DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has
been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37
CFR 1.114. Applicant's submission filed on 02/12/2021 has been entered.

	

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(e) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994)
The disclosure of the prior-filed application, Application No. 62/293,137, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application.  The provisional .

Response to Amendment
This communication is in response to the amendment filed on 02/12/2021. The Examiner acknowledges the amended Claims 10-29.  Claims 1-9 have been cancelled. Claims 10-29 are pending and Claims 10-29 are rejected.  Claims 10 and 13 is/are independent. 

The previous rejection(s) of claims under 35 U.S.C. § 112 are withdrawn in view of Applicant's amendments. 

Response to Arguments
Applicant's arguments filed have been fully considered but they are moot in view of the new ground(s) of rejection. 

Applicant argues (see page 8 of Applicant's Remarks):
Oberheide therefore does not provide for a separate authentication session separate from the initial authentication of the device itself. Instead, Oberheide provides for the conventional push authentication in which a user tries to log into a system, and the system then pushes an acceptance request to the user to accept. However, Oberheide does not provide any specific assessment or review of the current session of the system at the time of sending the push request. It only determines that the device gets the push itself. This is exactly the prior art discussed in the instant application: "There are several prior art pending patent applications covering various combinations and methods incorporating this technique. In one such method a user when logging in to a terminal or personal computer (PC) either with a username or username and password, a push is sent to a preregistered mobile device. This authentication method is referred to as the tap-to-login process." (Instant Specification, US 2017/0230357,   [0005].) Oberheide does not determine whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile 
Houthooft also does not show or describe the claim authentication session including the activity status between the mobile device and the authentication server. Houthooft is tracking a global timer for the authentication process for performing all of the activities and not in any specific state of the mobile device with respect to the authentication process. Specifically, when Houthooft defines the current session - it is under the section of the server application states. (See, Houthooft,   [0062], [0071] ("server application state consists of registration records and session records. The registration records holds: ... Current session [which] is the session ID of the current authentication or registration session for this registration record.")) Similarly, when the server checks if the session is still valid and the associated client is not yet activated. The server is merely checking an individual session with the server and not the specific state of the mobile device. The only time Houthooft discloses checking the mobile device is when the "server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process." (Houthooft,   [00115].) This is referring to the RegID from the original authentication of the mobile device. (Houthooft,   [0059]-[0060] "The mobile application state is quite simple. At any time it holds two items: RegistrationID This is a UUID which is created during the registration process. It is the link between a registered mobile device and a user account on the server application." This RegID does not track a current session or activity status of the mobile device with the authentication server, but merely indicates that the mobile device is that related to the user account. Houthooft determines whether the RegID is blocked merely to determine whether too many log in attempts have been made. (See Houthooft,   [0116]-[0117] ("If the Pin failure counter exceeds a configured threshold the registration record can be marked as blocked.".)

 


Examiner respectfully disagrees. Examiner notes that new grounds of rejection are necessitated by applicant’s amendments. 
With respect to the limitation of claim 10:
determining whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile device and an authentication server before sending the push notification, wherein determining whether an authentication session exist comprises determining whether an authentication program was launch on the mobile device, and the authentication session activity status is still active comprises determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server;

Douglas et al. U.S. Publication 20200279255 (hereinafter “Douglas”) at para. [0042] discloses ‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device and a location of the second customer device, for example when geo-location services are activated at the customer device(s). When the customer authentication system 120 determines that the first customer device is not within a predetermined distance (500 feet, one mile, and the like) from the second customer device, the customer authentication system 120 may determine than an authentication code cannot be generated.’
The amended claim limitations are disclosed at least because the Douglas reference teaches location data sent from the mobile device to the authentication system 120 is used to generate the authentication code which is sent to the second customer device for completing the second phase of the two factor authentication. Since the authentication system 120 receives the location data from the mobile device, this indicates that the authentication system 120 has data indicating the authentication application on the second customer device is launched, open, and actively sending location data back to the authentication system 120.

Applicant argues (see page 8 of Applicant's Remarks):
Independent claim 10 also recites that "determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server." Even if Oberheide shows and describe an active status from the registration of the device, none of the references show or describe any 

Examiner respectfully disagrees. Based on the as filed specification on para. 16 and 18, it seems that the only way to know the authentication program is still open and active is either through a timer or possibly through receiving GPS coordinates from the mobile device. The newly cited Douglas reference also describes receiving GPS coordinates from the mobile device. Thus, both the cited Douglas reference and the description in the specification use the same technique of receiving GPS coordinates to determine that an application has been launched and is still open and active. Regarding the timer described in para. 16 of the specification, it is not clear how a timer can be used to perform a check of the actual authentication program on the device itself. Simply examining the time left until timeout at the server is not performing a check of the mobile device that is to receive the second factor authentication request, since a timer at the server cannot provide any indication of what is actually happening with an authentication application on the mobile device except for a timeout.  

Applicant argues (see page 9 of Applicant's Remarks):

Independent claim 13 also recites similar features to claim 10 including using the current authentication session. Dependent claims 24 and 28 also recite a time limit restriction based on when the authentication program is initiated. Therefore, these claims provide an additional basis of patentability than the cited reference. 

	Examiner respectfully disagrees. Based on applicant’s amendments and explanation of the activity between the first device and authentication server indicating an active application session, claim 13 is rejected with new grounds of rejection as argued below. Note that the second to last clause (“sending the push notification …”) of claim 13 is a conditional limitation and only one of the two possible ways the claim may read on prior art need be shown in the 
 
Accordingly, Applicant's arguments are moot in view of the new ground(s) of rejection. 
	


Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	
	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

	Claims 10-15, 17-21 and 25-27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide et al. U.S. Publication 20150046989 (hereinafter “Oberheide”) in view of Houthooft et al. U.S. Publication 20160219039 (hereinafter “Houthooft”), further in view of Douglas et al. U.S. Publication 20200279255 (hereinafter “Douglas”) (hereinafter “Douglas”) (relying on provisional application priority date of August 15, 2014).
As per claim 10, Oberheide discloses a multi-factor authentication method for confirming an identity of a user in possession of a mobile device, comprising: 
(See Oberheide Para. 68 ‘method may ……verifying multi-factor authentication of a user S160. The request may be an enrollment request. The request may alternatively be an authentication request.’[a multi-factor authentication method for confirming an identity of a user]
Oberheide [0019]
‘The system ….. a two-factor authentication (2FA) service, and more preferably a 2FA system that leverages a mobile computing device as the second factor of authentication.’ [in possession of a mobile device]
Oberheide [0040]
‘the method can be applied to adding an additional factor of authentication. The device profile can be used as a second form of authentication when logging into a service or more preferably when providing an additional verification vector of the device as shown in FIG. 11. The device profile can serve as a device “biometric” factor of authentication that can supplement the “what you have” form of two factor authentication with the device. The method is preferably implemented by a 2FA system that facilitates 2FA authentication for multiple users.’
[The multi-factor authentication of the user in the Oberheide reference confirms the identity of the user]
Oberheide [0029]
‘….verify identity when a device changes...’)

initially authenticating the mobile device for receiving a push notification; 
(See Oberheide Para. 
Para. [0037]
verifying multi-factor authentication of a user S160 as shown in FIG. 7. … ……authenticating an authentication device [initially authenticating the mobile device for receiving a push notification] ….simplify the process of adding devices as multi-factor authentication devices.’
Oberheide [0072]
‘If a second device instance is successfully enrolled or authenticated [initially authenticating the mobile device for receiving a push notification], the second device profile may set as a new reference device profile for subsequent enrollment or authentication requests. ……’
).

receiving an authentication request of the user in possession of the mobile device receiving the push notification; 
(See Oberheide 
Oberheide [0070] ‘……verifying multi-factor authentication of a user, …… verifying an authentication request [receiving an authentication request]….. a user will provide a username and password to website [receiving an authentication request of the user]; that website [website and/or the 2FA service represents authentication server] will invoke the 2FA service to push an authentication notification 
)

sending the push notification to the mobile device and the user by the authentication server only when the mobile device is authenticated
(See Oberheide 
authentication request is received for a particular account, a corresponding device profile can be identified.’
Oberheide [0070] ‘……verifying multi-factor authentication of a user, ……a user will provide a username and password to website [receiving an authentication request of the user]; that website [website and/or the 2FA service represents authentication server] will invoke the 2FA service to push an authentication notification 
[sending the push notification to the mobile device and the user; initial authentication of the mobile has been performed and the outcome of the initial authentication remains in effect; that is, the initial authentication session remains active] 
to the authentication application of the corresponding account; the user will respond …..on their phone to confirm the login request; transparently, a device profile is generated and sent along with the user confirmation; and the 2FA service uses the user confirmation and the device profile match to confirm or deny the authentication request on the website
[a matching device profile indicates 1) that the device has been authenticated and 2) the authentication is active. If the device has not been initially authenticated or if the initial authentication has been disabled or removed or deactivated, then there would be no matching device profile at the server]. 
the social networking server [authentication server] verifies the user credentials and confirms that the device profiles match before allowing login.’
Oberheide [0062] ‘……..receiving an authentication request of a device S134, which functions to use a device profile comparison as an additional factor of authentication.’
)

authenticating the user after receiving an input in response to the push notification to the mobile device
 (See Oberheide Para. [0070]
confirm or deny the authentication request on the website.’
Oberheide [0018] ‘As shown in FIG. 1, a system for verifying status of an authentication device…. can include an authentication application 110,’
)

However, Oberheide does not expressly disclose 
determining whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile device and an authentication server before sending the push notification, wherein determining whether an authentication session exist comprises determining whether an authentication program was launch on the mobile device, and the authentication session activity status is still active comprises determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server;


Houthooft discloses  
determining whether an authentication session exists for the mobile device
(See Houthooft Para.
[0069]
‘Activated This field indicates if this registration has been completed.’
Houthooft [0071]
‘Current session This is the session ID of the current authentication or registration session for this registration record.’

‘The mobile client, in the same server session submits: the RegID, PIN and the OTP where RegID and OTP are obtained from the mobile client's local persistent state.’
Houthooft [0114]
‘The server checks if the session exists and is still valid.’
[determining whether an authentication session exists for the mobile device]
Houthooft [0115]
‘The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.’
Houthooft [0125]
‘Only now the server marks the user server session as authenticated:
SessionID	Status	Start	RegID
<SessionID>	SUCCESS	<current time>	<RegID>’
Houthooft [0176]
‘Activated wherein this field indicates if this registration has been completed;’
Houthooft [0181]
‘SessionID which is a reference to this session used during client/server communication and in the registration record's current session;’
Houthooft [0182]
‘Status which is a field that tells if this session was successfully authenticated;’
[first device is authenticated;]
Houthooft [0183]
‘Start date: this tells when the session was started; this field is used to expire old sessions.’)

determining whether an authentication session exists for the mobile device
One of ordinary skill in the art would have made this modification to improve the ability of the system to authenticate the user. By ensuring that an authentication session exists to complete the authentication process, the system increases the likelihood that the authentication is not fraudulent. The system of the primary reference can be modified to determine whether an authentication session exists as described in the Houthooft reference.

