DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This initial written action is responding to the communication dated on 12/17/2019.
Claims 1-19 are submitted for examination. Claims 20-27 are canceled.
Claims 1-19 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Priority
This application filed on December 17, 2019 claims priority from a continuing application 15/126, 434 field on September 15, 2016 which claims priority of Australian application AU2014900894 filed on March 03, 2014, 371 application PCT AU2015/000149 filed on March 16, 2015.

Drawings
The drawings are objected to under 37 CFR 1.83(a) because they fail to show details for Figure 1 and Figure 4 as described in the specification.  Any structural detail that is essential for a proper understanding of the disclosed invention should be shown 
Claim Objections
Claims 1, 5, 9, 11 and 16 are objected to because of the following informalities:  Claims lacks proper punctuation(s) to define preamble properly.    For example Claim 1 requires a semicolon after claim recitation, “…the method comprising”, Appropriate correction is required.
Claim 8 recites a limitation, “Communication for a subsequent session is enabled only if there is a match between this server stored public key and the public key on the client matched to that user (user ID..”. Examiner suggests replacing “if” with “when” or in response to”.  There is a full stop in the middle of the claim. Examiner suggest replacing the full stop with a semi colon. Please refer to mpep 608.01( m ) and 37 CFR 1.75( i ) for the proper form for claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 5, 9. 11 and 16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites maintaining a continuous authentication for a user of a client device. The password is not stored on the server and a password unique to the user and client side application. The passcode is renewed at least one time for a session. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the limitation of utilizing an unbroken chain of one-time passcodes, each pass code in the chain being unique to the username and client side application, each pass code renewed at least once during each said session covers remembering and creating a unique phrase each time a conversation happens between a human being and other system in the mind but for the recitation of generic computer components. For example a person can remember “apple1” as a unique pass code and every time the pass code requires a refresh incrementing a number so the next time pass code will be “apple2”.  Thus these claim limitations falls under the mental process. Accordingly, the claim recites an abstract idea. 
i.e., as a generic processor performing a generic computer function of storing information) such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea. 
The claims does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of session initiated between a client side application residing on a client side platform and a server, and where in the password is not stored on the server amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible. The US Patent Publication (US 2014/0316984) by Schwartz discloses in paragraph 35, that, it is well known to authenticate a user as a continuous authentication. Turgeman. (US PGPUB. # 
The dependent claims 2-4, 6-8, 10, 12-15 and 17-19do not represent significantly more and are too directed to non-statutory subject matter.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 3, 5-9, 11, 16 and 18 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 4-5, 8 and 15 of U.S. Patent No.10,541815. Although the claims at issue are not identical, they are not patentably distinct from each other. 

 
Instant Application 16/717,878
 
US PAT. # US 10,541815 (App. # 15/126434) 
 
 
 PERSISTENT AUTHENTICATION SYSTEM INCORPORATING ONE TIME PASS CODES
 
 PERSISTENT AUTHENTICATION SYSTEM INCORPORATING ONE TIME PASS CODES
 
 
 
 
 
 
1
A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server; and wherein the password is not stored on the server; the method comprising utilising an unbroken chain of one-time pass codes; each pass code in the chain being unique to the username and client side application; each pass code renewed at least once during each said session.
1
A method of maintaining ongoing authentication between a server and a user of a client side application residing on a client side platform, the method comprising the following steps: step a: connecting, by the client side platform, to the server that is known to use persistent one time pass codes; step b: establishing, by the client side platform and the sever, a current secure session using a secure socket layer (SSL) or a transport layer security (TLS); step c: retrieving, by the client side platform, a current key pair that was generated in a previous session and a unique user ID associated with the user; step d: providing, by the client side platform, the unique user ID and a current client public key of the current key pair to the server; step e: retrieving, by the server, a previously stored client public key by searching a user database using the unique user ID; 
 
 

