Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	Claims 1 and 23-24 have been amended. Claims 1-5, 7-17 and 21-24 have been examined.

Response to Arguments
2.	Applicant’s arguments with respect to the 35 USC 103 rejection of claim 1 have been considered but are moot because of the new grounds of rejection.

Claim Interpretation
3.	For claims 1 and 23-24, the limitation “a central server providing a business application” has been added to the preamble. The phrase “providing a business application” does not appear in the body of the claim. The phrase is merely the purpose or intended use of the claimed invention and is therefore not given patentable weight (note MPEP 2111.02).

	For claims 1, 11, 17 and 23-24, the phrase “and/or” has been given the broadest, reasonable interpretation of “or”, which only requires a single element from given alternatives.

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 

5.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 103
6.	Claims 1-5, 7-17 and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Stubblefield (U.S. Patent Application Publication 2014/0282964), and further in view of Neuman et al. (U.S. Patent Application Publication 2013/0263211; hereafter “Neuman”).
For claims 1 and 23-24, Stubblefield teaches a method, non-transitory computer-readable medium (note paragraph [0024], storage devices) and system (note paragraph [0024], computer) for authentication of a login of a client process into a server process on a central server (note paragraph [0031], BCA system may be implemented across one authentication server) providing a business application (note paragraphs [0002] and [0030], server provides authentication application used in business transactions) by means of multiple communications comprising at least a primary authentication communication and a secondary authentication communication (note paragraph [0017], multi-factor authentication), wherein the method comprises steps for:

-    the server process on the central server sending an initiating communication to a secondary device initiating the secondary authentication communication between the server process and a client authentication process (note paragraph [0047], block 315 server sends verification message),
-    the server process receiving primary authentication information comprising an authentication code or an authentication result by means of the primary authentication communication (note paragraph [0047], block 305 user inputs username and password and paragraph [0032], first authentication factor may include security code or token),
-    the server process receiving from the client authentication process secondary authentication information comprising an authentication code or an authentication result of the secondary authentication communication (note paragraph [0048], block 317 server receives confirmatory message/response and behavioral data),
-    the server process establishing the authentication on the basis of the primary authentication information and secondary authentication information (note paragraph [0022] and paragraph [0050], block 335 server provides access if first and second authentications are satisfied),
wherein the primary authentication communication and the secondary authentication communication are separate communications and/or wherein the server process can automatically establish a secondary authentication on the basis of the 
-    wherein the client authentication process is performed on a secondary device that has been previously registered at the server by means of a prior verification comprising a step in which a user using an application comprising the client authentication process calls the server process being performed on the server and logs in by means of his/her login information known to the server (note paragraph [0019], communication number is entered as part of a login or registration process), and
- the server process initiating the secondary authentication communication, initiates based on a push notification in the initiating communication to the secondary device previously registered for the secondary authentication process (note paragraph [0047], push notification).

Stubblefield differs from the claimed invention in that they fail to explicitly teach:
-    wherein the client authentication process is performed on a secondary device that has been previously logged in and gained access to the central server by means of a prior verification comprising a step in which a user using an application comprising the client authentication process calls the server process being performed on the server and logs in by means of his/her login information known to the server, and
-    wherein, by applying the previous login, the user need not input any data to perform the secondary authentication.

Neuman teaches:
-    wherein the client authentication process is performed on a secondary device (note paragraph [0146], user downloads app onto their smart phone) that has been previously logged in and gained access to the central server by means of a prior verification comprising a step in which a user using an application comprising the client authentication process calls the server process being performed on the server and logs in by means of his/her login information known to the server (note paragraphs [0178] and [0188], based on policy, user enters login information once for a set period of time), and
- wherein the server process initiating the secondary authentication communication, initiates based on a push notification in the initiating communication to the secondary device that has logged in and gained access to the central server for the secondary authentication process (note paragraphs [0203]-[0204], server initiates a connection to the user device app using a push mechanism; server message requests user validation of authentication event), wherein, by applying the previous login, the user need not input any data to perform the secondary authentication (note paragraphs [0087]-[0089], [0178], [0204]-[0205] and Figure 3, step 305, based on 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the multi-factor user authentication of Stubblefield and the secondary device previously logged in to the application server of Neuman. One of ordinary skill would have been motivated to combine Stubblefield and Neuman because it would allow a user to set security policies for their secondary authentication app that have the preferred balance of security and convenience for entering authentication data (note paragraphs [0176]-[0179] of Neuman).


For claim 2, the combination of Stubblefield and Neuman teaches claim 1, wherein the secondary authentication communication comprises steps for a user acceptance input to be received by the client authentication process (note paragraphs [0061] and [0064] of Stubblefield, user response).

