)]
(Claims 1 and 9 ) upon determining that the level of risk is greater than a threshold value: obtaining context data from the one or more supplemental devices that corresponds to a time of the transaction: 
In accordance with a determination that the security level for the transaction meets (1006) a predetermined criterion, the server system: instructs (1008) the first device to Suspend the transaction and to display a first interface on the first device indicating Suspension of the transaction and sends (1010) a confirmation request to a second device associated with the account to request voice verification for the transaction. In some embodiments, the transaction meets the predetermined criterion when the security risk assigned to the transaction by security determination module 224 is a high or medium level risk.  (Zhang 0155)]
(Claims 1 and 9 ) determining a degree to which the context data supports an authenticity of the user;
[In some embodiments, the service server performs (714) service processing on the service request according to the verification information from the user. In some embodiments, the service server verifies the obtained verification information by determining whether the verification information is the same as the related information corresponding to the service request (e.g., by comparison). (Zhang 0117); alternatively and/or additionally, in some embodiments, the Verification information includes Voice information from the user. In this event, the service server performs voice recognition on the voice information to verify that the Voice signature in the Voice information matches a voice signature corresponding to the user of the account used to initiate the transaction. (Zhang 0118); if the verification succeeds, the security risk is downgraded by one level; in other words, it is determined that the current service request has a lower risk. If the verification fails,
(Claims 1 and 9 ) adjusting the level of risk by the degree to which the context data supports the authenticity of the user: and
[Further, in some embodiments, the service server adjusts the security risk level assessment of the current Service request according to the verification result. For example, if the verification succeeds, the security risk is downgraded by one level; in other words, it is determined that the current service request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current service request has a higher risk. (Zhang 0119]
(Claims 1 and 9) approving the transaction if the adjusted level of risk is less than the threshold value.
[Further, in some embodiments, the service server adjusts the security risk level assessment of the current Service request according to the verification result. For example, if the verification succeeds, the security risk is downgraded by one level; in other words, it is determined that the current service request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current service request has a higher risk. (Zhang 0119); Additionally and/or optionally, in some embodiments, the service server further assigns a security risk level to the service request according to the preset risk assessment mechanism… If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the service processing is successful. (Zhang 0110)]
However, Zhang does not expressly disclose the one or more supplemental devices is associated with a user device. 
italics):
(Claims 1 and 9) maintaining, at a service provider, an association between one or more supplemental devices and a user device, 
[It should be understood that the user 112 is associated with an account for the skill 126 (i.e., a capability of VID 114), whereby a backend for the skill 126, such as, for example, the issuer 108, is permitted to identify the user 112. That is, the user 112 has registered for an account with the backend for the skill 126, such that the skill 126 is linked to the account (e.g., includes an account number, an email contact, a phone number, etc.). In addition, as described above, the user 112 is also associated with an account for the voice interactive device 114 (VID 114), whereby the VID server 128 associates the user 112 (and certain information about the user 112) with the VID 114. (Cao 0074]
	Thus, Zhang shows it was known in the art before the effective filling date of the invention to operate a system and method for a two-step authentication including user biometric data authentication. Once a transaction is provisionally declined, the system in Zhang obtains voice verification of the transaction for further authentication. The system is capable of obtaining the voice verification through a voice capture module (which includes one or more input devices, e.g., a microphone) to which a user can provide audio data. Zhang discloses that it functions using the voice capture module that can collect voice information from the user for authenticating the user identity. Cao shows it was known to associate voice interactive device (VID) to a user (and certain information about the user). By going into more details regarding how the voice capture module is related to the user, Cao complements the voice capture module 
	Therefore, before the effective filing data of the invention it would have been obvious to a person having ordinary skill in the art to associate one or mode voice input devices with user devices taught by Zhang using the association techniques taught by Cao, because the combination of these references is merely a combination of prior arts elements according to known methods to yield predictable results. 