1
step f: comparing, by the server, the retrieved previously stored client public key with the current client public key received from the client, wherein authentication is enabled between the client side platform and the server when the retrieved previously stored client public key and the current client public key match for the current secure session; step g: requesting, by the server, that the client side platform or the server generate a next key pair; step h: generating, by the client side platform or the server, the next key pair that is securely stored at the client for use in a next session, wherein a corresponding client side private key is not stored on the server; step i: sharing, between the client side platform and the server, a next client public key of the next key pair for use in the next session; step j: storing, by the server, the next client public key in the user database in association with the unique user ID; step k: maintaining ongoing communication between the client and the server utilizing the current key pair and a server key pair until the current secure session is terminated or times out; step l: replacing, by the client side platform, the current key pair with the next key pair; and repeating the steps a through l for each next session to perpetuate a secure connection between the client side platform and the server over multiple and ongoing sessions without requiring the user to enter and re-enter a username and corresponding password for each session, whereby an unbroken chain of current client public keys are generated and maintained persistent until replaced by the next client public key. 
 
3
The method of claim 2 wherein the client side public key comprises a public key of a PKI key pair.
3
The method of claim 2 wherein the client side public key comprises a public key of a PKI key pair.
 
5
A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server, the method deriving a first and second item of data; said first item data comprising: "Something you have" which in a preferred form is the client side public key The second item of data comprising "Something you know".
1
A method of maintaining ongoing authentication between a server and a user of a client side application residing on a client side platform, the method comprising the following steps: step a: connecting, by the client side platform, to the server that is known to use persistent one time pass codes; step b: establishing, by the client side platform and the sever, a current secure session using a secure socket layer (SSL) or a transport layer security (TLS); step c: retrieving, by the client side platform, a current key pair that was generated in a previous session and a unique user ID associated with the user; step d: providing, by the client side platform, the unique user ID and a current client public key of the current key pair to the server; step e: retrieving, by the server, a previously stored client public key by searching a user database using the unique user ID; 
 
 

1
step f: comparing, by the server, the retrieved previously stored client public key with the current client public key received from the client, wherein authentication is enabled between the client side platform and the server when the retrieved previously stored client public key and the current client public key match for the current secure session; step g: requesting, by the server, that the client side platform or the server generate a next key pair; step h: generating, by the client side platform or the server, the next key pair that is securely stored at the client for use in a next session, wherein a corresponding client side private key is not stored on the server; step i: sharing, between the client side platform and the server, a next client public key of the next key pair for use in the 
 
6
 The method of claim 5 wherein said second item of data comprises a user PIN/password which is used to create a private key for any given session.
4
The method of claim 2, further comprising: requiring, by the client side platform, the user to enter a first and a second item of data, wherein said first item of data comprises "Something you have" which is a client side public key, and wherein said second item of data comprises "Something you know" which is a user PIN or password that is used to create a private key for any given session. 
 
7
The method of claim 6 wherein said second item of data comprises any form of personally identifiable information including but not limited to thumb prints or other biometrics which is used to create a private key for any given session.
5
The method of claim 4, wherein said second item of data comprises any form of personally identifiable information including thumb prints or other biometric data which is used to create a private key for any given session. 
 
8
The method of claim 6 or claim 7 wherein a new key pair is generated by the client and passed to the server for each session. Communication for a subsequent session is enabled only if there is a match between this server stored public key and the public key on the client matched to that user (user ID).
8
The method of claim 4, further comprising: generating a new key pair by the client side platform and passing the new key pair to the server for each session, wherein communication for a subsequent session is enabled only if there is a match between a server side public key and the client side public key matched to the user (user ID). 
 
9
A method of authentication of a user; said method comprising effecting an unbroken chain of one-time pass codes to characterise the user when using a client side application which communicates with a server.
1
A method of maintaining ongoing authentication between a server and a user of a client side application residing on a client side platform, the method comprising the following steps: step a: connecting, by the client side platform, to the server that is known to use persistent one time pass codes; step b: establishing, by the client side platform and the sever, a current secure session using a secure socket layer (SSL) or a transport layer security (TLS); step c: retrieving, by the client side platform, a current key pair that was generated in a previous session and a unique user ID associated with the user; step d: providing, by the client side platform, the unique user ID and a current client public key of the current key pair to the server; step e: retrieving, by the server, a previously stored 
 
