Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Observation
	It is noted that claims 6, 7, 9, 18, 19, and 21 use the term “where” instead of “wherein” while not unacceptable outright, based on standard presentation and its intermittent use in the claims of the Present Application Examiner observes that it may be an unintended typographical error.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 5, 12, 17, and 24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 5 and 17 recites the limitation "the respective cryptographic public key" without establishing antecedent basis for the limitation.  
Claims 12 and 24 recites the limitation "the define-prefix" without establishing antecedent basis for the limitation.  
Claims 1-7, 9-10, 13-19, 21-22, and 25 lack novelty under PCT Article 33(2) as being anticipated by US 2003/0182551 A1 to Frantz et al. (hereinafter Frantz).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-7, 9-10, 13-19, 21-22, and 25 is/are rejected under 35 U.S.C. 102(a)(2) as being antedated by United States Patent Application Publication No.: US 2003/0182551 A1 (Frantz et al.).

As Per Claim 1: Frantz et al. teaches: A system comprising:

- a local challenge generator of a client apparatus to generate a challenge on a client device using a derivation function;
	(Frantz et al., Paragraph [0017], “The server 104 and/or the client 12 also may have a single sign-on service (SSS) module 118 to facilitate multiple network sign-on authentications via a single sign-on routine by the client 102. A remote server, such as the directory server 28, also may have the SSS module 118 or another suitable single sign-on service module. The SSS module 118 may embody a Java applet, VBScript, or any other suitable executable format. As illustrated in FIG. 2, and discussed in further detail below, the SSS module 118 may comprise a variety of modules to facilitate a IF single sign-on for multiple devices or services. For example, the SSS module 118 comprises a data retention module 136, the data access module 138, an auto interaction module 140, and a data exchange module 142. The data retention and access modules 136 and 138 are provided for locally storing and accessing client credentials and other authentication data derived from a first authentication routine. For example, the data retention module 136 may store client credentials in Web browser cache, on a floppy disk, on the hard drive, in RAM, or in any suitable storage location, or in the data memory area of an applet running inside the web browser. The auto interaction module 140 is provided for interacting with a client authentication system or challenge, such as the authentication challenge 114. For example, the auto interaction module 140 may notify the SSS module 118 of its presence and identify whether the requisite authentication data is stored by the SSS module 118. The data exchange module 142 is provided for exchanging authentication data obtained or needed by the authentication system or challenge, such as the authentication challenge 114. For example, the data exchange module 142 may provide the client credentials 120 automatically to the client authentication system or challenge at the client-side.”).

- an authentication engine of the client apparatus to generate a challenge response as defined by a specified challenge-response protocol;
	(Frantz et al., Paragraph [0019], “The authentication challenge 114 and client credentials 120 are then passed to a response computation module 122, which generates an authentication response 124 based on the authentication challenge 114 and client credentials 120. For example, the response computation module 122 may transform the authentication challenge 114 (e.g., a random number of B bits) with the client credentials 120. Any suitable algorithm, such as an MD5 or SHA1 hash, may be used for the foregoing transformation performed by the response computation module 122. Again, if the SSS module 118 is already running and the client 102 previously entered the client credentials 120, then the SSS module 118 automatically passes the client credentials 120 to the response computation module 122 for transformation of the authentication challenge 114. In either case, the system 100 then transmits the authentication response 124 to the server 104 for validation.”).

