DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 5/1/2019.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Kim (US20190044943A1). Two-channel authentication proxy system capable of detecting application tampering, and a method therefor, and provides a method for detecting tampering of an authentication application installed on a mobile terminal. 
Ebrahimi et al (US20170257358A1). Authenticated Login Using Static or Dynamic Codes.
Drawings
The drawings are objected to because:
Fig. 5 has User Interface with reference number 13, which is also used for Server in Fig. 4. 
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, 
Specification
The disclosure is objected to because of the following informalities: 
Para. [0028] line 8 recites “user interface system 13” in reference to Fig. 5. However reference 13 has been used for Server as shown in Fig. 4 and para. [0027].
Appropriate correction is required.
Claim Objections
Claims 4, 14 are objected to because of the following informalities:  
Claim 4 line 2, similarly claim 14 line 2, “… such that no other static user ID may be assigned to the same dynamic user ID” is intended use rendering limitation following “such that” ambiguous and carry no patentable weight. 
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7, 17 recite the limitation "the third dynamic user ID" in line 1.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-7, 11, 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman et al (US20140282961A1, hereinafter, “Dorfman”), in view of Lea (US20150222435A1, hereinafter, “Lea”), further in view of Alhothaily et al (US20170339163A1, hereinafter, “Alhothaily”).
Regarding claim 1, Dorfman teaches:
A method of authenticating a client device with a server (Dorfman, [Abstract] authenticating an identity of an online user), the method comprising: 
receiving a first authentication request from a first client device (Dorfman, See Fig. 4 step 402, and [0038] the user may desire to log-in to a website or, web page presented by a browser of the computing device. Thus, the user may initiate method 400 by requesting (i.e. first authentication request) to view a log-in site (step 402)); 
generating a first authentication token, the first authentication token including a first [dynamic] user ID, a first session ID, and [a first time stamp] (Dorfman, [0039] In response to the user's request, the authentication service may then generate a unique ID (i.e. user ID) and send the user's browser a QR code (i.e. authentication token) containing a server URL and the generated unique ID (step 404)); (see Alhothaily for dynamic user ID below)
(Dorfman, Fig. 4 step 404, Send (i.e. transmitting) QR code with server URL and unique ID); 
receiving a digital signature and a second authentication token from the first client device, the second authentication token including the first dynamic user ID, the first session ID, and [a second time stamp] (Dorfman, [0040] the mobile application may send to the authentication server a digital certificate containing the extracted unique ID and the log-in ID associated with the user (step 416). Specifically, because the mobile app may have been pre-registered with the authentication service, the mobile app may have one or more public/private keys, tokens, or any other authentication file suitable to securely transmit the encoded unique ID and log-in ID to the authentication service. Also see Fig. 5 step 508); (See Alhothaily for dynamic user ID, first timestamp and second timestamp below)
verifying the digital signature based on the contents of the second authentication token (Dorfman, [0041] Upon receiving the digital certificate from the mobile app, the authentication service may extract the unique ID from the browser's request from step 406, and extract the user's log-in ID from the digital certificate (step 418) (i.e. verifying). Also see Fig. 5 step 510); 
While Dorfman teaches authenticating user using QR code with unique ID and session ID but does not explicitly teach second request with third authentication token, however in the same field of endeavor Lea teaches:
generating a second [dynamic] user ID (Lea, [0010] a first user device obtaining an identifier; … the server generating an authentication token associated with the identifier); transmitting the second [dynamic] user ID and a third authentication token to the first client (Lea, [0010] a server is configured to generate an authentication token associated with the identifier in response to a first request, to transmit the authentication token (i.e. third authentication token) for receipt by an address associated with the user in response to the second request. And [0041] The application generates, in step 206, a message, including the UUID and token, signs it with the private key and transmits it to the server in step 207); (see Alhothaily for dynamic user ID below)
Examiner notes that the second dynamic user ID is interpreted as another dynamic user ID associated with another authentication token used in the second authentication request after the first authentication request.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lea in the authenticating an identity of a user of Dorfman by using second request derived from the first authentication token for user identity generation. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the second request in addition to the first request associated with the authentication token to validate user identity (Lea, [Abstract]).
Dorfman and Lea further teaches:
receiving the second [dynamic] user ID and the third authentication token from the first client device in a second authentication request (Dorfman, [0040] the mobile application may send to the authentication server a digital certificate containing the extracted unique ID and the log-in ID associated with the user (step 416)) occurring after the first authentication request (Lea, [0010] to verify the second request using a public key associated with the second request and, when verified, validating an identifier associated with the second request as an identity for the user. See Figure 2, the second request is generated (step 206) after the first request (step 203)); 
and authenticating the first client device using the third authentication token (Lea, [0010] when verified, validating an identifier associated with the second request as an identity for the user). Also see Dorfman (e.g. Fig. 4 step 426, Enable successful Log-in). 
The combination of Dorfman-Lea does not explicitly teach the user ID being dynamic and first timestamp and second timestamp included in the authentication token, however in the same field of endeavor Alhothaily teaches:
		authentication token including a first dynamic user ID, and a first time stamp; the second authentication token including a second time stamp (Alhothaily, [0029] The dynamic One-Time Username (OTU) (i.e. dynamic user ID) may be used by a user for a specific session login after service provider 325 verifies the user ticket and authenticates the user. And [0054] The ticket (i.e. authentication token), as described in detail above, may include a dynamic one-time username (OTU), a session key k, ticket validity period (TVP), timestamp (T) (i.e. first timestamp or second timestamp),…).
Examiner notes that claim 1 recites “a first time stamp” and “a second time stamp”, without being applied to perform any specific action in the claim.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Alhothaily in the authenticating an identity of a user of Dorfman-Lea by using ticket (i.e. authentication token) including dynamic one-time usernames and timestamp for user authentication to access 