 

1
step f: comparing, by the server, the retrieved previously stored client public key with the current client public key received from the client, wherein authentication is enabled between the client side platform and the server when the retrieved previously stored client public key and the current client public key match for the current secure session; step g: requesting, by the server, that the client side platform or the server generate a next key pair; step h: generating, by the client side platform or the server, the next key pair that is securely stored at the client for use in a next session, wherein a corresponding client side private key is not stored on the server; step i: sharing, between the client side platform and the server, a next client public key of the next key pair for use in the next session; step j: storing, by the server, the next client public key in the user database in association with the unique user ID; step k: maintaining ongoing communication between the client and the server utilizing the current key pair and a server key pair until the current secure session is terminated or times out; step l: replacing, by the client side platform, the current key pair with the next key pair; and repeating the steps a through l for each next session to perpetuate a secure connection between the client side platform and the server over multiple and ongoing sessions without requiring the user to enter and re-enter a username and corresponding password for each session, whereby an unbroken chain of current client public keys are generated and maintained persistent until replaced by the next client public key. 
 
11
A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server, said method comprising utilising a string of one time passcodes which are renewable and wherein renewal is effected by the passcodes being replaced at regular intervals.
1
A method of maintaining ongoing authentication between a server and a user of a client side application residing on a client side platform, the method comprising the following steps: step a: connecting, by the client side platform, to the server that is known to use persistent one time pass codes; step b: establishing, by the client side platform and the sever, a current secure session using a secure socket layer (SSL) or a transport layer security (TLS); step c: retrieving, by the client side platform, a current key pair that was generated in a previous session and a unique user ID associated with the user; step d: providing, by the client side platform, the unique user ID and a current client public key of the current key pair to the server; step e: retrieving, by the server, a previously stored 
 
 

1
step f: comparing, by the server, the retrieved previously stored client public key with the current client public key received from the client, wherein authentication is enabled between the client side platform and the server when the retrieved previously stored client public key and the current client public key match for the current secure session; step g: requesting, by the server, that the client side platform or the server generate a next key pair; step h: generating, by the client side platform or the server, the next key pair that is securely stored at the client for use in a next session, wherein a corresponding client side private key is not stored on the server; step i: sharing, between the client side platform and the server, a next client public key of the next key pair for use in the next session; step j: storing, by the server, the next client public key in the user database in association with the unique user ID; step k: maintaining ongoing communication between the client and the server utilizing the current key pair and a server key pair until the current secure session is terminated or times out; step l: replacing, by the client side platform, the current key pair with the next key pair; and repeating the steps a through l for each next session to perpetuate a secure connection between the client side platform and the server over multiple and ongoing sessions without requiring the user to enter and re-enter a username and corresponding password for each session, whereby an unbroken chain of current client public keys are generated and maintained persistent until replaced by the next client public key. 
 
16
A device including a processor in communication with a memory adapted to execute an application; said device maintaining ongoing authentication of a user of an application executable on the device without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform on the device and a remote server; and wherein the password is not stored on the server; the method comprising utilising an unbroken chain of one t :pe pass codes; each pass code in the chain being unique to the username and client side application; each pass code renewed at least once during each said session.
1
A method of maintaining ongoing authentication between a server and a user of a client side application residing on a client side platform, the method comprising the following steps: step a: connecting, by the client side platform, to the server that is known to use persistent one time pass codes; step b: establishing, by the client side platform and the sever, a current secure session using a secure socket layer (SSL) or a transport layer security (TLS); step c: retrieving, by the client side platform, a current key pair that was generated in a previous session and a unique user ID associated with the user; step d: providing, by the client side platform, the unique user ID and a current client public key of the current key pair to the server; step e: retrieving, by the server, a previously stored client public key by searching a user database using the unique user ID; 
 
 