- the authentication engine to transmit the challenge response to a server, and the server to validate the challenge response, at least in part, by determining whether the challenge was generated within a specified time window. 
	(Frantz et al., Paragraph [0016], “The server 104 processes the service request 110 by initializing a client authentication module 112, which generates an authentication challenge 114 to the service request 110 and transmits the challenge 114 to the client computer 12. For example, the client authentication module 112 may comprise a random number module 116, which obtains or generates a unique, non-predictable, and non-repeating number for generating the authentication challenge 114. Accordingly, the authentication challenge 114 may embody a random number with a length of B bits, such as 128 to 512 bits. For additional security, the system 100 also may control the timing of the authentication challenges 114. For example, the server 104 may limit the number N of authentication challenges 114 to a given client 102 over a period of time T1 (e.g., five authentication challenges 114 over a 300 second time interval). The server 104 also may invalidate the authentication challenges 114 after a period of time T2, such as 60 seconds.”).
	(Frantz et al., Paragraph [0019], “The authentication challenge 114 and client credentials 120 are then passed to a response computation module 122, which generates an authentication response 124 based on the authentication challenge 114 and client credentials 120. For example, the response computation module 122 may transform the authentication challenge 114 (e.g., a random number of B bits) with the client credentials 120. Any suitable algorithm, such as an MD5 or SHA1 hash, may be used for the foregoing transformation performed by the response computation module 122. Again, if the SSS module 118 is already running and the client 102 previously entered the client credentials 120, then the SSS module 118 automatically passes the client credentials 120 to the response computation module 122 for transformation of the authentication challenge 114. In either case, the system 100 then transmits the authentication response 124 to the server 104 for validation.”).
	(Frantz et al., Paragraph [0020], “The server 104 evaluates the authentication response 124 by performing the same transformation as described above. Accordingly, the server 104 has a response computation module 126 and a copy of the client credentials 120 (e.g., within a set of client credentials 128) for independent transformation of the authentication challenge 114 transmitted to the client computer 12 in response to the service request 110. Accordingly, the present technique avoids transmitting the client credentials 120 across the network 14, thereby improving security and reducing the need for data encryption. The present technique also may utilize another remote server, such as the directory server 28, to facilitate the authentication process. For example, the system 100 may use the directory server 28 to retain the client credentials 102 along with a plurality of other client credentials. Moreover, the directory server 28 may comprise the single sign-on service (SSS) module 118 and the response computation module 126. In any case, the system 100 evaluates the authentication response 124 independently from the client computer 12 by transforming the authentication challenge 114 with the appropriate one (i.e., the client credentials 120) of the set of client credentials 128.”).

As Per Claim 2: The rejection of claim 1 is incorporated and further Frantz et al. teaches:
- the authentication engine is to generate the challenge response by generating a cryptographic signature over the challenge with a private key and wherein the server is to validate the challenge response using a corresponding public key, the server to reject any response with an invalid cryptographic signature. 
	(Frantz et al., Paragraph [0026], “In either case, the process 200 then proceeds to compute the response for authentication by transforming the authentication challenge using the client credentials at the client side (block 218). As described above, the process 200 may use any suitable transformation algorithm, such as an MD5 or SHA1 hash. The process 200 also may use both the client credentials and an authentication token/key (e.g., public and private keys, a smart card, etc.) to increase the security for the foregoing transformation. The process 200 then transmits the response computed at the client side to the server for evaluation (block 220). At the server side, the process 200 computes an answer for authentication by transforming the same authentication challenge transmitted to the client using the same client credentials stored at the server side (block 222). Again, the process 200 may use both the client credentials and a suitable authentication token to increase the security of the foregoing transformation. The process 200 then proceeds to grant or deny the authentication request from the client by comparing the response generated at the client side against the answer generated at the server side (block 224). It should be noted that the server will transmit some unpredictable data to seed the calculated response in order to avoid replaying a response to gain access to other devices, or the same device, at a future point in time. As described above, the process 200 may identify the appropriate client credentials at the server side by retrieving the client's identity from the client side. Alternatively, if a relatively low number of client credentials are stored at the server side, then the process 200 may proceed to transform the authentication challenge using each of the server side client credentials until a match is found with the response from the client side. If the response is identical to the answer, then the process 200 authenticates the client (block 226). Otherwise, the process 200 rejects the client's authentication request (block 228).”).