Regarding claim 2. Zhang in view of Cao teaches all the limitation of claim 1, Cao further teaches (in italics):
the degree to which the context data supports the authenticity of the user is weighted based on a type of supplemental device from which the context data was received. [For example, a risk score, for a given transaction, may be determined based on whether the specific transaction is a transaction commonly performed on the type of the VID 114 (e.g., a smart speaker, etc.) (Cao 0095]

Regarding claim 3. Zhang in view of Cao teaches all the limitation of claim 1, Cao further teaches (in italics):
at least one of the one or more supplemental devices is an Internet of Things (loT) device.
[For example, a voice interactive device (VID) (e.g., a smart speaker, a vehicle with a voice interface, or an internet of things (IoT) device with a voice interface, etc.), which receives the voice command for the interaction, may authenticate the user through a voice reference for the user (either directly on the VID, or through a network - based authentication service (e.g., a cloud service, etc.)). (Cao 0016)]

Regarding claim 4. Zhang in view of Cao teaches all the limitation of claim 1, Zhang further teaches (in italics):
the context data comprises at least one of audio data, image data, biometric data, or user action data. [Alternatively, in some embodiments, the user pro vides the verification information to the Voice processing system by means of voice. (Zhang 0115)]

Regarding claim 5. Zhang in view of Cao teaches all the limitation of claim 1, Zhang further teaches (in italics):
the threshold value represents a level of risk that the service provider is willing to undertake. [For example, the security risks are classified into high, medium, and low risk levels. If the service request is assigned a high risk level, the service server rejects the service request. If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the service processing is successful. If the service request is assigned a medium risk level, the service server performs step 706. (Zhang 0110)]

Regarding claim 6. Zhang in view of Cao teaches all the limitation of claim 1, Zhang further teaches (in italics):
the level of risk associated with the transaction is determined based at least in part on historical transaction data for the user. [In some embodiments, the service server detects (704) a security risk in the service request. In some embodiments, in accordance with a preset risk assessment mechanism, the service server performs a risk assessment process on the service request. For example, the service server determines whether the payment amount of the service request exceeds a daily payment limit predetermined by the user, whether a previous login of the user to the service server had a security risk, whether the good or service corresponding to the service request has a security risk, or the like. (Zhang 0110)]

Regarding claim 7. Zhang in view of Cao teaches all the limitation of claim 1, Cao further teaches (in italics):
obtaining context data from the one or more supplemental devices comprises contacting one or more application servers associated with the one or more supplemental devices.
 [The VID 114 also includes a skill 126 (e.g., an application that runs on the VID 114, alone or in combination with potentially multiple applications; etc.) that configures the VID 114 to interact with the user 112 and / or a third party, as described herein. (Cao 0027); For example, the authentication service 122 and/or the voice recognition service 124 may be included in the VID 114 in one or more embodiments, or more likely, the payment network 106, in various embodiments, whereby the payment network 106 is configured to provide associated services in connection with authentication requests (in connection with an interaction with the VID 114),  as such, in response to the command, the VID 114 is configured, by the skill 126, to request that the VID server 128 authenticate the user 112. The request is associated with identifying information about the user 112, such as, for example, an account number of an account at the VID server 128 for the user 112 or other information specific to the user 112 and known to the VID server 128. In response, the VID server 128 is configured to identify the user 112, based on the account number, email address, device information, etc. included in the request and to request an authentication input from the user 112, at the communication device 130 (rather than at the VID 114) (e.g., via the application 132 , etc.).The communication device 130, in turn, is configured (e.g., generally, or by the application 132, etc.) to solicit an authentication input (e.g., a PIN, a passcode, an OTP, etc.) from the user 112 and to verify the authentication input once received. (Cao 0054-55)]

Regarding claim 10. Zhang in view of Cao teaches all the limitation of claim 9, Cao further teaches (in italics):
the instructions further cause the service provider computer to maintain an association between one or more additional supplemental devices and at least one resource provider [It should be appreciated that while the VID server 128 is illustrated as separate from the merchant 102, in one or more embodiments, the merchant 102 and the VID server 128 may be integrated at least in part (whereby the VID server 128 may be configured to facilitate purchases of products from the merchant 102, etc.). For example, the Alexa™ speaker by Amazon provides the Amazon™ online store through the Alexa™ speaker, whereby the backend for the Alexa™ speaker may then be both a backend, as described, and also a merchant, etc. (Cao 0028)]