However, the combination of Oberheide and Houthooft does not expressly disclose 
determining whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile device and an authentication server before sending the push notification, wherein determining whether an authentication session exist comprises determining whether an authentication program was launch on the mobile device, and the authentication session activity status is still active comprises determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server;
Douglas discloses determining whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile device and an authentication server before sending the push notification, wherein determining whether an authentication session exist comprises determining whether an authentication program was launch on the mobile device, and the authentication session activity status is still active comprises determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server;
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device and a location of the second customer device, for example when geo-location services are activated at the customer device(s). When the customer authentication system 120 determines that the first customer device is not within a predetermined distance (500 feet, one mile, and the like) from the second customer device, the customer authentication system 120 may determine than an authentication code cannot be generated.’
Douglas [0043]
‘Authentication data may be generated to be included with a notification, such as an SMS message, an MMS message, an e-mail, a push notification, a voicemail message, and the like. A notification may include data indicative of how to use the authentication code and/or data indicative of a customer authentication request. For example, where authentication data is transmitted in a push notification, the push notification may include a link to open a website, a mobile application, an authentication request notification, and/or an SMS message to input the authentication code and/or response. In the same manner, an SMS message, MMS message, e-mail, and the like may include a link to direct a customer to input the authentication data and/or authentication response for transmission to the customer authentication system 120 and/or customer authentication device 122.’
 the second phase of the two factor authentication. Since the authentication system 120 receives the location data from the mobile device, this indicates that the authentication system 120 has data indicating the authentication application on the second customer device is launched, open, and actively sending location data back to the authentication system 120.
Based on the as filed specification on para. 16 and 18, it seems that the only way to know the authentication program is still open and active is either through a timer or possibly through receiving GPS coordinates from the mobile device. The newly cited Douglas reference also describes receiving GPS coordinates from the mobile device. Thus, both the cited Douglas reference and the description in the specification use the same technique of receiving GPS coordinates to determine that an application has been launched and is still open and active. Regarding the timer described in para. 16 of the specification, it is not clear how a timer can be used to perform a check of the actual authentication program on the device itself. Simply examining the time left until timeout at the server is not performing a check of the mobile device that is to receive the second factor authentication request, since a timer at the server cannot provide any indication of what is actually happening with an authentication application on the mobile device except for a timeout.  ]
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate authentication code of Douglas to include 
determining whether an authentication session exists for the mobile device separate from the initial authentication of the mobile device and an authentication session activity status is still active between the mobile device and an authentication server before sending the push notification, wherein determining whether an authentication session exist comprises determining whether an authentication program was launch on the mobile device, and the authentication session activity status is still active comprises determining that the authentication program is still open and active on the mobile device at the time the push notification is sent by the authentication server;
One of ordinary skill in the art would have made this modification to improve the ability of the system to improve the probability that the mobile device has not been compromised when performing the second factor authentication. The authentication system of the primary reference can be modified to transmit location data from the mobile to the device authentication service to ensure that any notification codes generated for a second factor are based on the current location status of the mobile device, or to ensure that the mobile device is sufficiently close to the laptop to reduce the probability of a compromised second factor device. 


As per claim 11, the rejection of claim 10 is incorporated herein. 
However, Oberheide does not expressly disclose wherein the authentication server sending the push notification is programmed to reject an authentication request if the authentication session is not active.
Houthooft discloses wherein the authentication server sending the push notification is programmed to reject an authentication request if the authentication session is not active.
(See Houthooft Para. 0114]
‘The server checks if the session exists and is still valid.’
[0115]
‘The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.’

For the reasons discussed with respect to claim 10, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Oberheide with the authentication process aborting technique of Houthooft to include wherein the authentication server sending the push notification is programmed to reject an authentication request if the authentication session is not active.

As per claim 12, the rejection of claim 10 is incorporated herein. 
	However, the combination of Oberheide and Houthooft does not expressly disclose determining that a first location of the mobile device and a second location of a second device are in a same geographical location before sending the push notification, and the second device is used to authenticate the user in possession of the mobile device. 
Douglas discloses determining that a first location of the mobile device and a second location of a second device are in a same geographical location before sending the push notification, and the second device is used to authenticate the user in possession of the mobile device.
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device and a location of the second customer device, for example when geo-location services are activated at the customer device(s). When the customer authentication system 120 determines 
Douglas [0043]
‘Authentication data may be generated to be included with a notification, such as an SMS message, an MMS message, an e-mail, a push notification, a voicemail message, and the like. A notification may include data indicative of how to use the authentication code and/or data indicative of a customer authentication request. For example, where authentication data is transmitted in a push notification, the push notification may include a link to open a website, a mobile application, an authentication request notification, and/or an SMS message to input the authentication code and/or response. In the same manner, an SMS message, MMS message, e-mail, and the like may include a link to direct a customer to input the authentication data and/or authentication response for transmission to the customer authentication system 120 and/or customer authentication device 122.’
).
For the reasons discussed with respect to claim 10, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and push authentication code of Douglas to include determining that a first location of the mobile device and a second location of a second device are in a same geographical location before sending the push notification, and the second device is used to authenticate the user in possession of the mobile device.