As Per Claim 3: The rejection of claim 1 is incorporated and further Frantz et al. teaches:
- the challenge is generated using a key derivation function comprising a defined-prefix and dynamic-input-data as inputs, wherein the server knows or is configured to reproduce the defined-prefix and dynamic-input-data inputs. 
	(Frantz et al., Paragraph [0026], “In either case, the process 200 then proceeds to compute the response for authentication by transforming the authentication challenge using the client credentials at the client side (block 218). As described above, the process 200 may use any suitable transformation algorithm, such as an MD5 or SHA1 hash. The process 200 also may use both the client credentials and an authentication token/key (e.g., public and private keys, a smart card, etc.) to increase the security for the foregoing transformation. The process 200 then transmits the response computed at the client side to the server for evaluation (block 220). At the server side, the process 200 computes an answer for authentication by transforming the same authentication challenge transmitted to the client using the same client credentials stored at the server side (block 222). Again, the process 200 may use both the client credentials and a suitable authentication token to increase the security of the foregoing transformation. The process 200 then proceeds to grant or deny the authentication request from the client by comparing the response generated at the client side against the answer generated at the server side (block 224). It should be noted that the server will transmit some unpredictable data to seed the calculated response in order to avoid replaying a response to gain access to other devices, or the same device, at a future point in time. As described above, the process 200 may identify the appropriate client credentials at the server side by retrieving the client's identity from the client side. Alternatively, if a relatively low number of client credentials are stored at the server side, then the process 200 may proceed to transform the authentication challenge using each of the server side client credentials until a match is found with the response from the client side. If the response is identical to the answer, then the process 200 authenticates the client (block 226). Otherwise, the process 200 rejects the client's authentication request (block 228).”).


As Per Claim 4: The rejection of claim 3 is incorporated and further Frantz et al. teaches:
- the dynamic-input-data comprises a time usable by the server to determine whether the challenge was generated within the specified time window. 
	(Frantz et al., Paragraph [0016], “The server 104 processes the service request 110 by initializing a client authentication module 112, which generates an authentication challenge 114 to the service request 110 and transmits the challenge 114 to the client computer 12. For example, the client authentication module 112 may comprise a random number module 116, which obtains or generates a unique, non-predictable, and non-repeating number for generating the authentication challenge 114. Accordingly, the authentication challenge 114 may embody a random number with a length of B bits, such as 128 to 512 bits. For additional security, the system 100 also may control the timing of the authentication challenges 114. For example, the server 104 may limit the number N of authentication challenges 114 to a given client 102 over a period of time T1 (e.g., five authentication challenges 114 over a 300 second time interval). The server 104 also may invalidate the authentication challenges 114 after a period of time T2, such as 60 seconds.”).
	(Frantz et al., Paragraph [0026], “In either case, the process 200 then proceeds to compute the response for authentication by transforming the authentication challenge using the client credentials at the client side (block 218). As described above, the process 200 may use any suitable transformation algorithm, such as an MD5 or SHA1 hash. The process 200 also may use both the client credentials and an authentication token/key (e.g., public and private keys, a smart card, etc.) to increase the security for the foregoing transformation. The process 200 then transmits the response computed at the client side to the server for evaluation (block 220). At the server side, the process 200 computes an answer for authentication by transforming the same authentication challenge transmitted to the client using the same client credentials stored at the server side (block 222). Again, the process 200 may use both the client credentials and a suitable authentication token to increase the security of the foregoing transformation. The process 200 then proceeds to grant or deny the authentication request from the client by comparing the response generated at the client side against the answer generated at the server side (block 224). It should be noted that the server will transmit some unpredictable data to seed the calculated response in order to avoid replaying a response to gain access to other devices, or the same device, at a future point in time. As described above, the process 200 may identify the appropriate client credentials at the server side by retrieving the client's identity from the client side. Alternatively, if a relatively low number of client credentials are stored at the server side, then the process 200 may proceed to transform the authentication challenge using each of the server side client credentials until a match is found with the response from the client side. If the response is identical to the answer, then the process 200 authenticates the client (block 226). Otherwise, the process 200 rejects the client's authentication request (block 228).”).

As Per Claim 5: The rejection of claim 4 is incorporated and further Frantz et al. teaches:
- the server is to retain all used challenges related to the respective cryptographic public key for a defined time in order to prevent replay attacks. 
	(Frantz et al., Paragraph [0016], “The server 104 processes the service request 110 by initializing a client authentication module 112, which generates an authentication challenge 114 to the service request 110 and transmits the challenge 114 to the client computer 12. For example, the client authentication module 112 may comprise a random number module 116, which obtains or generates a unique, non-predictable, and non-repeating number for generating the authentication challenge 114. Accordingly, the authentication challenge 114 may embody a random number with a length of B bits, such as 128 to 512 bits. For additional security, the system 100 also may control the timing of the authentication challenges 114. For example, the server 104 may limit the number N of authentication challenges 114 to a given client 102 over a period of time T1 (e.g., five authentication challenges 114 over a 300 second time interval). The server 104 also may invalidate the authentication challenges 114 after a period of time T2, such as 60 seconds.”).
	(Frantz et al., Paragraph [0025], “Accordingly, if the query 208 determines that the single sign-on service is already operating, then the process 200 interacts with the single sign-on service to obtain the client credentials previously entered by the client 102 (block 216). For example, the single sign-on service may embody a JavaScript or VBScript routine that retains and provides the client credentials for automatic responding to authentication challenges from multiple network devices and services. The present technique also may use any other Web-based, or browser-based, code or routines to facilitate the single sign-on service.”).

