DETAILED ACTION
This Office Action is in response to the application 16/204,350 filed on 11/29/2018.
Claims 1-20 are currently pending; claims 1, 9, and 17 are independent claims; claims 1-20 have been examined.  
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Action is made Non-FINAL.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claims 1-8 are directed to a system; however, the body of the claims do not explicitly recite any hardware embodiments. As recited in the body of the claims, the claimed system includes “an authentication portal,” “an authentication service,” and “an authentication application.”  The specification does not explicitly define the aforementioned elements are implemented only in hardware. One of ordinary skill in the art 
The nominal recitation of the machine/device in the preamble with an absence of a hardware element in the body of the claim fails to make the claim statutory under 35 USC 101.  See Ex parte McCanne (10/618,369), Ex parte Strauss (13/271,1431) and Am. Med. Sys., Inc v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010).  The Examiner respectfully suggests that the claim be further amended to positively recites at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned 

Claims 1 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Rathbun (US20130055362), filed August 22, 2011.
Regarding claim 1, Gomi discloses a system for facilitating secure access to an electronic portal comprising (Gomi, paragraph 0262, “Alice makes a purchase request for tour-related goods to service mediating apparatus 201 of the tour portal using terminal apparatus 203 (step S317).”);
an authentication portal configured to (Gomi, paragraph 0240, “Next, Alice sends a service access request for a tour reservation to service mediating apparatus 201 of the tour portal site (step S301).”);
receive an access request from a user device (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
(Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
transmit the authentication request to an authentication service (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
the authentication service configured to (Gomi, paragraph 0124, “Terminal apparatus 4 is provided with a communication function directly operated by a user for transmitting credential information requested by user authentication means 10 of authentication apparatus 1 to authenticate a user and using a service provided by service mediating apparatus 2.”).
Gomi does not explicitly disclose a transaction ID; receive the authentication request and generate and transmit a notification to an authentication application associated with the user device, wherein the notification is configured to prompt the user device for a simple passcode; the authentication application configured to: receive the notification and accept user input of the simple passcode; authenticate the user input of the simple passcode and upon successful authentication, grant access to the authentication portal.
However, in an analogous art, Rathbun discloses a transaction ID (Rathbun, paragraph 0020, “Web server 130 may transmit a log-in web page to computer terminal 120 for the user to access the web service/initiate the transaction via the website.  Web server 130 may request authentication server 140 to invoke mobile device 110, and request a wireless authentication, of the user, based on a non-secret unique identifier that is selected/entered via the log-in web page.  Web server 130 may generate and transmit an authentication request to authentication server 140 to authenticate the user before providing the access to the web service via the website.  Web server 130 may receive, from authentication server 140, an approval for the transaction [i.e. authentication request included the transaction ID] and an authentication response that indicates that the user has been successfully authenticated.”);
receive the authentication request and generate and transmit a notification to an authentication application associated with the user device, wherein the notification is configured to prompt the user device for a simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
the authentication application configured to: (Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information.”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”);
receive the notification and accept user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
authenticate the user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”; paragraph 0024, “Authentication server 140 may receive the authentication information (e.g., with/in a request to accept/approve or reject the selected authentication request) from mobile device 110, and authenticate the user based on the authentication information.”);
upon successful authentication, grant access to the authentication portal (Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the system/method of Gomi to include a transaction ID; receive the authentication request and generate and transmit a notification to an authentication application associated with the user device, wherein the notification is configured to prompt the user device for a simple passcode; the authentication application configured to: receive the notification and accept user input of the simple passcode; authenticate the user input of the simple passcode and upon successful authentication, grant access to the authentication portal.
One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
Regarding claim 9, Gomi discloses a computer implemented method for facilitating secure access to an electronic portal comprising (Gomi, paragraph 0262, “Alice makes a purchase request for tour-related goods to service mediating apparatus 201 of the tour portal using terminal apparatus 203 (step S317).”);
at an authentication portal (Gomi, paragraph 0240, “Next, Alice sends a service access request for a tour reservation to service mediating apparatus 201 of the tour portal site (step S301).”);
receiving an access request from a user device; generating an authentication request (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
transmitting the authentication request to an authentication service (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
at the authentication service (Gomi, paragraph 0124, “Terminal apparatus 4 is provided with a communication function directly operated by a user for transmitting credential information requested by user authentication means 10 of authentication apparatus 1 to authenticate a user and using a service provided by service mediating apparatus 2.”);
(Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
transmitting the notification to an authentication application (Gomi, paragraph 0124, “Terminal apparatus 4 is provided with a communication function directly operated by a user for transmitting credential information requested by user authentication means 10 of authentication apparatus 1 to authenticate a user and using a service provided by service mediating apparatus 2.”).
Gomi does not explicitly disclose including a transaction ID; generating a notification configured to prompt the user device for input of a simple passcode; at the authentication application:  receiving the notification and accepting user input of the simple passcode; authenticating the user input of the simple passcode and upon successful authentication, granting access to the authentication portal.
However, in an analogous art, Rathbun discloses including a transaction ID (Rathbun, paragraph 0020, “Web server 130 may transmit a log-in web page to computer terminal 120 for the user to access the web service/initiate the transaction via the website.  Web server 130 may request authentication server 140 to invoke mobile device 110, and request a wireless authentication, of the user, based on a non-secret unique identifier that is selected/entered via the log-in web page.  Web server 130 may generate and transmit an authentication request to authentication server 140 to authenticate the user before providing the access to the web service via the website.  Web server 130 may receive, from authentication server 140, an approval for the transaction [i.e. authentication request included the transaction ID] and an authentication response that indicates that the user has been successfully authenticated.”);
generating a notification configured to prompt the user device for input of a simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
at the authentication application (Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information.”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”);
receiving the notification and accepting user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
authenticating the user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a onetime passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”; paragraph 0024, “Authentication server 140 may receive the authentication information (e.g., with/in a request to accept/approve or reject the selected authentication request) from mobile device 110, and authenticate the user based on the authentication information.”);
(Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the method of Gomi including a transaction ID; generating a notification configured to prompt the user device for input of a simple passcode; at the authentication application:  receiving the notification and accepting user input of the simple passcode; authenticating the user input of the simple passcode and upon successful authentication, granting access to the authentication portal.
One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).