Regarding claim 11, Dorfman-Lea-Alhothaily combination teaches:
A non-transitory computer-readable medium storing a plurality of instructions which, when executed by a processor (Dorfman, [0007] One system includes a data storage device storing instructions for authenticating an identity of an online user; and a processor configured to execute the instructions to perform a method), perform a method comprising: the method steps substantially similar to the method steps of claim 1, therefore is rejected with same reason set forth as rejection of claim 1 above. 

Regarding claim 4, similarly claim 14, Dorfman-Lea-Alhothaily combination further teaches:
The method of claim 1, the method of claim 11, 
wherein the first and second dynamic user ID, when generated, are uniquely assigned to a static user ID such that no other static user ID may be assigned to the same dynamic user ID (Dorfman, [0006] a log-in ID associated with the user and the unique ID (i.e. dynamic user ID); and authenticating the identity of the user to grant the user access, through the first device, to the web page associated with the user's online account). Examiner notes claim recites “such that …” is intended use, therefore the claim limitations reciting “no other static user ID may be assigned to the same dynamic user ID” does not carry patentable weight.

Regarding claim 5, similarly claim 15, Dorfman-Lea-Alhothaily combination further teaches:
The method of claim 1, the method of claim 11,
further comprising: generating a third session ID that is assigned to the second dynamic user ID (Dorfman, [0039] The authentication servers may then save the generated unique ID, which was sent to the browser in the QR code, along with a session ID that identifies the pending request by the browser to receive notice of completed log-in (step 410).  Thus, in one embodiment, the authorization service may store in a database, a plurality of unique IDs and session IDs received from various users' browsers, with the data indexed by the unique IDs).  

Regarding claim 6, similarly claim 16, Dorfman-Lea-Alhothaily combination further teaches:
The method of claim 1, the method of claim 11, 
wherein the second dynamic user ID is transmitted within the third authentication token (Lea, [0010] a server is configured to generate an authentication token associated with the identifier in response to a first request, to transmit the authentication token for receipt by an address associated with the user in response to the second request. And [0041] The application generates, in step 206, a message, including the UUID and token, signs it with the private key and transmits it to the server in step 207).  

Regarding claim 7, similarly claim 17, Dorfman-Lea-Alhothaily combination further teaches:
The method of claim 1, the method of claim 11, 
wherein the third dynamic user ID is transmitted separately from the third authentication token (See 35 USC 112(b) for the third dynamic user ID for lack of antecedent basis. Examiner notes the third dynamic user ID is transmitted with the fourth authentication token as seen from claim 3 therefore it is obvious that it is transmitted separately from the third authentication token).  

Claims 2, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman-Lea-Alhothaily as applied above, further in view of Kanukollu (US20200112436A1, hereinafter, “Kanukollu”).
Regarding claim 2, similarly claim 12, Dorfman-Lea-Alhothaily teaches:
The method of claim 1, the medium of claim 11,
While the combination of Dorfman-Lea-Alhothaily does not explicitly teach the following limitation(s), Kanukollu in the same field of endeavor teaches:
wherein the first authentication request includes a fourth authentication token (Kanukollu, [0037] At operation 208, the client 102 sends a client token (i.e. fourth authentication token) and the code received at operation 204 to the identity provider 106), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kanukollu in the authenticating an identity of a user of Dorfman-Lea-Alhothaily by receiving client generated 
Dorfman further teaches:
the method further comprising: extracting a second session ID from the fourth authentication token (Dorfman, [0041] The authentication service may then look-up the session ID for which the extracted unique ID was saved (step 420)); and determining whether a valid session for the first client device exists based on the second session ID (Dorfman, [0041] thus, the authentication service may, having received a digital certificate and enclosed unique ID and log-in ID, desire to identify the browser session corresponding to that unique ID.  That is, the authentication service may determine which browser issued a pending request for notice of completed log-in associated with the log-in ID that it now received from a mobile device).  