As Per Claim 6: The rejection of claim 4 is incorporated and further Frantz et al. teaches:
- dynamic-input-data comprises the current time as known to the client apparatus and wherein the server determines the dynamic-input-data to be acceptable if it is within an acceptance window. 
	(Frantz et al., Paragraph [0016], “The server 104 processes the service request 110 by initializing a client authentication module 112, which generates an authentication challenge 114 to the service request 110 and transmits the challenge 114 to the client computer 12. For example, the client authentication module 112 may comprise a random number module 116, which obtains or generates a unique, non-predictable, and non-repeating number for generating the authentication challenge 114. Accordingly, the authentication challenge 114 may embody a random number with a length of B bits, such as 128 to 512 bits. For additional security, the system 100 also may control the timing of the authentication challenges 114. For example, the server 104 may limit the number N of authentication challenges 114 to a given client 102 over a period of time T1 (e.g., five authentication challenges 114 over a 300 second time interval). The server 104 also may invalidate the authentication challenges 114 after a period of time T2, such as 60 seconds.”).
	(Frantz et al., Paragraph [0026], “In either case, the process 200 then proceeds to compute the response for authentication by transforming the authentication challenge using the client credentials at the client side (block 218). As described above, the process 200 may use any suitable transformation algorithm, such as an MD5 or SHA1 hash. The process 200 also may use both the client credentials and an authentication token/key (e.g., public and private keys, a smart card, etc.) to increase the security for the foregoing transformation. The process 200 then transmits the response computed at the client side to the server for evaluation (block 220). At the server side, the process 200 computes an answer for authentication by transforming the same authentication challenge transmitted to the client using the same client credentials stored at the server side (block 222). Again, the process 200 may use both the client credentials and a suitable authentication token to increase the security of the foregoing transformation. The process 200 then proceeds to grant or deny the authentication request from the client by comparing the response generated at the client side against the answer generated at the server side (block 224). It should be noted that the server will transmit some unpredictable data to seed the calculated response in order to avoid replaying a response to gain access to other devices, or the same device, at a future point in time. As described above, the process 200 may identify the appropriate client credentials at the server side by retrieving the client's identity from the client side. Alternatively, if a relatively low number of client credentials are stored at the server side, then the process 200 may proceed to transform the authentication challenge using each of the server side client credentials until a match is found with the response from the client side. If the response is identical to the answer, then the process 200 authenticates the client (block 226). Otherwise, the process 200 rejects the client's authentication request (block 228).”).

As Per Claim 7: The rejection of claim 3 is incorporated and further Frantz et al. teaches:
- dynamic-input-data comprises data exchanged previously between the client apparatus and server. 
	(Frantz et al., Paragraph [0017], “The server 104 and/or the client 12 also may have a single sign-on service (SSS) module 118 to facilitate multiple network sign-on authentications via a single sign-on routine by the client 102. A remote server, such as the directory server 28, also may have the SSS module 118 or another suitable single sign-on service module. The SSS module 118 may embody a Java applet, VBScript, or any other suitable executable format. As illustrated in FIG. 2, and discussed in further detail below, the SSS module 118 may comprise a variety of modules to facilitate a IF single sign-on for multiple devices or services. For example, the SSS module 118 comprises a data retention module 136, the data access module 138, an auto interaction module 140, and a data exchange module 142. The data retention and access modules 136 and 138 are provided for locally storing and accessing client credentials and other authentication data derived from a first authentication routine. For example, the data retention module 136 may store client credentials in Web browser cache, on a floppy disk, on the hard drive, in RAM, or in any suitable storage location, or in the data memory area of an applet running inside the web browser. The auto interaction module 140 is provided for interacting with a client authentication system or challenge, such as the authentication challenge 114. For example, the auto interaction module 140 may notify the SSS module 118 of its presence and identify whether the requisite authentication data is stored by the SSS module 118. The data exchange module 142 is provided for exchanging authentication data obtained or needed by the authentication system or challenge, such as the authentication challenge 114. For example, the data exchange module 142 may provide the client credentials 120 automatically to the client authentication system or challenge at the client-side.”).