Regarding claim 11. Zhang in view of Cao teaches all the limitation of claim 9, Zhang further teaches (in italics):
obtain additional context data from at least one of the one or more additional supplemental devices, the at least one of the one or more additional supplemental devices comprising supplemental devices associated with a resource provider indicated in the authorization request message. [the service server sends (706) a voice verification request to the voice processing system. (Zhang 0110); the voice verification request further includes Verification content information (e.g., transaction amount, date of birth, security question, and so on), which is used by the Voice processing system to prompt the user to provide verification information that corresponds to the verification content information. (Zhang 0112)]
Cao further teaches (in italics):
obtain additional context data from at least one of the one or more additional supplemental devices, the at least one of the one or more additional supplemental devices comprising supplemental devices associated with a resource provider indicated in the authorization request message. [The VID 114 also includes a skill 126 (e.g., an application that runs on the VID 114, alone or in combination with potentially multiple applications; etc.) that configures the VID 114 to interact with the user 112 and/r a third party, as described herein… Other skills may be included at the VID 114, for example , and may be associated with other entities or capabilities, such as mobile telecommunication providers, utilities, other banking institutions, vehicles, smart home retailers, merchants, etc. (Cao 0028); Regardless of whether the authentication request (AReq) is from the merchant 102 or the VID server 128, the AReq includes the detail of the transaction or transfer, including, without limitation , an amount of the transaction/transfer , a date/time, a payment account credential (e.g., a token, etc.), merchant data (e.g., a name or ID of the merchant 102, a MCC for the merchant 102 , etc.), etc. (Cao 0094)]

Regarding claim 12. Zhang in view of Cao teaches all the limitation of claim 9, Cao further teaches (in italics):
the association between one or more supplemental devices and the user is established when the user enrolls the one or more supplemental devices with the service provider computer.
 [The VID server 128 is configured to maintain an account for the user 112, whereby interactions between the VID 114 and the user 112 may be associated with the user's account and/or based on information contained in the user's account, as described below. In general, the user 112 registers for the account with the VID server 128 through the VID 114, or through a communication device associated with the user 112 (e.g., communication device 130 via an application included therein, etc.), whereby the VID 114 and / or the VID server 128 is configured to solicit and receive information associated with the registration from the user 112, etc. The account may include (without limitation) a name, billing or account may include (without limitation) a name, billing or shipping addresses, a phone number, an email address, etc., for the user 112. (Cao 0028); For example, during a setup and/or registration of the VID 114 (e.g. , with the VID server 12 , etc.), the VID 114 is configured to solicit inputs from the user 112 to register the VID 114 to the user 112 and create an account associating and/or binding the user 112 and the VID 114. (Cao 0038)]

Regarding claim 15. Zhang in view of Cao teaches all the limitation of claim 9, Zhang further teaches (in italics):
the degree to which the context data supports the authenticity of the user comprises a numeric value by which the level of risk should be adjusted. [Further, in some embodiments, the payment server adjusts the security risk level assessment of the current payment request according to the Verification result. For example, if the verification Succeeds, the security risk is downgraded by one level; in other words, it is determined that the current payment request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current payment request has a higher risk. In some embodiments, the payment server sends (818) an online payment result to the first device. (Zhang 0132)]

Regarding claim 16. Zhang in view of Cao teaches all the limitation of claim 15, Zhang further teaches (in italics):
adjusting the level of risk by the degree to which the context data supports the authenticity of the user comprises subtracting the numeric value from the level of risk. [Further, in some embodiments, the payment server adjusts the security risk level assessment of the current payment request according to the Verification result. For example, if the verification Succeeds, the security risk is downgraded by one level; in other words, it is determined that the current payment request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current payment request has a higher risk. In some embodiments, the payment server sends (818) an online payment result to the first device. (Zhang 0132)]