CLAIM 13
As per independent claim 13, Oberheide discloses 
a multi-factor authentication method for confirming an identity of a user in possession of a mobile device, comprising: 
(See Oberheide Para. 68 ‘The method may additionally or alternatively include verifying multi-factor authentication of a user S160 [a multi-factor authentication method for confirming an identity of a user]. The request may be an enrollment request. The request may alternatively be an authentication request.’
Oberheide [0019]
‘…… two-factor authentication (2FA) service, and more preferably a 2FA system that leverages a mobile computing device [a mobile device ] as the second factor of authentication.’
Oberheide [0040]
‘…..adding an additional factor of authentication. The device profile can be used as a second form of authentication when logging into a service …… can serve as a device “biometric” factor of authentication that can supplement the “what you have” form of two factor authentication with the device [a mobile device].’
)

initially authenticating a first device for receiving a push notification; 
(See Oberheide Para. 
[0072]
‘If a second device instance is successfully enrolled or authenticated [initially authenticating a first device for receiving a push notification], the second device profile may set as a new reference device profile for subsequent enrollment or authentication requests.’
Oberheide Para. [0037]
verifying multi-factor authentication of a user S160 …… . even authenticating an authentication device [initially authenticating a first device for receiving a push notification] as shown in FIG. 8. …. additional factor of authentication …… simplify the process of adding devices as multi-factor authentication devices.’
)

initiating a login request through a first application on a second device; 
(See Oberheide
[0022]
‘a user attempts to login to a web service on a browser [initiating a login request] (on a different device [on a second device; second device = a different device] or in a different application), that web service can initiate an authentication process that will depend on some user interaction with the authentication application 110 (e.g., entering a code obtained from the application or completing some action from within the application)..’
Oberheide [0070] ‘,…..verifying multi-factor authentication of a user, … functions to use the device profile as criteria used in verifying an authentication request. …, a user will provide a username and password to website [initiating a login request through a first application]; that website [website in combination with the 2FA service represents authentication server; the username and password will authenticate the user] will invoke the 2FA service….. 
)

sending the login request to an authentication server;
(See Oberheide
[0070] ‘,…..verifying multi-factor authentication of a user, … functions to use the device profile as criteria used in verifying an authentication request. …, a user will provide a username sending the login request]; that website [website in combination with the 2FA service represents authentication server; the username and password will authenticate the user] will invoke the 2FA service
)

activating a current authentication session from the first device by launching an authentication program on the first device separate from the first application and separate from the initial authentication of the first device; 
 (See Oberheide [0069]
‘A new instance [launching an authentication program on the first device ] can include the same application installed on a new device, an updated version of the application, an application with all or a portion of the credential data missing. The second authentication application can alternatively be a completely different application.[ [launching an authentication program] ….., an association to the second application instance is added in addition to the existing one with the first authentication application instance. This variation enables two active application instances to be used to complete two factor authentication...’
)

determining whether the first device is authenticated
(See Oberheide
[0070] ’…..verifying multi-factor authentication of a user, ……, a user will provide a username and password to website; that website [website in combination with the 2FA service represents authentication server; the username and password will authenticate the user] will invoke the 2FA service to push an authentication notification to the authentication application of the corresponding account ‘
authentication credentials for registered accounts……assigning the second application instance includes reassigning the association of an account with the first application instance to the second application instance’
Oberheide [0004] ‘Two-factor authentication can involve enrolling a device to be used as an authentication device, such as a mobile phone. In some cases, the authentication can be tied to an authentication application on that device.’
[determining whether the first device is authenticated is disclosed since the account includes authenticated devices with authentication applications executing on such authenticated devices. Server must obtain the information regarding authentication application installed on mobile from the corresponding account and the corresponding account stores information of authenticated devices]
) 

sending the push notification to the first device and the user by the authentication server only when the first device and user are authenticated 
 (See Oberheide
[0070] ’…..verifying multi-factor authentication of a user, ……, a user will provide a username and password to website; that website [website in combination with the 2FA service represents authentication server; the username and password will authenticate the user] will invoke the 2FA service to push an authentication notification [sending the push notification] to the authentication application of the corresponding account; the user will respond through the authentication application on their phone [the first device ] to confirm the login request; transparently, a device profile is generated and sent along with the user confirmation; and the 2FA service uses the user confirmation and the device profile match to confirm or deny the authentication request on the website’
sending the push notification to the first device and the user by the authentication server only when the first device and user are authenticated is disclosed because the username and password authenticates the user ; initial authentication of the mobile has been performed (e.g., para. 37 and 72 as argued above) 
note this is a conditional limitation and only one of the two conditions for sending or not sending need to be present in the prior art to read on the prior art in the rejection ]
 )

authenticating the user after receiving an input in response to the push notification to the first device
 (See Oberheide Para. [0070]
‘that website will invoke the 2FA service to push an authentication notification …….the 2FA service uses the user confirmation and the device profile match to confirm or deny the authentication request on the website.’
[0018] ‘As shown in FIG. 1, a system for verifying status of an authentication device…. can include an authentication application 110,’
)

However, Oberheide does not expressly disclose 
determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server through the authentication program being open on the first device and the first device remaining active,
sending the push notification to the first device and the user by the authentication server only when the first device and user are authenticated and has the current authentication session active, and not sending the push notification to the first device and the user by the authentication server when any of the first device is not authenticated, the user is not authenticated, and the user does not have the current authentication session active;

Houthooft discloses 
determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server
(See Houthooft Para.
[0069]
‘Activated This field indicates if this registration has been completed.’
Houthooft [0071]
‘Current session This is the session ID of the current authentication or registration session for this registration record.’
Houthooft [0113]
‘The mobile client, in the same server session submits: the RegID, PIN and the OTP where RegID and OTP are obtained from the mobile client's local persistent state.’[an activity of the current authentication session is between the first device and the authentication server]
Houthooft [0114]
The server checks if the session exists and is still valid.[ determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server]
Houthooft [0115]
The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.