As Per Claim 9: The rejection of claim 1 is incorporated and further Frantz et al. teaches:
- the derivation function comprises the Argon2 key derivation function or the pbkdf2 key derivation function. 
	(Frantz et al., Paragraph [0019], “The authentication challenge 114 and client credentials 120 are then passed to a response computation module 122, which generates an authentication response 124 based on the authentication challenge 114 and client credentials 120. For example, the response computation module 122 may transform the authentication challenge 114 (e.g., a random number of B bits) with the client credentials 120. Any suitable algorithm, such as an MD5 or SHA1 hash, may be used for the foregoing transformation performed by the response computation module 122. Again, if the SSS module 118 is already running and the client 102 previously entered the client credentials 120, then the SSS module 118 automatically passes the client credentials 120 to the response computation module 122 for transformation of the authentication challenge 114. In either case, the system 100 then transmits the authentication response 124 to the server 104 for validation.”).

As Per Claim 10: The rejection of claim 1 is incorporated and further Frantz et al. teaches:
- the derivation function comprises a hash function. 
	(Frantz et al., Paragraph [0019], “The authentication challenge 114 and client credentials 120 are then passed to a response computation module 122, which generates an authentication response 124 based on the authentication challenge 114 and client credentials 120. For example, the response computation module 122 may transform the authentication challenge 114 (e.g., a random number of B bits) with the client credentials 120. Any suitable algorithm, such as an MD5 or SHA1 hash, may be used for the foregoing transformation performed by the response computation module 122. Again, if the SSS module 118 is already running and the client 102 previously entered the client credentials 120, then the SSS module 118 automatically passes the client credentials 120 to the response computation module 122 for transformation of the authentication challenge 114. In either case, the system 100 then transmits the authentication response 124 to the server 104 for validation.”).

As Per Claims 13-19 and 21-22: Claims 13-19 and 21-22 are substantially a restatement of the system of claims 1-7 and 9-10 as a machine-readable medium and are rejected under substantially the same reasoning.

As Per Claim 25: Claim 25 is substantially a restatement of the system of claim 1 as a method and is rejected under substantially the same reasoning.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 8 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2003/0182551 A1 (Frantz et al.) in view of United States Patent Application Publication No.: US 2013/0080769 A1 (Cha et al.) .

As Per Claim 8: The rejection of claim 7 is incorporated and further Frantz et al. does not explicitly teach the following limitation however Cha et al. in analogous art does teach the following limitation:
- the data exchanged previously comprises data exchanged to establish a transport layer security (TLS) session between the client apparatus and the server. 
	(Cha et al., Paragraph [0088], “According to an example embodiment, a binding of the secure channel 608 to the challenge-response authentication 618-630 may be established. For example, the UE 602 may, after having received the authentication challenge 620 (e.g., the inner_auth_challenge), apply a digest algorithm H (e.g., an HMAC algorithm) with a TLS_key extracted from the TLS channel at 608 to obtain a modified challenge*. This may be represented as H(TLS_key, inner_auth_challenge)->challenge*, for example. An example embodiment of a key extraction method for TLS is illustrated, by the IETF, in RFC document 5705. The UE 608 may calculate the response to the challenge posed by BSF 604 at 622, and concurrently calculate a binding response Bres using the same, or similar algorighm. This may be represented as AKA-RESPONSE (inner_auth_challenge)->response; AKA-RESPONSE (challenge*, IK)->Bres, for example. The UE may send both the response and Bres back to BSF 604 at 624.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Cha et al. into the method of Frantz et al. as an obvious interchangeable variation enhancing the security of operation in Frantz et al. method.

As Per Claim 20: The rejection of claim 19 is incorporated and further claim 20 is substantially a restatement of the system of claim 8 as a machine-readable medium and is rejected under substantially the same reasoning.

