DETAILED ACTION 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are pending and herein considered.

Allowable Subject Matter
Claims 6 and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The subject matter of claims 6 and 7 is not disclosed by the prior art of record

Claim Rejections - 35 USC § 112
Claim 14 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 14 recite “the processing the login request”. However, the term the login request lacks sufficient antecedent.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


Claims 1-2, 4-5, 8-14 and 16 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Koutenaei et al. US 2016/0269403 A1 (hereinafter Koutenaei).
Regarding claim 1, Koutenaei substantially discloses:
A first user device comprising: a communication module configured to communicate with a second user device using short range wireless communications; a non-transitory memory storing instructions; and one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory to cause the first user device to perform operations comprising (A (first) “browsing device” 10 (stationary or mobile computing device) in short range communication (e.g. Bluetooth, Wi-Fi) with a (second) “authentication device” 20 (e.g. smartphone/other smart wearable device); the first browsing device 10 and (optionally) the second authentication device 20 are further in communication with an “authentication server” 30; The browsing device 10, authentication device 20 and authentication server 30 cooperate to authenticate the user at the first device based on user “biometric information” (user face image) (Koutenaei: par. 3-4, 20-22, 25; Fig. 1, 12). In a first authentication method variant, the authentication device 20 does not communicate directly (communicates via the browser device) with the authentication server (Koutenaei: par. 42-44, Fig. 1). In a second alternative authentication method variant, the authentication device 20 communicates directly with the authentication server (Koutenaei: par. 94, Fig. 6)):
receiving an authentication request for an account of a first user in an application on the first user device (A “user may be granted or denied access to an application, software, account, virtual private network, or a computing device [including the browsing device]” (Koutenaei: par. 20); “the user may need to add software or application for the browsing device 10. This application designed for the browsing device 10 may include a plugin for Internet browser or the application” (Koutenaei: par. 28). After the user “clicks on the login, sign-in, submit, and the like, button on the browsing device 10, the user's biometric information is invoked to be acquired on the authentication device 20”, which must be in the proximity of the browsing device (Koutenaei: par. 23, 33, 35-36));
determining the second user device is within a distance to the first user device using a short range wireless scan of available devices by the communication module (“granting or denying access to the user using a browsing device” requires an “authentication device” to be in the proximity of the browsing device, where “a pair of devices may be considered to be in each other's proximity if they are able to send and receive Bluetooth beacons” (Koutenaei: par. 20); “once the user performs an action that requires user authentication or authorization (e.g. opens an application or software tries to log into an account or a webpage, and the like) the browsing device 10 first checks if the authentication device 20 is in its proximity”. “If the communication channel between the browsing device 10 and authentication device 20…is based on Bluetooth, the proximity is measured via beacon of Bluetooth” (Koutenaei: par. 34));
generating a confirmation request that the first user is utilizing the first user device; pushing the confirmation request to the second user device through the short range wireless communications by the communication module (After the user “clicks on ; and
receiving a response message from the second user device based on the confirmation request (“if the user's biometric information matches the record, as stored, for example, in the authentication device, the authentication device 20 communicates with the server (e.g. the authentication server 30) to inform server 30 of the match. Thereafter, the user is authenticated and access to the user is granted on the browsing device 10” (Koutenaei: par. 23, 39-42). More specifically, “the authentication device 20 creates two encrypted messages including a first message for the browsing device 10 and a second message for the authentication server 30. Both messages have a challenged signed by the authentication device's 20 private key. Then the authentication device 20 sends both encrypted messages to the browsing device 10”; the browsing device validates the first message, generates a third message and sends the second message (received from the authentication device) and the third message to the authentication server 30, as an authentication/access request (Koutenaei: par. 43-44). The authentication server 30 processes the received authentication/access request and if the user authentication is successful, “the user is granted access to an application or account”; otherwise, user access is limited/denied (Koutenaei: par. 20, 45-51)).


Regarding claims 2, 4-5 and 8-9, the rejection of claim 1 under 35 U.S.C 102(a)(2) is incorporated herein. In addition, Koutenaei substantially discloses:
(2) The short range wireless communications comprise one of near field communications, radio communications, infrared communications, Bluetooth communications, Bluetooth Low Energy (BLE) communications, WiFi communications, or LTE Direct communication (Koutenaei: e.g. par. 30-31).
(4) The authentication request comprises one of an account login at a new location for the first user device, a password reset for the account, or an electronic transaction processing in the application using the account (Koutenaei: e.g. par. 23, 50-51).
(5) The second user device comprises one of a plurality of user devices detected within the distance to the first user device using the short range wireless scan of the available devices, and wherein the confirmation request is pushed to each of the plurality of user devices (The authentication device 20 outlined for the rejection of claim 1). 
(8) The operations further comprise:
transmitting the response message to a service provider server associated with the account (the response message sent to the authentication server via the browser device, as outlined for the rejection of claim 1);
receiving an authentication response to the authentication request from the service provider server based on the response message (Koutenaei: par. 33, 49; the ; and providing access to the account based on the authentication response (as outlined for the rejection of claim 1).
(9) The operations further comprise: processing the authentication request using at least one of image matching of an image captured by the second user device in the response message, a confirmation response in the response message, or directional information of the second user device in the response message (Koutenaei: par. 43-44; and as outlined for the rejection of claim 1).