Regarding claim 17. Zhang in view of Cao teaches all the limitation of claim 1, Zhang further teaches (in italics):
receiving, by a processor computer, an authorization request message comprising interaction data for an interaction between a user and a resource provider;
[A user submits (802) a payment request to a payment server through a first device (e.g., POS device 122). Specifically, the first user terminal in this embodiment is an Internet enabled device Such as a personal computer, a tablet computer, a Smart phone, or the like, which can Submit the payment request to the payment server through a payment/ transaction application, an online transaction web page, an instant messaging client, an SNS client, or the like. In some embodiments, the payment request includes payment information Such as a transaction identifier or order number and a payment amount. (Zhang 0122); In an example usage scenario, when a user is standing in front of a POS device in a store, and after making a selection for remote entry of required verification information (e.g., as shown in FIG. 5A), the POS device displays the notification regarding Suspension of the transaction (e.g., as shown in FIG. 5B). (Zhang 0106)]

initially determining, by the processor computer, that the interaction is uncharacteristic for the user;
[In some embodiments, the payment server detects (804) a security risk in the payment request. In some embodiments, in accordance with a preset risk assessment For example, the payment server determines whether the payment amount of the payment request exceeds a daily payment preset by the user, whether a previous login of the user to the payment server had a security risk, whether the good or service corresponding to the payment request has a security risk, or the like. (Zhang 0123)]
obtaining, by the processor computer, further information regarding the user, the further information obtained using one or more sensors proximate to the user during the interaction; 
[In some embodiments, the payment server sends (806) a payment processing Suspension notification to the first device. As such, the payment server notifies the user that the payment request has a security risk and that the user needs to provide verification information, by means of voice communication with the Voice processing system, in order for the payment server to process the payment request. (Zhang 0125); in some embodiments, the Voice processing system obtains (812), by means of the voice communication, the verification information from the user of the second device. (Zhang 0128); in some embodiments, the voice processing system sends (814) the obtained verification information to the payment Server. (Zhang 0130)]

evaluating, by the processor computer, the interaction using the further information; and 
[In some embodiments, the payment server processes (816) the payment request according to the verification information. In some embodiments, the payment server verifies the verification information by determining whether the Verification information matches stored information corresponding to the verification content information. 
generating, by the processor computer, an indication of approval of the interaction after evaluating the further information and initially determining that the interaction is uncharacteristic for the user.
[Once the server receives and verifies the voice input received from the registered device of the user, the server sends a confirmation to the POS device, and the POS device displays the notification indicating that the Voice verification has been completed, and the transaction has been processed (as shown in FIG.5C). The entire transaction process is completed within the same session at the POS device in real-time, while the user is waiting in front of the POS device. (Zhang 0106)]

Regarding claim 18. Zhang teaches all the limitation of claim 17, Zhang further teaches (in italics):
the further information comprises context data obtained from one or more supplemental devices having the one or more sensors. [Alternatively, in some embodiments, the user provides the verification information to the Voice processing system by means of Voice. For example, the user reads the information related to the service request according to the prompt during the Voice communication. The Voice processing system obtains the Voice information which serves as the verification information, and returns the obtained voice information to the service server. Further optionally, the voice processing system prompts the user to read a sentence (e.g., the verification content information, or another piece of information such as “I am XX, and I confirm this payment”). The Voice processing system sends the whole piece of voice information to the service server as a service credential of this service request. (Zhang 0129)]

Claim 8 is rejected under 35 U.S.C. § 103 over Zhang in view of Cao, and in view of Summerlin (US Patent Application Publication 2018/0082304 A1).

Regarding claim 8. The combination of Zhang and Cao teaches all the limitations of claim 1. Zhang teaches all the limitations of claims 1 and 7. However, the combination of Zhang and Cao does not disclose remaining limitation of claim 8. 
	Nonetheless, Summerlin – which like the present invention is directed to authenticating subject’ identity using identification data indicative of a subject’s identity– specifically teaches (in italics):
providing login credentials to the one or more application servers to obtain the context data from the one or more application servers. [Using network access point 410, a user logs into an online environment, for example through a mobile app, requiring identity authentication. (Summerlin 0088); During a logon process, system 400 prompts the user for user identification data, e. g., a username, and active authentication data, e. g., a password . At the same time, system 400 passively gathers one or more additional authentication data at network access point. This authentication data can include keystroke data (e.g., from the keyboard or touch panel), mouse motion data, facial images (e. g., from a webcam), voice recognition (e. g., from a microphone). This data is transmitted to authentication server 140 where it is processed to verify or deny the user’s identity as discussed previously. (Summerlin 0089)]
Thus, the combination of Zhang and Cao shows it was known before the effective filing date of the invention to operate a system and method in which one or more input devices collects 
Therefore, before the effective filing date of the invention it would have been obvious to a person having ordinary skill in the art to requiring account credential registered and stored in the voice interactive devices (VID) as disclosed in Cao to be used as logon information when trying to access the VID server using the techniques taught by Summerlin, because the 

