DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/03/2021 has been entered.
 
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Andre Grouwstra (Reg. No: 71,934) on 02/22/2021. 

CLAIMS
The application has been amended as follows: 

receiving a first signal from a first computing system, the first signal including login information for logging into a second computing system; 
employing the second computing system to process the login information and generate a token and a registration link in response to receiving the first signal; 
embedding the token into the registration link; 
representing the registration link as a Quick Response (QR) code that is signed via a private key by the second computing system, wherein the private key is stored in the first computing system and associated with a public key previously provided to the second computing system;
forwarding the registration link to the first computing system; 
in the first computing system, generating a request message including information from the registration link, wherein the information is signed with [[a ]]the private key the public key

authenticating the request message by validating signed information in the request message using the public key, thereby yielding an authenticated request message in response thereto; and
employing the second computing system to selectively fulfill the authenticated request message for the first computing system, wherein the receiving, employing the second computing system to process the login information, embedding, forwarding, detecting, authenticating, and employing the second computing system to selectively fulfill the request message are performed by the one or more hardware processors. 

2.  (Original)	The non-transitory processor-readable storage device of claim 1, wherein authenticating includes using Public Key Infrastructure (PKI). 

3.  (Original)	The non-transitory processor-readable storage device of claim 1, further including representing the registration link as plain text on the first computing system. 

4.  (Canceled)	  



6.  (Original)	The non-transitory processor-readable storage device of claim 5, wherein the token includes specification of an expiry time of the token. 

7.  (Original)	The non-transitory processor-readable storage device of claim 5, wherein the token includes a JavaScript Object Notation Language (JSON) Web Token (JWT).  

8.  (Original)	The non-transitory processor-readable storage device of claim 1, wherein the second computing system includes a server system, and wherein the server system includes one or more authentication servers and one or more application servers. 

9.  (Original)	The non-transitory processor-readable storage device of claim 8, wherein the one or more authentication servers run on the one or more application servers. 

10.  (Original)	The non-transitory processor-readable storage device of claim 1, wherein the first computing system includes a software authentication device that further includes a mobile computing device and one or more authentication modules, and 
		 
11.	(Currently Amended)	A method for facilitating establishment of secure communications between software systems, the method comprising:
receiving a first signal from a first computing system, the first signal including login information for logging into a second computing system; 
employing the second computing system to process the login information and generate a token and a registration link in response to receiving the first signal; 
embedding the token into the registration link; 
representing the registration link as a Quick Response (QR) code that is signed via a private key by the second computing system, wherein the private key is stored in the first computing system and associated with a public key previously provided to the second computing system;
forwarding the registration link to the first computing system; 
in the first computing system, generating a request message including information from the registration link, wherein the information is signed with [[a ]]the private key the public key

authenticating the request message by validating signed information in the request message using the public key, thereby yielding an authenticated request message in response thereto; and
employing the second computing system to selectively fulfill the authenticated request message for the first computing system, wherein the receiving, employing the second computing system to process the login information, embedding, forwarding, detecting, authenticating, and employing the second computing system to selectively fulfill the request message are performed by one or more hardware processors. 

12.  (Original)	The method of claim 11, wherein authenticating includes using Public Key Infrastructure (PKI). 

13.  (Original)	The method of claim 11, further including representing the registration link as plain text on the first computing system. 

14.  (Canceled)	  



16.  (Original)	The method of claim 15, wherein the token includes specification of an expiry time of the token. 

17.  (Original)	The method of claim 15, wherein the token includes a JavaScript Object Notation Language (JSON) Web Token (JWT).  

18.  (Original)	The method of claim 11, wherein the second computing system includes a server system, and wherein the server system includes one or more authentication servers and one or more application servers. 

19.  (Original)	The method of claim 18, wherein the one or more authentication servers run on the one or more application servers, and wherein the first computing system includes a software authentication device that further includes a mobile computing device and one or more authentication modules. 

20.	(Currently Amended) An apparatus comprising: 
one or more hardware processors; and 

receiving a first signal from a first computing system, the first signal including login information for logging into a second computing system; 
employing the second computing system to process the login information and generate a token and a registration link in response to receiving the first signal; 
embedding the token into the registration link; 
representing the registration link as a Quick Response (QR) code that is signed via a private key by the second computing system, wherein the private key is stored in the first computing system and associated with a public key previously provided to the second computing system;
forwarding the registration link to the first computing system; 
in the first computing system, generating a request message including information from the registration link, wherein the information is signed with [[a ]]the private key the public key
detecting, by the second computing system, the request message from the first computing system, the request message requesting to access one or more computing resources of the second computing system; 

employing the second computing system to selectively fulfill the authenticated request message for the first computing system. 
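
The registration flow recited in independent claims 1, 11 and 20 (a server-issued expiring token embedded in a registration link, the client signing the link information with its private key, and the server validating that signature with the previously provided public key before fulfilling the request), worked through as an added Go example that is not part of the application or of this Office action. It assumes Ed25519 signatures, a small JSON token standing in for the JWT of claims 7 and 17, and a hypothetical server URL; the QR-code rendering of the link is omitted because it only changes how the link is transported, not what is signed or verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Token stands in for the expiring JWT of claims 6/7; the server signs it before embedding it.
type Token struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}
// Server side: mint a token with an expiry, sign it, and embed token and signature in the link.
func issueRegistrationLink(serverPriv ed25519.PrivateKey, subject string, ttl time.Duration, now time.Time) string {
	body, _ := json.Marshal(Token{Subject: subject, Expiry: now.Add(ttl).Unix()})
	q := url.Values{}
	q.Set("token", base64.RawURLEncoding.EncodeToString(body))
	q.Set("sig", base64.RawURLEncoding.EncodeToString(ed25519.Sign(serverPriv, body)))
	return "https://server.example/register?" + q.Encode() // hypothetical server URL
}
// Client side: sign the registration-link information with the client's private key.
func signRequest(clientPriv ed25519.PrivateKey, link string) []byte {
	return ed25519.Sign(clientPriv, []byte(link))
}
// Server side: check the client signature under the registered public key, then the token's server signature and expiry.
func authenticateRequest(serverPub, clientPub ed25519.PublicKey, link string, sig []byte, now time.Time) bool {
	u, err := url.Parse(link)
	if err != nil || !ed25519.Verify(clientPub, []byte(link), sig) {
		return false // malformed link or not signed by the registered client key
	}
	body, e1 := base64.RawURLEncoding.DecodeString(u.Query().Get("token"))
	tsig, e2 := base64.RawURLEncoding.DecodeString(u.Query().Get("sig"))
	if e1 != nil || e2 != nil || !ed25519.Verify(serverPub, body, tsig) {
		return false // token tampered with or not issued by this server
	}
	var t Token
	return json.Unmarshal(body, &t) == nil && now.Unix() < t.Expiry
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader) // client public key registered with the server beforehand
	link := issueRegistrationLink(serverPriv, "device-42", 5*time.Minute, time.Now())
	fmt.Println(authenticateRequest(serverPub, clientPub, link, signRequest(clientPriv, link), time.Now()))
}
```

A request signed with a key other than the registered one, a link whose embedded token has been altered, or a token presented after its expiry is rejected by authenticateRequest.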

REASONS FOR ALLOWANCE
Claims 1-3, 5-13 and 15-20 are allowed. 
The present invention is directed to: a system and method that facilitates establishment of secure communications between software systems, e.g., a client computing device and one or more servers (e.g., a cloud) using Multi Factor Authentication (MFA) via strategic use of tokens. A method for overcoming longstanding security loopholes and usability issues with conventional MFA methods includes efficiently securing registration code (e.g., via public key cryptography and tokens) and exchanged data (e.g., message payloads), in part by embedding a signed token (e.g., a JWT token signed by a private key of the server system) in a registration link used by a client system to communicate with one or more servers of a server system.
The closest prior art references, as previously recited, are Mahaffey et al (“Mahaffey,” US 20140189808), Nuggehalli et al (“Nuggehalli,” US 20150181080), Samdani et al (“Samdani,” US 20180310142) and Teixeron et al (“Teixeron,” WO2014022778).
Mahaffey is directed to: a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the 
Nuggehalli is directed to: providing an MFP device with access to external Web services. According to embodiments, an MFP Web application receives a registration request to register a particular user of an MFP with the MFP Web application. The MFP peripheral Web application uses at least one external Web service. In response to receiving the registration request, the MFP Web application performs at least one of sending to an email address associated with the particular user an email that includes a registration code and a link to the MFP Web application or sending to the MFP the registration code and encoded data including a link to the MFP Web application. After receiving an access token and the registration code, mapping data is stored at the MFP Web application that maps MFP device user identification data for the particular user to the access token for accessing the external Web service.
Samdani is directed to: a method and system for providing message-based management service enrollment. A map is generated that associates an identifier with an enterprise within the map. The identifier identifies a network endpoint of an enrollment service. A message with client data is received from a client device, which sends the message to the enrollment service using the identifier. A username is generated with the client data and a user account is created having the username. 
Teixeron is directed to: methods, apparatus, and systems for securing application interactions are disclosed. Application interactions may be secured by, at a user authentication device, capturing a signal emitted by an access device encoded with an authentication initiating message including an application identifier, decoding the signal and obtaining the authentication initiating message, retrieving the application identifier, presenting a human interpretable representation of the application identity to the user, obtaining user approval to generate a response message available to a verification server, generating a dynamic security value using a cryptographic algorithm that is cryptographically linked to the application identity, and generating a response message including the generated dynamic security value; making the response message available to a verification server; and, at the verification server, receiving the response message, verifying the response message including verifying the validity of the dynamic security value, and communicating the result of the verification of the response message to the application.
For example, none of the cited prior art teaches or suggests the steps of independent claims 1, 11 and 20: embedding the token into the registration link;  representing the registration link as a Quick Response (QR) code that is signed via a private key by the second computing system, wherein the private key is stored in the first computing system and associated with a public key previously provided to the second computing system; forwarding the registration link to the first computing system;  in the 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439