1
step f: comparing, by the server, the retrieved previously stored client public key with the current client public key received from the client, wherein authentication is enabled between the client side platform and the server when the retrieved previously stored client public key and the current client public key match for the current secure session; step g: requesting, by the server, that the client side platform or the server generate a next key pair; step h: generating, by the client side platform or the server, the next key pair that is securely stored at the client for use in a next session, wherein a corresponding client side private key is not stored on the server; step i: sharing, between the client side platform and the server, a next client public key of the next key pair for use in the next session; step j: storing, by the server, the next client public key in the user database in association with the unique user ID; step k: maintaining ongoing communication between the client and the server utilizing the current key pair and a server key pair until the current secure session is terminated or times out; step l: replacing, by the client side platform, the current key pair with the next key pair; and repeating the steps a through l for each next session to perpetuate a secure connection between the client side platform and the server over multiple and ongoing sessions without requiring the user to enter and re-enter a username and corresponding password for each session, whereby an unbroken chain of current client public keys are generated and maintained persistent until replaced by the next client public key. 
 
18
The device of claim 17 wherein the client side public key comprises a public key of a PKI key pair.
15
The system of claim 14, wherein a client side public key comprises a public key of a PKI key pair.
 



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 5, and 11 recites the limitation, “A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server….”. Claim 16 recites the limitation, “…said device maintaining ongoing authentication of a user of an application executable on the device without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform on the device and a remote server…” There is insufficient antecedent basis for this limitation in the claims.
Claim 13 recites the limitations, “The method of claim 11 wherein a key pair includes a private key which is stored locally on the client device and a public key…”, “…the server which then links a stored reference to the unique user ID of the person currently using the client with a stored copy of the clients public key..”. There is insufficient antecedent basis for this limitations in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5, 9, 11-12, 16 are rejected under 35 U.S.C. 103 as being unpatentable over W. Daniel Hillis (US PGPUB. # US 2014/0359744, hereinafter "Hillis"), and further in view of Ting et al. (US PGPUB. # US 2012/0204245, hereinafter “Ting”).

Regarding Claim 1, Hillis teaches,
A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server (Abstract, ¶18); [and wherein the password is not stored on the server]; the method comprising utilising an unbroken chain of one-time pass codes (¶17, ¶18, “the cached knowledge factor may be retrieved from the memory by the authentication system, in response to any other authentication requests following the first authentication request and before the continuous user custody is broken”, i.e. indicate unbroken chain of one-time passcode); [each pass code in the chain being unique to the username and client side application; each pass code renewed at least once during each said session].
Hillis does not teach explicitly,
[A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server] ; and wherein the password is not stored on the server; [the method comprising utilising an unbroken chain of one-time pass codes]; each pass code in the chain being unique to the username and client side application; each pass code renewed at least once during each said session.
However, Ting teaches,
[A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server] ; and wherein the password is not stored on the server (¶39,”At the client 115, the OTP may be deleted from card 105 (via reader 113) and from user profile 137”, ¶47-¶48, i.e. tokens (passwords) are stored in the client and not on the server); [the method comprising utilising an unbroken chain of one-time pass codes]; each pass code in the chain being unique to the username and client side application (¶44, “SSO agent 145 uses the OTP extracted from the card 105 to automate local log-on to secure applications and/or remote log-on to one or more VPN/SSL applications. As the user clicks on an application and is challenged for log-on credentials, SSO agent 145 inserts the next dynamic password into the form and submits the form”, i.e. Examiner submits that otps are unique to the username and client side applications); each pass code renewed at least once during each said session (¶47-¶48).
Hillis and Ting are considered to be analogous art as they both pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique 
	The motivation/suggestion for doing so would be to provide a system having the security of OTP-based authentication and the convenience of SSO applications. (Ting - ¶7).

 Regarding Claim 9, it is also a method claim, therefore claim 9 is rejected with the same rationale applied as against claim 1 above.

Regarding Claim 11, it is also a method claim, therefor claim 11 is rejected with the same rationale applied as against claim 1 above.

Regarding Claim 16, it is a system claim of above method claim 1, therefor claim 16 is rejected with the same rationale applied as against claim 1 above.
Hillis further discloses, a processor (Fig. 6(602)) and a memory (Fig. 6(604)).