Regarding claim 10, it corresponds to claim 1 (first authentication method variant), where the response (to the user identification message) received from the second (authentication) device, is transmitted by the first (browsing) device (as an authentication/content access request) to the authentication server where it is processed as outlined for the rejection of claim 1. In addition, claim 10 also corresponds to the second alternative user authentication method variant (outlined for the rejection of claim 1), where the authentication device 20 communicates directly with the authentication server. Therefore, claim 10 is rejected as outlined above and for the rejection of claim 1, and is additionally rejected according to the second authentication method, as outlined below.
Although the messages of the first and second method variants are exchanged over different routes, the user biometric authentication is performed over the same user 
 A method comprising:
receiving, by a service provider server, a content access request for an account of a user from a first mobile device (“in this embodiment, the browsing device 10 and the authentication device 20 directly communicate with the authentication server 30” (Koutenaei: par. 94). The “At 901, the user requests [on the browsing device 10] user authentication or authorization”. Next, “the browsing device 10 encrypts its session information and other device information” and “sends the encrypted message with an enquiry to authenticate the user to the authentication server 30” (Koutenaei: par. 105; Fig. 9));
determining a second mobile device within a short range wireless communication range of the first mobile device (The browsing device 10 and the authentication device 20 are required to be in proximity of each other for the user to be logged in; the proximity can be measured “as provided in previous embodiments” (via Bluetooth beacons, as outlined for the rejection of claim 1). Alternatively, the proximity is monitored by the authentication server 30, based on GPS information (Koutenaei: par. 122-123). Moreover, “the authentication device [20] acquires the user biometric information” that includes a “face image” of the user (Koutenaei: par. 106), i.e. the authentication device 20 is required to be in the proximity of the browser device 10);
transmitting a user identification message to the second mobile device, wherein the user identification message requests that the second mobile device confirm that the user for the account is present with the first mobile device (The “authentication server sends a push notification to the authentication device 20 of that specific user that is registered with the account. In addition to the push notification that is designed to alert the user, the authentication server also sends an encrypted message to the user's authentication device to request authentication. This message also includes a challenge that needs to be signed by the authentication device 20” (Koutenaei: par. 106));
receiving a response to the user identification message from the second mobile device; and processing the content access request based on the response (The authentication request is validated by the authentication device 20; if the validation is successful, the user provides biometric information,which is compared with the stored (reference) biometric information to determine if the provided and stored biometric information match (Koutenaei: par. 106-109). If the comparison fails (the user is not locally authenticated), “the authentication device 20 sends negative results to the authentication server 30” and the user is denied or is provided limited access “to the account, webpage, application, software, and the like or-temporary or permanently-suspending any actions that needs users' authentication or authorization” (Koutenaei: par. 110). If the comparison (local authentication) is successful, the result is sent to the authentication server 30 (Koutenaei: par. 111-112). The authentication server performs additional verification and if no significant anomalies are detected, “the user is granted access and/or gets logged in to his/her account, website, application, cloud server, VPN, and the like”. If however, anomalies are detected, “any actions that need[s] user's authentication or authorization” are limited or denied   (Koutenaei: par. 20, 113-119)).
The aforementioned covers all the limitations of claim 10.