Claims 11-12 and 23-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2003/0182551 A1 (Frantz et al.) in view of United States Patent Application Publication No.: US 2018/0075231 A1 (SUBRAMANIAN et al.) .

As Per Claim 11: The rejection of claim 1 is incorporated and further Frantz et al. does not explicitly teach the following limitation however SUBRAMANIAN et al. in analogous art does teach the following limitation:
- the challenge response protocol comprises a Fast Identify Online (FIDO) registration/makeCredential operation, a FIDO authentication/getAssertion operation, the SafetyNet protocol, or the Android Protected Confirmation protocol. 
	(SUBRAMANIAN et al., Paragraph [0065], “One embodiment provides adaptive authentication and MFA. Generally, passwords and challenge questions have been seen as inadequate and susceptible to common attacks such as phishing. Most business entities today are looking at some form of MFA to reduce risk. To be successfully deployed, however, solutions need to be easily provisioned, maintained, and understood by the end user, as end users usually resist anything that interferes with their digital experience. Companies are looking for ways to securely incorporate bring your own device ("BYOD"), social identities, remote users, customers, and contractors, while making MFA an almost transparent component of a seamless user access experience. Within an MFA deployment, industry standards such as OAuth and OpenID Connect are essential to ensure integration of existing multifactor solutions and the incorporation of newer, adaptive authentication technology. Accordingly, embodiments define dynamic (or adaptive) authentication as the evaluation of available information (i.e., IP address, location, time of day, and biometrics) to prove an identity after a user session has been initiated. With the appropriate standards (e.g., open authentication ("OATH") and fast identity online ("FIDO")) integration and extensible identity management framework, embodiments provide MFA solutions that can be adopted, upgraded, and integrated easily within an IT organization as part of an end-to-end secure IAM deployment. When considering MFA and adaptive policies, organizations must implement consistent policies across on-premise and cloud resources, which in a hybrid IDCS and on-premise IAM environment requires integration between systems.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of SUBRAMANIAN et al. into the method of Frantz et al. as the use of standard challenge response authentication techniques would be an obvious interchangeable variation.

As Per Claim 12: The rejection of claim 11 is incorporated and further Frantz et al. does not explicitly teach the following limitation however SUBRAMANIAN et al. in analogous art does teach the following limitation:
- the define-prefix includes a FIDO AppID or Rpld. 
	(SUBRAMANIAN et al., Paragraph [0065], “One embodiment provides adaptive authentication and MFA. Generally, passwords and challenge questions have been seen as inadequate and susceptible to common attacks such as phishing. Most business entities today are looking at some form of MFA to reduce risk. To be successfully deployed, however, solutions need to be easily provisioned, maintained, and understood by the end user, as end users usually resist anything that interferes with their digital experience. Companies are looking for ways to securely incorporate bring your own device ("BYOD"), social identities, remote users, customers, and contractors, while making MFA an almost transparent component of a seamless user access experience. Within an MFA deployment, industry standards such as OAuth and OpenID Connect are essential to ensure integration of existing multifactor solutions and the incorporation of newer, adaptive authentication technology. Accordingly, embodiments define dynamic (or adaptive) authentication as the evaluation of available information (i.e., IP address, location, time of day, and biometrics) to prove an identity after a user session has been initiated. With the appropriate standards (e.g., open authentication ("OATH") and fast identity online ("FIDO")) integration and extensible identity management framework, embodiments provide MFA solutions that can be adopted, upgraded, and integrated easily within an IT organization as part of an end-to-end secure IAM deployment. When considering MFA and adaptive policies, organizations must implement consistent policies across on-premise and cloud resources, which in a hybrid IDCS and on-premise IAM environment requires integration between systems.”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of SUBRAMANIAN et al. into the method of Frantz et al. as the use of standard challenge response authentication techniques would be an obvious interchangeable variation.

As Per Claim 23: The rejection of claim 13 is incorporated and further claim 23 is substantially a restatement of the system of claim 11 as a machine-readable medium and is rejected under substantially the same reasoning.

As Per Claim 24: The rejection of claim 23 is incorporated and further claim 24 is substantially a restatement of the system of claim 12 as a machine-readable medium and is rejected under substantially the same reasoning.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170.  The examiner can normally be reached on 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BENJAMIN A KAPLAN/Examiner, Art Unit 2434