Only now the server marks the user server session as authenticated:
SessionID	Status	Start	RegID
<SessionID>	SUCCESS	<current time>	<RegID>’
Houthooft [0176]
‘Activated wherein this field indicates if this registration has been completed; ‘
Houthooft [0181]
‘SessionID which is a reference to this session used during client/server communication and in the registration record's current session;’
Houthooft [0182]
‘Status which is a field that tells if this session was successfully authenticated;’
[first device is authenticated]
Houthooft [0183]
Start date: this tells when the session was started; this field is used to expire old sessions.
)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Oberheide with the authentication session of Houthooft to include 
determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server
One of ordinary skill in the art would have made this modification to improve the ability of the system to authenticate the user. By requiring an active authentication session to complete the authentication process, the system increases the likelihood that the authentication is not 

However, the combination of Oberheide and Houthooft does not expressly disclose determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server through the authentication program being open on the first device and the first device remaining active, 
sending the push notification to the first device and the user by the authentication server only when the first device and user are authenticated and has the current authentication session active, and not sending the push notification to the first device and the user by the authentication server when any of the first device is not authenticated, the user is not authenticated, and the user does not have the current authentication session active;

Douglas discloses 
determining whether the first device has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server through the authentication program being open on the first device and the first device remaining active
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device the authentication program being open on the first device and the first device remaining active is disclosed from the transmission of the GPS data]
Douglas [0043]
‘Authentication data may be generated to be included with a notification, such as an SMS message, an MMS message, an e-mail, a push notification, a voicemail message, and the like. A notification may include data indicative of how to use the authentication code and/or data indicative of a customer authentication request. For example, where authentication data is transmitted in a push notification, the push notification may include a link to open a website, a mobile application, an authentication request notification, and/or an SMS message to input the authentication code and/or response. In the same manner, an SMS message, MMS message, e-mail, and the like may include a link to direct a customer to input the authentication data and/or authentication response for transmission to the customer authentication system 120 and/or customer authentication device 122.’

[Based on applicant’s amendments and explanation of the activity between the first device and authentication server indicating an active application session, claim 13 is rejected with new grounds of rejection.. Note that the second to last clause (“sending the push notification …”) of claim 13 is a conditional limitation and only one of the two possible ways the claim may read on prior art need be shown in the rejection.]
).

sending the push notification to the first device and the user by the authentication server only when has the current authentication session active,
(See Douglas Para. [0042]
[note this is a conditional limitation and only one of the conditions for either sending or not sending need be present in the prior art to read on the prior art in the rejection; this rejection is based on the activity being part of the active device as recited in claim 13 ]
 ‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted [sending the push notification ]to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device and a location of the second customer device, for example when geo-location services are activated at the customer device(s). When the customer authentication system 120 determines that the first customer device is not within a predetermined distance (500 feet, one mile, and the like) from the second customer device, the customer authentication system 120 may determine than an authentication code cannot be generated.’[and has the current authentication session active is disclosed because the transmitted GPS information indicates the active authentication session on the first device, and then the GPS is used to generate authentication code sent to the first device].
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and send authentication code of Douglas to include
determining whether the first device is authenticated and has the current authentication session active, an activity of the current authentication session is between the first device and the authentication server through the authentication program being open on the first device and the first device remaining active
sending the push notification to the first device and the user by the authentication server only when the first device and user are authenticated and has the current authentication session active,
[note this is a conditional limitation and only one of the conditions for either sending or not sending need be present in the prior art to read on the prior art in the rejection; this rejection is based on the activity being part of the active device as recited in claim 13 ]

One of ordinary skill in the art would have made this modification to improve the ability of the system to improve the probability that the mobile device has not been compromised when performing the second factor authentication. The authentication system of the primary reference can be modified to transmit location data from the mobile to the device authentication service to ensure that any notification codes generated for a second factor are based on the current location status of the mobile device, or to ensure that the mobile device is sufficiently close to the laptop to reduce the probability of a compromised second factor device. 

As per claim 14, the rejection of claim 13 is incorporated herein. 
Oberheide in view of Houthooft discloses granting access to the first application on the second device when the user confirms authentication from the first device in response to the push notification.
(See Oberheide Para. [0070]
‘….. verifying multi-factor authentication ….. a user will provide a username and password to website; that website will invoke the 2FA service to push an authentication notification to the authentication application of the corresponding account; the user will respond through the authentication application on their phone to confirm the login request [when the user confirms authentication from the first device]; transparently, a device profile is generated and sent along with the user confirmation; and the 2FA service uses the user confirmation and the device profile match to confirm or deny the authentication request on the website. ….., the device profile can be used as a second factor of authentication. ……; the application sends the login credentials along with a generated device profile; the social networking server verifies the user credentials and confirms that the device profiles match before allowing login.’
)

As per claim 15, the rejection of claim 14 is incorporated herein. 
	However, the combination of Oberheide and Houthooft does not expressly disclose determining a distance proximity between the first device and the second device before sending the push notification to the first device. 
Douglas discloses determining a distance proximity between the first device and the second device before sending the push notification to the first device.
[0043]
‘Authentication data may be generated to be included with a notification, such as an SMS message, an MMS message, an e-mail, a push notification, a voicemail message, and the like. A notification may include data indicative of how to use the authentication code and/or data indicative of a customer authentication request. For example, where authentication data is transmitted in a push notification, the push notification may include a link to open a website, a mobile application, an authentication request notification, and/or an SMS message to input the authentication code and/or response. In the same manner, an SMS message, MMS message, e-mail, and the like may include a link to direct a customer to input the authentication 
For the reasons discussed with respect to claim 10, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and push authentication code of Douglas to include 
determining a distance proximity between the first device and the second device before sending the push notification to the first device.