Claims 2, 3, 10, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Schneider (US20140250518), filed March 29, 2013.
Regarding claim 2, Gomi and Rathbun disclose the system of claim 1. 

However, in an analogous art, Schneider 518 discloses wherein the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider (US201402505180, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system. “).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schneider 518 with the system / method of Gomi and Rathbun to include wherein the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern.
(Schneider 518: paragraph 0032).
Regarding claim 3, Gomi, Rathbun, and Schneider 518 disclose the system of claim 2.  Schneider 518 discloses wherein the simple passcode comprises a plurality of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system.“).
Regarding claim 10, Gomi and Rathbun disclose the method of claim 9.
Gomi and Rathbun do not explicitly disclose One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
However, in an analogous art, Schneider 518 discloses wherein at the simple passcode comprises at least one of a personal identification number (PIN), biometric (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system. “).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schneider 518 with the system / method of Gomi and Rathbun to include wherein at the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern.
One would have been motivated to provide users with the benefits for providing graduated access to a user (Schneider 518: paragraph 0032).
Regarding claim 11, Gomi, Rathbun, and Schneider 518 disclose the method of claim 10.  Schneider 518 discloses wherein the simple passcode comprises a plurality of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system“).

Claims 4, 5, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Irwan (10104077), filed October 6, 2017.
Regarding claim 4, Gomi and Rathbun disclose the system of claim 1.
Rathbun discloses to the authentication application (Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information.”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”).
Gomi and Rathbun do not explicitly disclose wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID.
However, in an analogous art, Irwan discloses wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID  (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Irwan with the system / method of Gomi and Rathbun to include wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID.
One would have been motivated to provide users with the benefits for improvements in the field of data security and access control regulation (Irwan: col. 1, lines 6-16).
Regarding claim 5, Gomi, Rathbun, and Irwan discloses the system of claim 4.  Irwan discloses wherein the encrypted transaction ID is transmitted with the notification (Irwan, col. 13, line 62, through col. 14, line 10, “Once an application 310 or client device 161 has been authenticated, and an enterprise device 180 has been authenticated, an application 310 or client device 161 may access the enterprise device 180 directly, or access data from the enterprise device 180 that has been stored locally in the security gateway 170.  The data may be stored in a message queue 340, for example.  The data transfer instructions 440 may be message queue processing instructions 330, in an embodiment, or any other instructions that transfer data from the enterprise device 180 to the security gateway 170 for regulated distribution only to users, applications, and/or client devices that are authorized to access the data.”).