Regarding Claim 5, Hillis teaches,
A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server (Abstract, ¶18), the method deriving [a first] and second item of data (¶53, i.e. a passcode, a PIN or a security answer is derived second item); [said first item data comprising: 
"Something you have" which in a preferred form is the client side public key] 
The second item of data comprising "Something you know" (¶53, i.e. a passcode, a PIN or a security answer is known by the user).
Hillis does not teach explicitly,
the method deriving a first [and second] item of data;
said first item data comprising: 
"Something you have" which in a preferred form is the client side public key.
However Ting teaches,
the method deriving a first [and second] item of data (¶37, “the digital certificate written onto card 105 may be a private key generated by password manager 125 during enrollment, and which corresponds to a public key (also generated by password manager 125) maintained in identity store 160”, i.e. a private key and a public key are generated (derived)).
said first item data comprising: 
"Something you have" which in a preferred form is the client side public key (¶37, “the digital certificate written onto card 105 may be a private key generated by password manager 125 during enrollment, and which corresponds to a public key (also generated by password manager 125) maintained in identity store 160. If the keys match (i.e., if one key decrypts a message encrypted with the other key), the card is authenticated”, i.e. public is used to authenticate client side card indicate that public key is a client side – “something you have”).
Hillis and Ting are considered to be analogous art as they both pertain to provide user convenient secured authentication to access the system resources. Therefore it 
	The motivation/suggestion for doing so would be to provide a system having the security of OTP-based authentication and the convenience of SSO applications. (Ting - ¶7).

Regarding Claim 12, rejection of Claim 11 is included and for the same motivation Hillis does not teach explicitly,
The method of claim 11 wherein an interval comprises once per session connection.
However, Ting teaches,
The method of claim 11 wherein an interval comprises once per session connection (¶8, “users frequently gain remote access to a secure network via a VPN--i.e., a communication session, or "VPN tunnel," that occurs over the public telecommunication infrastructure but nonetheless provides security comparable to a dedicated physical connection to the secure network”, i.e. Examiner submits that each VPN session is an interval and the user has to provide authentication information each time disconnects and connects with the VPN server for secure connection).

Claims 2-4, 10 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over W. Daniel Hillis (US PGPUB. # US 2014/0359744, hereinafter "Hillis"), and further in view of Ting et al. (US PGPUB. # US 2012/0204245, hereinafter “Ting”), and further in view of Kirkup et al. (US PGPUB. # US 2008/0120504, hereinafter “Kirkup”).

Referring to Claims 2 and 17:
Regarding Claim 2 rejection of Claim 1 is included and combination of Hillis and Ting does not teach explicitly,
The method of claim 1 wherein the pass code comprises a client side public key which is maintained persistent on both the client side platform and the server until replaced by the next client side public key in the chain of pass codes.
However, Kirkup teaches,
The method of claim 1 wherein the pass code comprises a client side public key which is maintained persistent on both the client side platform and the server until replaced by the next client side public key in the chain of pass codes (¶25, “The client device 10 or 100 may provide the public key Kpub and the message authentication code to the server 40 prior to a specific request for authorization or certification in accordance with the method described below, with reference to FIG. 2. The public key Kpub and message authentication code are received by the authentication server 40; using techniques known in the art, at step 185 the message authentication code is verified by the authentication server 40, which was already provided with the shared secret PIN as described above. The authentication server 40 then stores Kpub at step 190 in association with an indicator corresponding to the user of the client device 10 or 100”, i.e. public key is maintained both on the client and server).
Hillis, Ting and Kirkup are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and use public/private key as passcode system of Kirkup.
	The motivation/suggestion for doing so would be to provide a system for authenticating a user that does not require the transmission of authentication data either in the clear or in a hashed form. (Kirkup - ¶6).

Regarding Claim 17 rejection of Claim 16 is included and Claim 17 is rejected with the same rationale as applied against Claim 2 above.