As per claim 17, the rejection of claim 14 is incorporated herein. 
Oberheide discloses wherein the authentication server is configured to not send the push notification when the user and first device are not authenticated.
(See Oberheide Para. 
[0044]
‘….. a 2FA system, ……configure a device for authentication. …… an application on a mobile device is used by a 2FA system to push authentication requests as the second factor of authentication. Thus, during enrollment, the 2FA associates the installed application instance with the corresponding account so that push notifications can be delivered to the correct application. 
[The device must be enrolled and authenticated in order to push notification]
Oberheide [0070] 
‘…….verifying multi-factor authentication of a user, functions to use the device profile as criteria used in verifying an authentication request. …….. a user will provide a username and password to website; that website will invoke the 2FA service to push an authentication notification to the authentication application of the corresponding account; the user will respond through the authentication application on their phone to confirm the login request;’

).
Houthooft discloses wherein the authentication server is configured to not send the push notification when the user and first device are not authenticated.
(See Houthooft Para. [0115]
‘The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.’
[If the registration record for a mobile device is blocked that means the mobile device is not registered and authenticated and the server aborts]
Houthooft [0117]
‘The server also checks if the PIN code matches the PIN code that is stored in the registration record matching the RegID parameter. If the submitted PIN code does not match the PIN code in the server's persistent state a PIN failure counter can be increased. If the PIN failure counter exceeds a configured threshold the registration record can be marked as blocked. The PIN counter can be reset to zero after every successful authentication attempt.’
Houthooft [0120]
‘The OTP' and the optional items to be confirmed or configured are sent back to the mobile client.’
[Verifying the PIN code is authenticating the user and if the PIN code cannot be verified then the OTP’ and the option items to be confirmed or configured are not sent to the mobile client.]

As per claim 18, the rejection of claim 17 is incorporated herein. 
wherein the current authentication session is inactive and the server does not send the push notification to the first device and the user.
Houthooft discloses wherein the current authentication session is inactive and the server does not send the push notification to the first device and the user.
(See Houthooft Para. [0115]
‘The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.’

As per claim 19, the rejection of claim 17 is incorporated herein. 
However, Oberheide does not expressly disclose wherein the authentication server denies a  login attempt and does not allow the login request to be confirmed.
Houthooft discloses wherein the authentication server denies a login attempt and does not allow the login request to be confirmed.
(See Houthooft Para. [0115]
‘The server checks if the registration record (Reg ID) is activated and not blocked. If it is blocked the server aborts the authentication process.’

As per claim 20, the rejection of claim 13 is incorporated herein. 
However, Oberheide does not expressly disclose wherein the authentication server does not send out a login confirmation notification to the first device if the current authentication session is not active.
Houthooft discloses wherein the authentication server does not send out a login confirmation notification to the first device if the current authentication session is not active.
(See Houthooft Para. [0115]
blocked the server aborts the authentication process.’

As per claim 21, the rejection of claim 13 is incorporated herein. 
Oberheide in view of Houthooft discloses wherein the first device is a mobile device.
(See Oberheide Para. [0019]
‘The system is preferably used in combination with a two-factor authentication (2FA) service, and more preferably a 2FA system that leverages a mobile computing device as the second factor of authentication.’

As per claim 25, the rejection of claim 10 is incorporated herein. 
Oberheide in view of Houthooft discloses wherein determining whether an authentication session exists comprises authenticating the first device
(See Oberheide 
Para. [0037]
‘FIG. 6, a method for verifying status of an authentication device ….. include verifying multi-factor authentication of a user S160 as shown in FIG. 7. … ……authenticating an authentication device [initially authenticating the mobile device for receiving a push notification] ….simplify the process of adding devices as multi-factor authentication devices.’
Oberheide [0072]
‘If a second device instance is successfully enrolled or authenticated [initially authenticating the mobile device for receiving a push notification], the second device profile may set as a new reference device profile for subsequent enrollment or authentication requests. ……’
push an authentication notification to the authentication application of the corresponding account 
Oberheide [0069]  ‘adds a second optional set of authentication credentials for registered accounts……assigning the second application instance includes reassigning the association of an account with the first application instance to the second application instance’ [these are actual application instances which means that the application instance is alive and active and open]
Oberheide [0004] ‘Two-factor authentication can involve enrolling a device to be used as an authentication device, such as a mobile phone. In some cases, the authentication can be tied to an authentication application on that device.’
)
However, the combination of Oberheide and Houthooft does not expressly disclose wherein determining whether an authentication session exists comprises authenticating the first device, and determining whether an authentication session is active comprises determining that the first device remains open and active.
Douglas discloses determining whether an authentication session is active comprises determining that the first device remains open and active 
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device 
For the reasons discussed with respect to claim 10, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and transmit authentication code of Douglas to include wherein determining whether an authentication session exists comprises authenticating the first device, and determining whether an authentication session is active comprises determining that the first device remains open and active.

As per claim 26, the rejection of claim 13 is incorporated herein. 
However, the combination of Oberheide and Houthooft does not expressly disclose wherein determining whether the current authentication session is active comprises determining whether an authentication program was launch on the first device and is still open on the first device before sending the push notification.
Douglas discloses determining whether an authentication program was launch on the first device and is still open on the first device before sending the push notification.
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), 
).
For the reasons discussed with respect to claim 13, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and transmit authentication code of Douglas to include wherein determining whether the current authentication session is active comprises determining whether an authentication program was launch on the first device and is still open on the first device before sending the push notification.