Regarding claim 12, Gomi and Rathbun disclose the method of claim 9.
(Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information [i.e., authentication application encompasses to provide the authentication information].”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”).
Gomi and Rathbun do not explicitly disclose further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID.
However, in an analogous art, Irwan discloses further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Irwan with the system / method of Gomi and Rathbun to include further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID.
One would have been motivated to provide users with the benefits for improvements in the field of data security and access control regulation (Irwan: col. 1, lines 6-16).

Regarding claim 13, Gomi, Rathbun, and Irwan disclose the method of claim 12.  Irwan discloses further comprising: transmitting the encrypted transaction ID (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”).  Rathbun discloses  with the notification (Rathbun, paragraph 0012, “The authentication server may prompt [i.e., notification] the user to provide authentication information (e.g., a password, a personal identification number (PIN), a onetime passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”).

Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Aabaye (US20150220917), filed February 4, 2015.
Regarding claim 6, Gomi and Rathbun disclose the system of claim 1.
Gomi and Rathbun do not explicitly disclose wherein the transaction ID comprises a hash token.
However, in an analogous art, Aabaye discloses wherein the transaction ID comprises a hash token (Aabaye, paragraph 0103, “At step 705, a token certificate is generated using the determined token access restrictions.  The token certificate may include a token identifier (e.g., a hash of the token), and other data defining the use of the token, such as an expiration date, a transaction context identifier, or other access restrictions.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Aabaye with the system / method of Gomi and Rathbun to include wherein the transaction ID comprises a hash token.
One would have been motivated to provide users with the benefits for improvements in efficiency and security in verifying tokens (Aabaye: paragraph 0002).
Regarding claim 14, Gomi and Rathbun disclose the method of claim 9.
Gomi and Rathbun do not explicitly disclose wherein the transaction ID comprises a hash token.
(Aabaye, paragraph 0103, “At step 705, a token certificate is generated using the determined token access restrictions.  The token certificate may include a token identifier (e.g., a hash of the token), and other data defining the use of the token, such as an expiration date, a transaction context identifier, or other access restrictions.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Aabaye with the system / method of Gomi and Rathbun to include wherein the transaction ID comprises a hash token.
One would have been motivated to provide users with the benefits for improvements in efficiency and security in verifying tokens (Aabaye: paragraph 0002).

Claims 7, 8, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Shastri (US20170118025), filed October 21, 2016.
Regarding claim 7, Gomi and Rathbun disclose the system of claim 1.
Gomi and Rathbun do not explicitly disclose wherein the authentication portal is further configured to: generate a first authentication image.
However, in an analogous art, Shastri discloses wherein the authentication portal (Shastri, paragraph 0116, authentication portal encompasses access management system 140) is further configured to: generate a first authentication image (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shastri with the system / method of Gomi and Rathbun to include wherein the authentication portal is further configured to: generate a first authentication image.
One would have been motivated to provide users with the benefits of multi-stage authentication (Shastri: paragraph 0002).
Regarding claim 8, Gomi, Rathbun, and Shastri disclose the system of claim 7.  Shastri discloses wherein the authentication application is further configured to: scan and recognize the first authentication image generated by the authentication portal (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).

Regarding claim 15. Gomi and Rathbun disclose the method of claim 9.
Gomi and Rathbun do not explicitly disclose further comprising: at the authentication portal, generating a first authentication image.
However, in an analogous art, Shastri discloses further comprising: at the authentication portal, generating a first authentication image (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shastri with the system / method of Gomi and Rathbun to include further comprising: at the authentication portal, generating a first authentication image.
One would have been motivated to provide users with the benefits of multi-stage authentication (Shastri: paragraph 0002).
Regarding claim 16, Gomi, Rathbun, and Shastri disclose the method of claim 15.  Shastri discloses further comprising: at the authentication application, scanning and recognizing the first authentication image generated by the authentication portal (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).