Regarding claims 11-14 and 16, the rejection of claim 10 under 35 U.S.C 102(a)(2) is incorporated herein. In addition, Koutenaei substantially discloses:
(11) The method of claim 10, further comprising: determining a third user device is within the short range wireless communication range; and determining the third user device is not a trusted device, wherein the user identification message is not sent to the third user device (At least in one scenario, there are other devices (including the third device and different than the authentication device) in the proximity of the first (browsing) device. However, devices “must be registered” and only the authentication device is registered; “the browsing device 10 first checks if the authentication device 20 is in its proximity” (Koutenaei: par. 29, 31, 33-34), so the third device is ignored when a user is authenticated).
(12) The determining the second mobile device is within the short range wireless communication range comprises one of detecting that a geo-location of the second mobile device is within a geo-fenced area around the first mobile device or scanning for the second mobile device using a Bluetooth scan of available mobile devices by the first mobile device (Bluetooth scanning or GPS location, as outlined for the rejection of claims 1 and 10).
(13) The transmitting the user identification message to the second mobile device is performed through one of network communications between the service provider server and the second mobile device or short range wireless communications between the first mobile device and the second mobile device (As outlined for the rejection of claim 10).
(14) The processing the login request comprises authenticating the first mobile device for use of the account if the response confirms that the user is present with the first mobile device during the access request (The browsing and authentication devices must be registered, and are authenticated by the authentication server (Koutenaei: e.g. par. 29, 31, 44-46));
and wherein the method further comprises: providing access to the content through an application on the first mobile device (Access is provided (as outlined for the rejection of claims 1 and 10) through a browser (Koutenaei: par. 28, 31, 44)).
(16) Determining a third mobile device within the short range wireless communication range; transmitting a user identification message to the third mobile device, wherein the user identification message requests that the third mobile device confirm that the user for the account is present with the first mobile device; receiving a response to the user identification message from the third mobile device (As outlined for the rejection of claim 10, where the authentication is performed at a different time and the third mobile device may be the second authentication device or different than the second authentication device);
determining the third mobile device has a different trustworthiness score than the second mobile device; and weighing the response from the third mobile device differently than the second from the second mobile device (at the authentication server, “If the signed challenge or one time password is not correct, then the process moves to 337 and the authentication server 30 flags the account and/or the username as being at risk which may result in limiting access to the account”, as oposed to granting access to .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

	Claims 3, 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koutenaei in view of Zagarese et al. US 2018/0181964 A1 (hereinafter Zagarese).
	Regarding claims 3 and 15, the rejection of claims 1 and 10 under 35 U.S.C 102(a)(2) is incorporated herein. Koutenaei does not expressly disclose that the confirmation request/identification message comprises an image of the user, as recited by claims 3 and 15. However, in a related application, Zagarese discloses a method of verifying an identity of a user by: providing a current image of the user captured at a user device, and data captured from an identity document, the data including an identification (reference) photograph; further, comparing the current image of the user with the identity photograph using a facial verification algoritm; and identifying the user if the current image of the user matches the identification photograph (Zagarese: par. 235, 266, 269, 277). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Koutenaei with the teachings of Zagarese at least to use data and the user identification photograph from an identification document as a reference user image, and to identify the user by matching  “that they want to be authenticated on”.
Accordingly, Koutenaei in view of Zagarese  discloses:
	(3) The first user device of claim 1, wherein the confirmation request
comprises a request to identify that the first user is in possession of the first user device at a time associated with the authentication request (as outlined for the rejection of claim 1), and wherein the confirmation request comprises an image of the first user associated with the account (as outlined above; see also  Koutenaei: par. 70, 71).
(15) The user identification message comprises an image of the user associated with the account (as outlined above and for the rejection of claim 3), and wherein the user identification message further comprises a request to at least one of capture an image of the user, point the second mobile device at the user, or confirm that the user is present based on the image (as outlined for the rejection of claims 1 and 10).

Regarding claim 17, it corresponds to claims 10 and 15, wherein the user registers a plurality of authentication devices, such that any one of the registered authentication devices can authenticate the user at different times, the particular (second) authentication device used to authenticate the user at any one time beeing 

	Regarding claims 18-20, the rejection of claim 17 under 35 U.S.C 103 is incorporated herein. In addition. Koutenaei in view of Zagarese  discloses:
	(18) The determining the plurality of devices comprises: accessing a contact list associated with the first device; and identifying the plurality of devices within the wireless communication range of the first device based on the contact list (as outlined for the rejection o claim 17 and the (common part of the) rejection of claims 3 and 15).
	(19) The determining the plurality of devices comprises: accessing a social connection between the first device and the plurality of devices based on a device interaction between the first device and the plurality of devices; and identifying the plurality of devices within the wireless communication range of the first device based on the contact list (The list of registered authentication devices used in the past to authenticate the user at the first device is used to identify and select a second authentication device for current user authentication session (as outlined for the rejection of claims 17, 3 and 15).
(20) prior to communicating the identification request, the operations further comprise:determining an account of the user based on the access request; and accessing the user image from the account (Zagarese: The (personal) data and the identification photograph (from an identification document) is stored at the digital identity .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Jain et al. US 2020/0120094 A1
Kamal et al. US 2019/0197815 A1
Tussy US 2018/0181737 A1
Johansson et al. US 9166961 B1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ADRIAN STOICA/Examiner, Art Unit 2494                                                                                                                                                                                                        

/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        3-10-2021