As per claim 27, the rejection of claim 13 is incorporated herein. 
Oberheide in view of Houthooft discloses wherein activating a current authentication session comprises authenticating the first device
(See Oberheide 
[0070] ’…..verifying multi-factor authentication of a user, ……, a user will provide a username and password to website; that website will invoke the 2FA service to push an authentication notification to the authentication application of the corresponding account 
Oberheide [0069]  ‘adds a second optional set of authentication credentials for registered accounts……assigning the second application instance includes reassigning the association of an account with the first application instance to the second application instance’ 
the authentication can be tied to an authentication application on that device.’
Oberheide Para. [0037]
‘FIG. 6, a method for verifying status of an authentication device ….. include verifying multi-factor authentication of a user S160 as shown in FIG. 7. … ……authenticating an authentication device [initially authenticating the mobile device for receiving a push notification] ….simplify the process of adding devices as multi-factor authentication devices.’
Oberheide [0072]
‘If a second device instance is successfully enrolled or authenticated [initially authenticating the mobile device for receiving a push notification], the second device profile may set as a new reference device profile for subsequent enrollment or authentication requests. ……’
)
However, the combination of Oberheide and Houthooft does not expressly disclose wherein activating a current authentication session comprises authenticating the first device and determining whether the current authentication session is active comprises determining that the first device remains open and active.
Douglas discloses determining whether the current authentication session is active comprises determining that the first device remains open and active.
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the customer authentication system 120 may determine a location of the first customer device and a location of the second customer device, for example when geo-location services are activated at the customer device(s). When the customer authentication system 120 determines that the first customer device is not within a predetermined distance (500 feet, one mile, and the like) from the second customer device, the customer authentication system 120 may determine than an authentication code cannot be generated.’
).
For the reasons discussed with respect to claim 13, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for using location coordinates of a mobile device to generate and transmit authentication code of Douglas to include wherein activating a current authentication session comprises authenticating the first device, and determining whether the current authentication session is active comprises determining that the first device remains open and active.


Claims 16 and 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide in view of Houthooft, in view of Douglas, further in view of Singhal et al. U.S. Publication 20070042755 (hereinafter “Singhal”).
As per claim 16, the rejection of claim 14 is incorporated herein. 
	However, the combination of Oberheide, Houthooft, and Douglas does not expressly disclose wherein the second device and the first device are the same device.
Singhal discloses wherein the second device and the first device are the same device.
(see Singhal figure 1, element 12, and para. 24 and 26;

).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide, Houthooft, and Douglas with the device of Singhal to include wherein the second device and the first device are the same device.  
One of ordinary skill in the art would have been motivated to make the modification because the authentication can be automatic (and therefore more efficient) when the authentication is performed without requiring a security token, and using the same device for both stages of two-factor authentication (See Singhal, para. 7). The system of the primary reference can be modified to use a device as both the first and second device in two-factor authentication as taught in the Singhal reference.

As per claim 22, the claim(s) is/are directed to a method with limitations which correspond to limitations of claim 16, and is/are rejected for the reasons detailed with respect to claim 16.  


	Claim 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide in view of Houthooft, in view of Douglas, further in view of Sylvain et al. U.S. Publication 20170206525 (hereinafter “Sylvain”).
As per claim 23, the rejection of claim 13 is incorporated herein.
	However, the combination of Oberheide, Houthooft, and Douglas does not expressly disclose wherein the authentication server receives the login request by the second device and the login attempt carries information that associates the login attempt to the first device previously registered with said authentication server.
Sylvain discloses wherein the authentication server receives the login request by the second device and the login attempt carries information that associates the login attempt to the first device previously registered with said authentication server.
(See Sylvain Para. 38; ‘an online transaction begins with the conventional login process 435 whereby the user provides a user id and password information from a web browser 405. The online merchant's website 410 validates the provided user credentials; applicant’s specification indicates at paragraph 17 that username or password information can be such information associating a login attempt with a previously registered device’
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide, Houthooft, and Douglas with the information associating a login attempt of Sylvain to include wherein the authentication server receives the login request by the second device and the login attempt carries information that associates the login attempt to the first device previously registered with said authentication server.
One of ordinary skill in the art would have made this modification to improve the ability of the system to determine which device to use as a second authentication factor device when users attempt login. The system of the primary reference can be modified for associating information with a device as described in the Sylvain reference.

Claims 24 and 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide in view of Houthooft, further in view of Douglas, further in view of Weber et al. U.S. Publication 20130174252 (hereinafter “Weber”).
As per claim 24, the rejection of claim 10 is incorporated herein. 
wherein determining whether the authentication session is still active comprises determining that a time duration since the authentication program was launched within a predetermined time limit.
Weber discloses determining that a time duration since the authentication program was launched within a predetermined time limit.
(See Weber Para. [0079] ‘the Bluetooth enabled device authentication control application may include a timeout period or timestamp or otherwise be configured to monitor another identifiable event or characteristic, where upon expiration of the timeout period or identification of the event, the Bluetooth enabled device will no longer provide authentication information without further interaction from the user to reset the timeout period or event. For example, a timeout period may be set for a certain number of days, such that after the specified number of days, the Bluetooth enabled device will no longer transmit the authentication information until the user interacts with the Bluetooth enabled device, such as but not limited to, by providing a password or other known information. Of course, the timeout period could be adjustable and may be set to any suitable duration of time, for example but not limited to, from any number of seconds to any number of days, and could even be set to never expire, if so desirable. As an additional example, the Bluetooth enabled device authentication control application could be set up to publish the service information only for a limited time after the user starts the application. In this way, the authentication information would be available generally only during a time period that the user expects or desires to use the authentication information..’
)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide, Houthooft, and Douglas with the techniques for assigning a timeout for an authentication wherein determining whether the authentication session is still active comprises determining that a time duration since the authentication program was launched within a predetermined time limit. The system of the primary reference can be modified to put a timeout period on the authentication application of the authentication device so that if the duration of time after the authentication program has been launched is passed a preset period of time than the application program is no longer effective for authentication.
One of ordinary skill in the art would have made this modification to improve the ability of the system to improve the likelihood that the authentication program is secure when operated since the longer the application program is left the more time there is for security violation or  incident to occur with respect to the authentication program.