Regarding claim 17, Gomi discloses a computer implemented method for facilitating secure access to an electronic portal though multifactor authentication, the method comprising  (Gomi, paragraph 0262, “Alice makes a purchase request for tour-related goods to service mediating apparatus 201 of the tour portal using terminal apparatus 203 (step S317).”);
(Gomi, paragraph 0240, “Next, Alice sends a service access request for a tour reservation to service mediating apparatus 201 of the tour portal site (step S301).”);
generating an authentication request (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”);
transmitting the authentication request to an authentication service (Gomi, paragraph 0240, “Service mediating apparatus 201 receives the service access request from terminal apparatus 203 and sends an authentication request message for asking authentication apparatus 200 for authentication of the user (step S302).”).
Gomi does not explicitly disclose requesting an authentication image from a code generator; receiving an authentication image; displaying the authentication image at the authentication portal; receiving an authentication request from an authentication application in response to the authentication application recognizing the authentication image; receiving an authorized user token from the authentication application.
However, in an analogous art, Shastri discloses requesting an authentication image from a code generator (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.”);
(Shastri, paragraph 0110, “The security data may be presented 1402 (e.g., a QR code) at the device to enable another registered device, e.g., mobile device 1450 to be used for password-less authentication.  Device 1450 may be used to capture the security data.”);
displaying the authentication image at the authentication portal (Shastri, paragraph 0110, “The security data may be presented 1402 (e.g., a QR code) at the device to enable another registered device, e.g., mobile device 1450 to be used for password-less authentication.  Device 1450 may be used to capture the security data.”);
receiving an authentication request from an authentication application in response to the authentication application recognizing the authentication image (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.  The security data may be associated with one or more criteria (e.g., a time period) for further ensuring secure use according to the criteria.”; paragraph 0127, “At step 1922, a determination is made whether the data received from the second device matches an unencrypted form of the data embedded in the security data generated at step 1914.  The determination may include determining whether the data includes the information (e.g., related to the user) included in the data embedded in the security data.  The user may be authenticated with access upon determining that the data received from the second device matches the data embedded in the security data generated.  Access to the resource may be enabled by the access management system [i.e., access request received in response to authentication image recognition by second device] upon determining that the data includes the information (e.g., related to the user) included in the data embedded in the security data.”);
receiving an authorized user token from the authentication application (Shastri, paragraph 0005, “When the user is authenticated, the user's browser receives a cookie that represents a token that may be used to access the human resources application.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shastri with the system / method of Gomi to include requesting an authentication image from a code generator; receiving an authentication image; displaying the authentication image at the authentication portal; receiving an authentication request from an authentication application in response to the authentication application recognizing the authentication image; receiving an authorized user token from the authentication application.
One would have been motivated to provide users with the benefits of multi-stage authentication (Shastri: paragraph 0002).
Gomi and Shastri disclose generating an authentication request, but do not explicitly disclose including a transaction ID; granting access to the authentication portal.
However, in an analogous art, Rathbun discloses including a transaction ID (Rathbun, paragraph 0020, “Web server 130 may transmit a log-in web page to computer terminal 120 for the user to access the web service/initiate the transaction via the website.  Web server 130 may request authentication server 140 to invoke mobile device 110, and request a wireless authentication, of the user, based on a non-secret unique identifier that is selected/entered via the log-in web page.  Web server 130 may generate and transmit an authentication request to authentication server 140 to authenticate the user before providing the access to the web service via the website.  Web server 130 may receive, from authentication server 140, an approval for the transaction [i.e. authentication request included the transaction ID] and an authentication response that indicates that the user has been successfully authenticated.”);
granting access to the authentication portal (Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the method of Gomi and Shastri including a transaction ID; granting access to the authentication portal.
One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
Regarding claim 18, Gomi, Shastri, and Rathbun discloses the method of claim 17.  Shastri discloses wherein the authentication image comprises a quick response (QR) (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Shastri (US20170118025), filed October 21, 2016, and Rathbun (US20130055362), filed August 22, 2011, and further in view of Schneider 351 (US20130080351),  filed September 23, 2011.