Claims 13-14 are rejected under 35 U.S.C. § 103 over the combination of Zhang and Cao and in view of Maheshwari (US Patent Application Publication 2018/0025356 A1).
Regarding claim 13. The combination of Zhang and Cao teaches all the limitations of claim 9. However, the combination of Zhang and Cao does not disclose remaining limitation of claim 13. 
Nonetheless, Maheshwari – which like the present invention is directed to a computer device for monitoring for fraudulent activity– specifically teaches (in italics):
the level of risk associated with the transaction is determined based at least in part on a resource provider associated with the transaction. [If the Fraud Engine 118 determines , at step 500 , that the authentication is associated with an in - App purchase , then the Fraud Engine 118 generates , at step 502 , the current location of the device 10 and determines, 504, if the current location falls within a set of secure locations. If so, then the Fraud Engine 118 increments, at step 506, the Confidence Level. (Maheshwari 0182); If the Fraud Engine 118 determines, at step 508, that the user has previously made a successful purchase with the same merchant, then the Fraud Engine 118 increments, at step 510, the Confidence Level. Further, the Fraud Engine 118 checks, at 512, to determine if the repeat purchase was recently made. If so, then the Fraud Engine 118 increments, at step 514, the Confidence Level. (Maheshwari 0193); The Fraud Engine 118 checks, at step 516, to see if the site where the purchase is being made is suspicious. If found to be suspicious, then the Fraud Engine 118 decrements, at step 518, the Confidence Level. (Maheshwari 0200)]



Regarding claim 14. The combination of Zhang and Summerlin, in view of Maheshwari   teaches all the limitations of claims 9 and 13. Maheshwari further teaches (in italics): 
the level of risk associated with the transaction is inversely correlated to a level of trustworthiness associated with the resource provider. [The Confidence Level is preferably a number which reflects the level of trust that should be associated with the procedure. (Maheshwari 0157)]


Relevant Prior Art Not Relied Upon
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure. The additional cited art, including but not limited to the excerpts below, further establishes the state of the art at the time of Applicant's invention and shows the following was known:
Systems and methods for authorization. The method may include accessing, by an authorization engine for a transaction by a user, an activity pattern model of the user from a database. The activity pattern model of the user may be indicative of a geospatial behavior of the user over time. The authorization engine may determine a set of sensors Hanna)
A system includes one or more memory devices storing instructions, and one or more processors configured to execute the instructions to perform steps of a method providing biometric detection of coercion of a user. The system may detect a trigger event associated with a potential transfer of funds and may receive user biometric data. The system may determine, based on stored user biometric data and the detected user biometric data, a confidence level that the stored user biometric data is indicative of biological information representative of a user being in a stressed state. The system may initiate one or more precautionary safety measures. (Bermudez)
A system to authenticate an entity and/or select details relative to an action or a financial account using biometric, behavior-metric, electronic-metric and/or knowledge-metric inputs. These inputs may comprise gestures, facial expressions, body movements, voice prints, sound excerpts, etc. Features are extracted from the inputs and each feature converted to a risk score, which is then translated to a representative value, such as a Tunnell)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JING WANG whose telephone number is (571)272-6940.  The examiner can normally be reached on M-F 7:30-17:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on 571-272-7575.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-




/J.W./Examiner, Art Unit 3685                                                                                                                                                                                                        

/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3685                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 84 Fed. Reg. 50, 51 (Jan. 7, 2019).
        2 Id. at 52.
        3 Id. at 55.
        4 Id. 
        5 Id. at 56.