As per claim 28, the rejection of claim 13 is incorporated herein. 
However, the combination of Oberheide and Houthooft does not expressly disclose 
wherein the activity of the current authentication session is determined based on the authentication program being open on the first device at the time the push notification is sent, and that a time elapse from when the current authentication session was activated is within a predefined time limit.
Douglas discloses wherein the activity of the current authentication session is determined based on the authentication program being open on the first device at the time the push notification is sent,
(See Douglas Para. [0042]
‘Authentication code data be generated based on geo-location data, such as a location associated with a customer device (e.g., customer device 130 or customer device 202). For example, if a customer is requesting authentication from a first device and the customer authentication system 120 determines that an authentication code should be transmitted to a second customer device based on data stored in data storage 128 (or from a third party), the authentication program being open on the first device at the time the push notification is sent  is disclosed from the transmission of the GPS data which indicates that the authentication program is open and active and sending back data; this is similar to applicant’s specification which describes sending GPS data back to the authentication server; timer described in applicant’s specification actually provides no indication of an operational status of any of the authentication application on the first device]
).
For the reasons discussed with respect to claim 13, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide and Houthooft with the technique for sending GPS data from the authentication device of Douglas to include wherein the activity of the current authentication session is determined based on the authentication program being open on the first device at the time the push notification is sent,

	However, the combination of Oberheide, Houthooft, and Douglas does not expressly disclose wherein the activity of the current authentication session is determined based on the authentication program being open on the first device at the time the push notification is sent, and that a time elapse from when the current authentication session was activated is within a predefined time limit.

wherein the activity of the current authentication session is determined based on  a time elapse from when the current authentication session was activated is within a predefined time limit.
(See Weber Para. [0079] ‘the Bluetooth enabled device authentication control application may include a timeout period or timestamp or otherwise be configured to monitor another identifiable event or characteristic, where upon expiration of the timeout period or identification of the event, the Bluetooth enabled device will no longer provide authentication information without further interaction from the user to reset the timeout period or event. For example, a timeout period may be set for a certain number of days, such that after the specified number of days, the Bluetooth enabled device will no longer transmit the authentication information until the user interacts with the Bluetooth enabled device, such as but not limited to, by providing a password or other known information. Of course, the timeout period could be adjustable and may be set to any suitable duration of time, for example but not limited to, from any number of seconds to any number of days, and could even be set to never expire, if so desirable. As an additional example, the Bluetooth enabled device authentication control application could be set up to publish the service information only for a limited time after the user starts the application. In this way, the authentication information would be available generally only during a time period that the user expects or desires to use the authentication information..’
)
For the reasons discussed with respect to claim 24, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide, Houthooft and Douglas with the technique for timing out authentication application and device of Weber to include 

wherein the activity of the current authentication session is determined based on the authentication program being open on the first device at the time the push notification is sent, and that a time elapse from when the current authentication session was activated is within a predefined time limit.

Claim 29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide in view of Houthooft, further in view of Douglas, further in view of Rotter et al. U.S. Publication 20160277439 (hereinafter “Rotter”).
As per claim 29, the rejection of claim 13 is incorporated herein. 
	However, the combination of Oberheide, Houthooft, and Douglas does not expressly disclose wherein activating a current authentication session comprises launching the authentication program on the first device by a second authentication of the user through the authentication program with the authentication server separate from the initial authentication of the first device.
Rotter discloses wherein activating a current authentication session comprises launching the authentication program on the first device by a second authentication of the user through the authentication program with the authentication server separate from the initial authentication of the first device.
(See Rotter see figure 2 user opens/closes deadbolt
Para. [0061] ‘The user further downloads a cyber deadbolt authentication application (e.g., mobile app) on the user's mobile device, or any other computing device 220, which is configured to communicate with the authentication server 240. In some embodiments, this authentication application may be used to perform the above described onboarding process. The authentication application on the user's computing device 220 may enable the user to enter (e.g., scan) the generated pairing code to pair the computing device 220 to the authentication account at the authentication server 240. In some embodiments, the pairing may further comprise the authentication server 240 confirming the identity of the user by various tertiary authentication methods 242, including using the user's captured voice signatures, the user's captured biometric or behavioral information, contacting the configured human authentications for the user, and such, prior to accepting the pairing 270..’
registering and initializing the user to create a user authentication account at the authentication server 240. The user may first install 310 an authentication application associated with the authentication server 240, for example a mobile application, on the computing device 220. In some embodiments, the installation of the authentication application includes collecting security information from the user, such as biometric or behavioral information (e.g., finger prints) or such. Thus, when an individual later attempts to execute the authentication application on the computing device 220, the authentication application, such as by touching or sliding an icon, button, or other such option presented on the computing device 220, for the authentication application may confirm the individual's identity as the user prior to enabling the authentication application interface to the individual. In this way, even if the individual accesses the user's computing device 220 (e.g., mobile phone), the individual may still not execute the authentication application interface to lock/unlock the user's paired accounts for client applications 250.’
)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Oberheide, Houthooft, and Douglas with the technique for confirming the identity of the user with the server by verifying the identity of the user through the mobile application installed on the mobile device of Rotter to include 
wherein activating a current authentication session comprises launching the authentication program on the first device by a second authentication of the user through the authentication program with the authentication server separate from the initial authentication of the first device.
	One of ordinary skill in the art would have made this modification to improve the ability of the system to prevent fraudulent use of the authentication application, to prevent users from fraudulently gaining access to the user’s accounts that require second factor authentication through the authentication application on the mobile.  The authentication application on the mobile device of the primary reference can be modified to confirm the identity of the user using previously acquired personal identifying characteristics of the user stored on the authentication server.
Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HOWARD H. LOUIE/Examiner, Art Unit 2494                                                                                                                                                                                                        
/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494