Regarding claim 19, Gomi, Shastri, and Rathbun discloses the method of claim 18.  Gomi discloses further comprising: at the authentication portal: (Gomi, paragraph 0240, “Next, Alice sends a service access request for a tour reservation to service mediating apparatus 201 of the tour portal site (step S301).”);
Gomi, Shastri, and Rathbun do not explicitly disclose generating a promotion detail for a target customer; generating a hash token for the target customer; transmitting a promotion request to an authentication the authentication service.
However, in an analogous art, Schneider 351 discloses generating a promotion detail for a target customer (Schneider 351, paragraph 0125, “For example, at any given time, one or more of the transaction nodes can be designated as active enrollment nodes or sign-up nodes which allow users to enroll in the offering.  For example, there might be a sign-up node for West coast users and a sign-up node for East coast users.  When a sign-up node forms a new block of entries, it sends an advertisement as a "block status" message to the other active sign-up nodes, if any, and to a small randomly selected subset of the other, deactivated (non sign-up) transaction nodes [i.e., target customer].  The reason for sending block status messages to only a small subset (e.g., more generally, a strict subset--less than all) of the deactivated transaction nodes is that, during periods of high sign-up load, there will already be a lot of network traffic from the new users.”);
generating a hash token  (Schneider 351, paragraph 0099, “Further, the code can include a secure token which is generated by the non-home transaction node, e.g., by hashing the user login id, and digitally signing the hash with a key such as a public key of the home transaction network.”; paragraph 0122, “The transaction nodes can also communicate secure tokens with the advertisements and requests for blocks [i.e., promotion request encompasses advertisements and requests for blocks and promotion detail encompasses advertisements], which are used to authenticate the advertisements as coming from a trusted source.”)
for the target customer (Schneider 351, paragraph 0125, “When a sign-up node forms a new block of entries, it sends an advertisement as a "block status" message to the other active sign-up nodes, if any, and to a small randomly selected subset of the other, deactivated (non sign-up) transaction nodes [i.e., target customer].”);
transmitting a promotion request to an authentication the authentication service (Schneider 351, paragraph 0099, “Further, the code can include a secure token which is generated by the non-home transaction node, e.g., by hashing the user login id, and digitally signing the hash with a key such as a public key of the home transaction network.”; paragraph 0122, “The transaction nodes can also communicate secure tokens with the advertisements and requests for blocks [i.e., promotion request encompasses advertisements and requests for blocks and promotion detail encompasses advertisements], which are used to authenticate the advertisements as coming from a trusted source.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schneider 351 with the method of Gomi, Shastri, and Rathbun including generating a promotion detail for a target customer; generating a hash token for the target customer; transmitting a promotion request to an authentication the authentication service.
One would have been motivated to provide users with the benefits of allowing users to participate in offering of shares of a stock (Schneider 351: paragraph 0003).



Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Gomi (US20110004753), filed September 17, 2008, in view of Shastri (US20170118025), filed October 21, 2016, Rathbun (US20130055362), filed August 22, 2011, and Schneider 351 (US20130080351),  filed September 23, 2011, and further in view of Purves (US20130346302), filed June 20, 2013.
Regarding claim 20, Gomi, Shastri, Rathbun, and Schneider 351 disclose the method of claim 19.
Gomi, Shastri, Rathbun, and Schneider 351 do not explicitly disclose wherein the promotion request comprises the hash token and a promotional message.
(Purves, paragraph 0440, “In one implementation, the merchant server may use the user sign as a trigger to request current user information from the wallet server.  The merchant server may generate and send a user information request message 20926 to the wallet server.  The user information request message [i.e., promotional message] 20926 may include, without limitation, the customer ID that is unique to the customer and the merchant relationship, a token [i.e., token], an API key, a digital certificate, and/or the like.  In one implementation, the token may be generated using one or more parameters such as the merchant's API key, customer ID, merchant ID, merchant name, customer name, and/or the like.  In a further implementation, the token may be encrypted.  In one implementation, the token may be a string that is created by the MD5 Message Digest algorithm hash of one or more of the parameters listed above.  In one implementation, the merchant server may utilize callbacks via APIs, inline widgets, etc., to pull user information from the wallet.  For example, the merchant server may call the getPayment API to obtain payment method details such as card nicknames, brand, last 4 digits, etc. An exemplary GET request method for making the call is provided below.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Purves with the method of Gomi, Shastri, Rathbun, and Schneider 351 including wherein the promotion request comprises the hash token and a promotional message.
One would have been motivated to provide users with the benefits of remote portal bill payment platforms (Purves: paragraph 0004).



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.









/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439