Claims 3, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman-Lea-Alhothaily-Kanukollu as applied above, further in view of Shablygin (US20130145148A1, hereinafter, “Shablygin”).
Regarding claim 3, similarly claim 13, Dorfman-Lea-Alhothaily-Kanukollu teaches:
The method of claim 2, the medium of claim 12,
While the combination of Dorfman-Lea-Alhothaily-Kanukollu does not explicitly teach the following limitation(s), Shablygin in the same field of endeavor teaches:
(Shablygin, [0277] While a blank token resulting from the deactivation of an active token, may have a token ID, user ID, and encryption keys stored on the token, the deactivated token cannot be used for any form of authentication… a disabled token may be reused by overwriting existing information with a new token ID, user ID, and encryption keys as described above).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shablygin in the authenticating an identity of a user of Dorfman-Lea-Alhothaily by disabling deactivated token as blank token. This would have been obvious because the person having ordinary skill in the art would have been motivated to reuse the disabled token for a new token ID, user ID etc. for user authentication (Shablygin, [0004], [0006], [0277]).

Claims 8, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman-Lea-Alhothaily-Kanukollu as applied above, further in view of Pearson et al (US20060218625A1, hereinafter, “Pearson”).
Regarding claim 8, similarly claim 18, Dorfman-Lea-Alhothaily-Kanukollu combination teaches:
The method of claim 2, the method of claim 12,
While the combination Dorfman-Lea-Alhothaily-Kanukollu does not explicitly teach the following limitations, in the same field of endeavor Pearson teaches:
(Pearson, [0045] the first identity provider server determines that the end-user has a valid login session.  If the end-user does not have a valid login session, the first identity provider server challenges the end-user for a username and password, i.e., credentials, before moving to step 422); generating a third session ID; and transmitting the challenge to the client device (Pearson, [0045] At step 422, the first identity provider server formulates a redirecting authentication response, e.g., https://www.SP1.com/ AuthnResponse? [Encrypted Payload] and sends it back to the end-user browser.  Then, at step 424, the end-user browser forwards the identity provider server authentication response to first service provider server.  The first service provider server decodes the response and creates a login session for the end-user).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pearson in the authenticating an identity of a user of Dorfman-Lea-Alhothaily-Kanukollu by challenging the end-user if the end-user does not have valid login session. This would have been obvious because the person having ordinary skill in the art would have been motivated to have service provider server to provide the end-user to access a protected application by having a valid session with challenge and response process (Pearson, [0043], [0045]).

Claims 9, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman-Lea-Alhothaily as applied above to claim 1, 11 respectively, further in view of Xu et al (US20150163216A1, hereinafter, “Xu”).
Regarding claim 9, similarly claim 19, Dorfman-Lea-Alhothaily combination teaches:
The method of claim 1, the method of claim 11,
While the combination Dorfman-Lea-Alhothaily does not explicitly teach the following limitation(s), in the same field of endeavor Xu teaches:
further comprising: after generating the second dynamic user ID, rejecting authentication of a second client device in response to receiving an authentication token containing the first dynamic user ID (Xu, [0120] the method for identity authentication provided in the embodiments can switch to another check character generation rule when the current check character generation rule is cracked and puts the version number of the new rule in the new access ID to assign to the authorized third party developer in order to invalidate the old access ID (i.e. rejecting authentication of first dynamic user ID).  As such, the difficulty of cracking access ID is increased).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Xu in the authenticating an identity of a user of Dorfman-Lea-Alhothaily by invalidating the old access ID in identity authentication. This would have been obvious because the person having ordinary skill in the art would have been motivated to invalidate the old access ID in order to protect from access ID cracking in identity authentication (Xu, [0120]).

Claims 10, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dorfman-Lea-Alhothaily-Xu as applied above to claim 9, 19 respectively, further in view of Atwood et al (US20190363886A1, hereinafter, “Atwood”).
Regarding claim 10, similarly claim 20, Dorfman-Lea-Alhothaily-Xu combination teaches:
The method of claim 9, the method of claim 19,
While the combination Dorfman-Lea-Alhothaily-Xu does not explicitly teach the following limitation(s), in the same field of endeavor Atwood teaches:
wherein the second client device is the first client device (Atwood, [0014] the first server may maintain a record of a plurality of applications, each of which may be authenticated by receipt of the token.  The first server may receive an additional service request for a different application from the client electronic device, wherein the additional service request includes the token, a different application identifier, and the device identifier… determining that the token is valid may include confirming that the device identifier received with the additional service request is the same device identifier (i.e. first client device) that was received with the handshake request).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Atwood in the authenticating an identity of a user of Dorfman-Lea-Alhothaily-Xu by maintaining a record of a plurality of application with different application identifier of the same client device. This would have been obvious because the person having ordinary skill in the art would have been motivated to manage the different application with secure and authenticated communication channel (Atwood, [0013-0014]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436