Referring to Claims 3 and 18:

Regarding Claim 3 rejection of claim 2 is included and for the same motivation combination of Hillis and Ting does not teach explicitly,
The method of claim 2 wherein the client side public key comprises a public key of a PKI key pair.
However, Kirkup teaches,
The method of claim 2 wherein the client side public key comprises a public key of a PKI key pair (Fig. 3(130), ¶23, “Once the user has chosen or been assigned a password P and the private/public key pair Kpriv, Kpub has been generated at the client device 10 or 100”, i.e. public key is a PKI key pair). 

Regarding Claim 18 rejection of Claim 17 is included and Claim 18 is rejected with the same rationale as applied against Claim 3 above.

Referring to Claims 4 and 19:

Regarding Claim 4 rejection of claim 3 is included and for the same motivation combination of Hillis and Ting does not teach explicitly,
The method of claim 3 wherein the corresponding client side private key is not shared with the server.
However Kirkup teaches,
The method of claim 3 wherein the corresponding client side private key is not shared with the server (Fig. 3(170), ¶24, i.e. private key is stored on Client and not shared with the server).

Regarding Claim 19 rejection of Claim 17 is included and Claim 19 is rejected with the same rationale as applied against Claim 4 above.

Regarding Claim 10 rejection of claim 9 is included and combination of Hillis and Ting does not teach explicitly,
The method of claim 9 wherein the one-time pass codes are the public key of the client generated key pair.
However, Kirkup teaches,
The method of claim 9 wherein the one-time pass codes are the public key of the client generated key pair (¶25, “The client device 10 or 100 may provide the public key Kpub and the message authentication code to the server 40 prior to a specific request for authorization or certification in accordance with the method described below, with reference to FIG. 2. The public key Kpub and message authentication code are received by the authentication server 40; using techniques known in the art, at step 185 the message authentication code is verified by the authentication server 40, which was already provided with the shared secret PIN as described above, i.e. Examiner submits that server authenticates client using a public key that was generated at the client indicates that public key is a one-time passcode).
Hillis, Ting and Kirkup are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and use public/private key as passcode system of Kirkup.
.

Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over W. Daniel Hillis (US PGPUB. # US 2014/0359744, hereinafter "Hillis"), and further in view of Ting et al. (US PGPUB. # US 2012/0204245, hereinafter “Ting”), and further in view of Plotkin et al. (US PGPUB. # US 2015/0195278, hereinafter “Plotkin”).

Regarding Claim 6 rejection of Claim 5 is included and combination of Hillis and Ting does not teach explicitly,
The method of claim 5 wherein said second item of data comprises a user PIN/password which is used to create a private key for any given session.
However, Plotkin teaches,
The method of claim 5 wherein said second item of data comprises a user PIN/password which is used to create a private key for any given session (¶21, “Upon receiving a connection request at server 110 from client 130, server 110 may send an authorization request to client 130 including a server identifier associated with server 110. The authorization request may be analogous to a conventional access credential request for a user ID/password. However, upon receiving the authorization request, client 130 may prompt user 132 to perform a biometric scan using a biometric device (not shown in FIG. 1, see FIG. 2) associated with client 130”, ¶22, “client 130 may generate a key pair consisting of public key 104 and private key 106 using the biometrically generated BLOB (i.e., the biometric scan) and the server identifier for server 110”, i.e. Examiner submits that biometric input is provided when a user is prompted for user id/password, indicates that biometric input is a password which creates an asymmetric key pairs) .
Hillis, Ting and Plotkin are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and use password to create an asymmetric key pairs system of Plotkin.
	The motivation/suggestion for doing so would be to provide an access credentials that minimize or eliminate private data management by users and are not subject to the security vulnerabilities associated with the retention of private user information. (Plotkin - ¶7).