For claim 3, the combination of Stubblefield and Neuman teaches claim 1, wherein the client process and the client authentication process can be performed on the same device (note paragraph [0026] of Stubblefield, login devices are 105a-105e and verification devices are 105a-105f).



For claim 5, the combination of Stubblefield and Neuman teaches claim 1, wherein the client authentication process is based on a unique device identification of a device on which it is performed (note paragraph [0019] of Stubblefield, communication device is registered with device ID).

For claim 7, the combination of Stubblefield and Neuman teaches claim 1, wherein the client authentication process comprises steps for receiving an input of a security code of a user (note paragraph [0047] of Stubblefield, one-time password (OTP)).

For claim 8, the combination of Stubblefield and Neuman teaches claim 1, wherein the steps for initiating the secondary authentication communication comprise steps for the server sending a message to the client authentication process (note paragraph [0047] of Stubblefield, block 315 server sends verification message to user communication device).

For claim 9, the combination of Stubblefield and Neuman teaches claim 8, comprising steps for using a gateway configured to transmit push notifications to the 

For claim 10, the combination of Stubblefield and Neuman teaches claim 1, wherein the primary and secondary authentication communications form separate communication loops (note paragraph [0047] of Stubblefield, primary authentication is username and password through website or application; secondary authentication is OTP through phone call, SMS, push notification, etc.).

For claim 11, the combination of Stubblefield and Neuman teaches claim 1, wherein no information transfer is performed between the primary authentication and the secondary authentication and/or between the secondary authentication and the primary authentication (note paragraph [0047] of Stubblefield, primary authentication is username and password through website or application; secondary authentication is OTP through phone call, SMS, push notification, etc.).

For claim 12, the combination of Stubblefield and Neuman teaches claim 1, wherein the server process has access to a data source comprising previously entered authentication data relating to devices on which the client authentication process is performed (note paragraph [0033] of Stubblefield, authentication server stores communication number for user verification data).



For claim 14, the combination of Stubblefield and Neuman teaches claim 1, wherein the primary authentication comprises a check by the server process of a username and password received by the server by means of the primary authentication communication between the client process and the server process (note paragraph [0032] of Stubblefield, first authentication factor may include username and password).

For claim 15, the combination of Stubblefield and Neuman teaches claim 1, comprising a further authentication by means of a tertiary authentication communication (note paragraph [0049] of Stubblefield, authentication by behavioral data that has been communicated to the server).

For claim 16, the combination of Stubblefield and Neuman teaches claim 1, comprising steps for:
-    receiving from a server process the message (note paragraphs [0060] and [0064] of Stubblefield, verification message sent to application on verification device),
-    receiving a confirmation or an authentication by means of a user input (note paragraphs [0061] and [0064] of Stubblefield, user verification response),


For claim 17, the combination of Stubblefield and Neuman teaches claim 16, comprising steps for determining by the client authentication process, on the basis of the received message, that the message is intended for the specific client authentication process and/or the device on which it functions (note paragraphs [0060]-[0061] and [0064] of Stubblefield, network connection and user response).

For claim 22, the combination of Stubblefield and Neuman teaches claim 1, comprising steps to keep track of one on one relations between users of user accounts and devices for the authentication (note paragraph [0019] of Stubblefield, communication number is entered as part of a user login or registration process). 


7.	Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Stubblefield and Neuman as applied to claim 1 above, and further in view of Ozzie et al. (U.S. Patent Application Publication 2010/0100945; hereafter “Ozzie”).
For claim 21, the combination of Stubblefield and Neuman differs from the claimed invention in that they fail to teach:
steps for removing a previously registered device.

Ozzie teaches:
steps for removing a previously registered device (note paragraph [0040], remove the user’s mobile phone from their authentication account).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the combination of Stubblefield and Neuman with the removal of an authentication device of Ozzie. One of ordinary skill would have been motivated to combine Stubblefield, Neuman and Ozzie because it would allow a user to remove a lost device from the list of devices which can be used in verification (note paragraph [0040] of Ozzie).


Conclusion
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	Kalinichenko et al. (U.S. Patent Application Publication 2014/0237236) teaches a previous log in (note Fig. 1, step 122) and a secondary authentication that the user need not input any data to perform the secondary authentication (note Fig. 2, step 134).

	Srivastav (U.S. Patent Application Publication 2013/0312073) teaches second factor authentication with a push notification to a mobile device where the user .

9.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711.  The examiner can normally be reached on 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/David J Pearson/
Primary Examiner, Art Unit 2438