Regarding Claim 7 rejection of Claim 6 is included and for the same motivation combination of Hillis and Ting does not teach explicitly,
The method of claim 6 wherein said second item of data comprises any form of personally identifiable information including but not limited to thumb prints or other biometrics which is used to create a private key for any given session.
However, Plotkin teaches,
The method of claim 6 wherein said second item of data comprises any form of personally identifiable information including but not limited to thumb prints or other biometrics which is used to create a private key for any given session (¶21, “The unique biometric scan may be obtained from a biometric device that scans a fingerprint, a palm print, a blood vessel pattern, an iris, and/or a facial pattern, as non-limiting examples of biometric indicators that may be used to generate the BLOB”, ¶22).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over W. Daniel Hillis (US PGPUB. # US 2014/0359744, hereinafter "Hillis"), and further in view of Ting et al. (US PGPUB. # US 2012/0204245, hereinafter “Ting”), and further in view of Plotkin et al. (US PGPUB. # US 2015/0195278, hereinafter “Plotkin”), and further in view of Cameron et al. (US PGPUB. # US 2006/0198517, hereinafter “Cameron”).

Regarding Claim 8 rejection of Claim 6 is included and combination of Hillis, Ting and Plotkin does not teach explicitly,
The method of claim 6 wherein a new key pair is generated by the client and passed to the server for each session. Communication for a subsequent session is enabled only if there is a match between this server stored public key and the public key on the client matched to that user (user ID).
However, Cameron teaches,
The method of claim 6 wherein a new key pair is generated by the client and passed to the server for each session (¶19, “Client 102 may present a recreated asymmetric public key when accessing Server 1 106 again to validate the client 102 to Server 1 106”, i.e. asymmetric keys are recreated indicates that keys are generated for each session), Communication for a subsequent session is enabled only if there is a match between this server stored public key and the public key on the client matched to that user (user ID)  (Fig. 6(604, 606), ¶58, “Since the client may have saved a corresponding asymmetric public key, the asymmetric public key may be compared to determine if the server has been previously accessed, ¶59).
Hillis, Ting, Plotkin and Cameron are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and use password to create an asymmetric key pairs system of Plotkin and match public key generated by a client for communication system of Cameron.
	The motivation/suggestion for doing so would be to secure, easy and convenient authentication to a user. 

Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over W. Daniel Hillis (US PGPUB. # US 2014/0359744, hereinafter "Hillis"), and further in view of Ting et al. (US PGPUB. # US 2012/0204245, hereinafter “Ting”), and further in view of Cameron et al. (US PGPUB. # US 2006/0198517, hereinafter “Cameron”), and further in view of Kirkup et al. (US PGPUB. # US 2008/0120504, hereinafter “Kirkup”).
Regarding Claim 13 rejection of claim 11 is included and combination of Hillis and Ting does not teach explicitly,
The method of claim 11 wherein a key pair includes a private key which is stored locally on the client device and a public key which is also stored locally and wherein the stored client public key is also shared with and transferred to the server which then links a stored reference to the unique user ID of the person currently using the client with a stored copy of the clients public key.
However, Cameron teaches,
The method of claim 11 wherein a key pair includes a private key which is stored locally on the client device and a public key which is also stored locally (¶18), and [wherein the stored client public key is also shared with and transferred to the server which then links a stored reference to the unique user ID of the person currently using the client with a stored copy of the clients public key].
Hillis, Ting and Cameron are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and match public key generated by a client for communication system of Cameron.
	The motivation/suggestion for doing so would be to secure, easy and convenient authentication to a user. 
	Combination of Hillis, Ting and Cameron does not teach explicitly,
wherein the stored client public key is also shared with and transferred to the server which then links a stored reference to the unique user ID of the person currently using the client with a stored copy of the clients public key
However, Kirkup teaches,
wherein the stored client public key is also shared with and transferred to the server which then links a stored reference to the unique user ID of the person currently using the client with a stored copy of the clients public key (¶25, “The authentication server 40 then stores Kpub at step 190 in association with an indicator corresponding to the user of the client device 10 or 100. The indicator may comprise a network address or e-mail address corresponding to the user of the client device 10 or 100, or another suitable indicator”).
Hillis, Ting, Cameron and Kirkup are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and match public key generated by a client for communication system of Cameron and use public/private key as passcode system of Kirkup.
	The motivation/suggestion for doing so would be to provide a system for authenticating a user that does not require the transmission of authentication data either in the clear or in a hashed form. (Kirkup - ¶6).

Regarding Claim 14 rejection of claim 13 is included and combination of Hillis and Ting does not teach explicitly,
 The method of claim 13 wherein during subsequent connections between the client and the server, the stored and shared client public key, the servers public key and the stored private key on the client are used as current client side public key pairs and an additional key pair is then generated and stored for the follow on session.
However, Cameron teaches,
The method of claim 13 wherein during subsequent connections between the client and the server, the stored and shared client public key, the servers public key and the stored private key on the client are used as current client side public key pairs (Fig. 6(604), ¶58) and an additional key pair is then generated and stored for the follow on session (Fig. 5(504), ¶55, ¶59, “This indicates that the client has previously accessed the server and stored and/or associated an asymmetric public key with the server. The system authenticated may be the server and/or the client”, indicates that asymmetric key pairs were generated for the next session).
Hillis, Ting and Cameron are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and match public key generated by a client for communication system of Cameron.


Regarding Claim 15 rejection of claim 14 is included and combination of Hillis, Ting and Cameron does not teach explicitly,
The method of claim 14 wherein the unique ID is captured or retrieved from the user or from storage on the client and then the stored client key pair that was stored during the previous session is retrieved using the current users unique user ID following which the users unique ID and the previously stored client public key are shared with the server.
However, Kirkup teaches,
The method of claim 14 wherein the unique ID is captured or retrieved from the user or from storage on the client and then the stored client key pair that was stored during the previous session is retrieved using the current users unique user ID following which the users unique ID and the previously stored client public key are shared with the server (¶25, “The authentication server 40 then stores Kpub at step 190 in association with an indicator corresponding to the user of the client device 10 or 100. The indicator may comprise a network address or e-mail address corresponding to the user of the client device 10 or 100, or another suitable indicator”, Fig. 2(240), ¶28, “at step 230 the digital signature is verified using the public key K.sub.pub available at the server 40 at step 240. If necessary, the server 40 may retrieve the public key Kpub from a memory store external to the server itself”, i.e. Examiner submits that server uses user indicator to retrieve previously stored public key for verification).
Hillis, Ting, Cameron and Kirkup are considered to be analogous art as they all pertain to provide user convenient secured authentication to access the system resources. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the continuous authentication mechanism of Hillis to include unique tokens for user and applications stored on the client system being renewed each session system of Ting and match public key generated by a client for communication system of Cameron and use public/private key as passcode system of Kirkup.
	The motivation/suggestion for doing so would be to provide a system for authenticating a user that does not require the transmission of authentication data either in the clear or in a hashed form. (Kirkup - ¶6).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Berkman et al. (US PGPUB. # US 2014/0282942) discloses, authentication based on the user's private factors, while not revealing at the server side information allowing the server (or anyone with the server's information) to deduce the private answers. In example implementations, the user answers a questionnaire with authentication factors, wherein the answers are transformed in a one-way fashion and 
Hwang (US PGPUB. # US 2006/0036857) discloses, user authentication based on linking between a randomly generated authentication secret and a personalized secret.
Du et al. (US PGPUB. # US 2015/0242605) discloses, continuous authentication with an authenticating entity. The mobile device may include a set of biometric and non-biometric sensors and a processor. The processor may be configured to receive sensor data from the set of sensors, form authentication information from the received sensor data, and continuously update the authentication information.
Lee et al. (US PGPUB. # US 2011/0231912) discloses, authenticating a mobile device using an access token. These mechanisms and methods for authenticating a mobile device using an access token can provide authentication in an automated manner. The ability to provide authentication in an automated manner can enable repeated access to data by a user without requiring an associated repetitive manual authentication by the user.
Smith et al. (US PGPUB. # US 2016/0127351) discloses, authenticating a user via multiple authentication factors include a computing device for generating a continuous authentication assertion indicating that continuous authentication of a user is being monitored, sending the continuous authentication assertion to a key distribution center server, and requesting and receiving an initial ticket from the key distribution center server. Such technologies may also include requesting a service ticket from the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 






/DARSHAN I DHRUV/Examiner, Art Unit 2498