DETAILED ACTION
This communication is in response to the application filed on October 31, 2018, in which claims 1-20 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 1, 12, 14 and 20 are objected to for a number of intended use recitations in the claims (“adapted to” in claims 1, 12, 14 and 20); the use of the intended use terms suggests or makes optional the steps following the terms. Language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claimed limitations (See MPEP § 2106 and MPEP § 2111.04).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4-6, 12, 14-15, and 20 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by US PG-PUB No. 2015/0188913 A1 to Teixeron et al. (hereinafter Teixeron).
As per claim 1, Teixeron disclosed a computer implemented method of generating a Time based One Time Password (TOTP) comprising a risk assessment index (Teixeron, par 0008, “a method for generating an enhanced one-time password(OTP)”, the enhanced OTP being combined with risk information data, further par 0010-0011, “...generating the cryptographic OTP data may comprise cryptographically combining the risk information data and the first value of the dynamic variable with a cryptographic secret... the dynamic variable may be time-based”), comprising: 
using at least one processor of a code generation device for: monitoring an authentication process in which a user provides authentication credentials to enable the code generation device to generate a TOTP for use by a client device associated with the user to access a secure service (Teixeron, par 0005, “The client devices to generate the OTPs include dedicated hardware authentication tokens with their own display and sometimes with a keypad for entry of a PIN (Personal Identification Number)...”, also par 0031, client device analyzing the process of user entering PIN to determine risk factor for generating OTP); 
calculating a risk index indicating an estimated risk level of the authentication process based on data collected during the authentication process (Teixeron, par 0031, client device analyzing the process of user entering PIN to determine risk factor for generating OTP, further par 0027, the client device determines a score for each of a set of risk factors, and “the client device may combine the various scores of the separate risk factors into a single overall risk analysis score”, the risk analysis score determined by the client device corresponds to a risk index); 
generating the TOTP based on a unique secret key assigned to the code generation device (Teixeron, par 0010, “...generating the cryptographic OTP data may comprise 
outputting the encoded TOTP for transmission to an authentication system adapted to generate an authentication score for the user attempting to access the secure service based on verification of the TOTP and according to the risk index (Teixeron, par 0037-0044, client device provides enhanced OTP to the server, and “...the verification server may, upon receiving the Enhanced OTP, extract the risk information bits from the received Enhanced OTP, verify the cryptographic validity of (the remainder of) the Enhanced OTP and perform a second server-side risk analysis using the risk information bits extracted from the received Enhanced OTP”, further par 0047, “...the server may reject the received Enhanced OTP in any case if the verification of the cryptographic validity of the OTP fails. In some embodiments, if the verification of the cryptographic validity of the OTP is successful, the server may accept the OTP as being cryptographically correct and may assign a quality level to the Enhanced OTP dependent on the outcome of the second risk analysis. Alternatively, the server may assign a risk level to the 

As per claim 2, Teixeron disclosed the computer implemented method of claim 1, wherein the authentication credentials include at least one member of a group consisting of: a key, a code, an answer to a security question and a biometric verification (Teixeron, par 0005, “The client devices to generate the OTPs include dedicated hardware authentication tokens with their own display and sometimes with a keypad for entry of a PIN (Personal Identification Number)...”, also par 0031, client device analyzing the process of user entering PIN to determine risk factor for generating OTP; the PIN corresponds to “a code”, further, par 0031, “...the client device may have a biometric component for capturing a measurement of certain biometric features of the user... The client device may be adapted to allow a certain number or retries if the user enters a wrong PIN or password...”).

As per claim 4, Teixeron disclosed the computer implemented method of claim 1, wherein the authentication process is conducted prior to a request from the authentication system to provide the TOTP (Teixeron, par 0019, “In some embodiments the enhanced OTP may be provided to an application together with a transaction request”, which implies the enhanced OTP is generated prior to an authentication request from the server).

As per claim 5, Teixeron disclosed the computer implemented method of claim 1, wherein the data collected during the authentication process comprising at least one member of a group consisting of: user information, device information relating to the code generation device, 

As per claim 6, Teixeron disclosed the computer implemented method of claim 1, further comprising generating the encoded TOTP in a machine readable representation (Teixeron, par 0038, risk information bits as part of OTP being sent to server, which indicates the data is in a machine readable representation).

Claim 12 recites substantially the same limitations as claim 1, in the form of a code generation device performing the corresponding method, therefore, it is rejected under the same rationale.

As per claim 14, Teixeron disclosed a computer implemented method of authenticating a user attempting to access a secure service according to a Time based One Time Password (TOTP) comprising a risk assessment index (Teixeron, par 0017, “a method for securing the interaction of a user with an application”, par 0008, “a method for generating an enhanced one-time 
using at least one processor of an authentication system for: 
receiving an encoded TOTP from a client device associated with a user (Teixeron, par 0037-0044, client device provides enhanced OTP to the server), the encoded TOTP is generated by a code generation device associated with the client device during an authentication process in which the user provides his authentication credentials to enable the code generating device to generate a TOTP for accessing a secure service (Teixeron, par 0005, “The client devices to generate the OTPs include dedicated hardware authentication tokens with their own display and sometimes with a keypad for entry of a PIN (Personal Identification Number)...”, also par 0031, client device analyzing the process of user entering PIN to determine risk factor for generating OTP), the TOTP which is based on a unique secret key assigned to the code generation device and a current time is encoded with a risk index to produce the encoded TOTP (Teixeron, par 0010, “...generating the cryptographic OTP data may comprise cryptographically combining the risk information data and the first value of the dynamic variable with a cryptographic secret”, the cryptographic secret corresponds to “a unique secret key assigned to the code generation device”) and a current time (Teixeron, par 0011, “...the dynamic variable may be time-based. For example, the dynamic variable may comprise the value of a clock that may be comprised in a client device generating the enhanced OTP”, par 0038, “...the client device may be adapted to pass the risk information bits together with the generated OTP or as part of the OTP to the server for further analysis. In what follows an OTP comprising risk information bits may be referred to as an Enhanced OTP. An Enhanced OTP may therefore be viewed as comprising on 
decoding the encoded TOTP to extract the risk index and the TOTP (Teixeron, par 0037-0044, client device provides enhanced OTP to the server, and “...the verification server may, upon receiving the Enhanced OTP, extract the risk information bits from the received Enhanced OTP, verify the cryptographic validity of (the remainder of) the Enhanced OTP and perform a second server-side risk analysis using the risk information bits extracted from the received Enhanced OTP”); 
calculating an authentication score based on verification of the TOTP and according to the risk index (Teixeron, par 0047, “...the server may reject the received Enhanced OTP in any case if the verification of the cryptographic validity of the OTP fails. In some embodiments, if the verification of the cryptographic validity of the OTP is successful, the server may accept the OTP as being cryptographically correct and may assign a quality level to the Enhanced OTP dependent on the outcome of the second risk analysis. Alternatively, the server may assign a risk level to the Enhanced OTP based on the outcome of the cryptographic verification and the second risk analysis”, the quality level/risk level generated by the verification server corresponds to the claimed authentication score); and 


As per claim 15, Teixeron disclosed the computer implemented method of claim 14, wherein granting the client device access to the secure service includes one member of a group consisting of: granting full access, granting limited access and denying access (Teixeron, par 0051, “....decide whether or not to grant access to the user or to accept the transaction submitted by the user and associated with that OTP”, par 0019, “In some embodiments said action may comprise granting access to said user, for example to some resource. In some embodiments said action may comprise logging in the user. In some embodiments said action may comprise granting the user some authorization, for example to perform certain actions or transactions.”).

Claim 20 recites substantially the same limitations as claim 14, in the form of a system implementing the corresponding method, therefore, it is rejected under the same rationale.
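
The enhanced OTP flow quoted above from Teixeron (risk information cryptographically combined with a time-based dynamic variable and a secret, carried as part of the OTP, then extracted and verified by the server) is illustrated below. This is an added example, not code from this Office action, the application, or Teixeron; the HMAC-SHA256 construction, the two-digit trailing risk field, the 30-second step, the function names, and the access thresholds are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (assumed)
CODE_DIGITS = 6  # cryptographic part of the enhanced OTP (assumed)
RISK_DIGITS = 2  # risk index 00..99 appended in clear (assumed layout)


def _code(secret: bytes, counter: int, risk: int) -> str:
    """HMAC over (time counter || risk index), RFC 4226-style truncation."""
    mac = hmac.new(secret, struct.pack(">QB", counter, risk), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def generate_enhanced_totp(secret: bytes, risk: int, now: float) -> str:
    """Client side: bind the locally computed risk index into the OTP."""
    if not 0 <= risk < 10 ** RISK_DIGITS:
        raise ValueError("risk index out of range")
    return _code(secret, int(now) // STEP, risk) + str(risk).zfill(RISK_DIGITS)


def verify_enhanced_totp(secret: bytes, otp: str, now: float, window: int = 1):
    """Server side: extract the risk digits, then verify the remainder.

    Returns (valid, risk); risk is None when verification fails.
    """
    if len(otp) != CODE_DIGITS + RISK_DIGITS or not (otp.isascii() and otp.isdigit()):
        return False, None
    code, risk = otp[:CODE_DIGITS], int(otp[CODE_DIGITS:])
    counter = int(now) // STEP
    valid = False
    for drift in range(-window, window + 1):  # tolerate small clock skew
        if counter + drift < 0:
            continue
        # Constant-time compare; the risk digits are part of the MAC input,
        # so altering them in transit changes the expected code.
        valid |= hmac.compare_digest(_code(secret, counter + drift, risk), code)
    return valid, (risk if valid else None)


def access_decision(secret, otp, now, limited_at=30, deny_at=70) -> str:
    """Map verification result and risk index to full/limited/deny."""
    valid, risk = verify_enhanced_totp(secret, otp, now)
    if not valid or risk >= deny_at:
        return "deny"
    return "limited" if risk >= limited_at else "full"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample key
    now = 1_700_000_000                   # constructed timestamp
    otp = generate_enhanced_totp(secret, 45, now)
    print(otp, access_decision(secret, otp, now))
    print(access_decision(secret, otp[:CODE_DIGITS] + "05", now))
```

Because the risk index is an input to the MAC, lowering the trailing risk digits in transit makes the cryptographic check fail instead of yielding a lower-risk decision.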

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Teixeron as applied to claim 1 above, and further in view of US PG-PUB No. 2016/0226862 A1 to Song (hereinafter Song).
As per claim 3, Teixeron disclosed the computer implemented method of claim 1; Teixeron does not explicitly disclose the authentication process is conducted in response to a request from the authentication system to provide the TOTP; however, in an analogous art in network based user authentication, Song disclosed generating OTP being in response to request from authentication system to provide the OTP (Song, par 0131, OTP event occur in response to reception of an OTP authentication request message from authentication server); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Teixeron to incorporate the concept of OTP event being in response to request of OTP from authentication server as disclosed by Song, in order to ensure a secure authentication process when an OTP is determined to be necessary.

Claims 7-10 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Teixeron as applied to claims 1 and 14 above, and further in view of US PG-PUB No. 2018/0270067 A1 to Woo (hereinafter Woo) and US Pat. No. 6,182,225 B2 to Hagiuda et al. (hereinafter Hagiuda).
As per claim 7, Teixeron disclosed the computer implemented method of claim 1, further comprising receiving a challenge (Teixeron, par 0031, user category risk factors including monitored user actions during authentication process such as entering PIN or password or biometric authentication, the request for user to enter PIN or password or biometric data correspond to challenges); Teixeron does not explicitly disclose the challenge being from the authentication system, i.e., Teixeron disclosed challenge being made to user from client device (e.g., par 0031) but does not explicitly disclose the challenge being from authentication server, however, in an analogous art in user authentication, Woo disclosed providing user challenge from authentication server (Woo, Fig. 18, step S2 and par 0202-0204, request user entering credential such as user ID and password); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Teixeron to incorporate the providing challenge from server to client terminal as disclosed by Woo, such modification allow server system to maintain more control of authentication process; Teixeron in view of Woo does not explicitly disclose the challenge comprising data indicative of at least one attribute identified for at least one of: the user and the client device, the at least one attribute is available to the authentication system from at least one previous session conducted between the client device and the authentication system; however, in an analogous art in user authentication, Hagiuda disclosed the concept of providing log-in challenge comprising data indicative of user attribute which is available to the authentication system from at least one previous session conducted between the client device and the authentication system (Hagiuda, col. 36, lines 9-15, login interface dialog with username name and password field, “When a 

As per claim 8, Teixeron-Woo-Hagiuda disclosed the computer implemented method of claim 7, further comprising calculating the risk index according to a comparison between the data collected by the code generation device during the authentication process and the data included in the challenge (Teixeron, par 0031, e.g., comparing received PIN or password with stored reference to determine user category risk factor).

As per claim 9, Teixeron-Woo-Hagiuda disclosed the computer implemented method of claim 7, further comprising generating the encoded TOTP based on at least some of the challenge data (Teixeron, par 0031, user category risk factors based on challenges, and par 0029, 0037-0038, combine risk factors to generate risk information bits as part of enhanced OTP). 

As per claim 10, Teixeron-Woo-Hagiuda disclosed the computer implemented method of claim 7, further comprising the challenge is received in a machine readable representation (Teixeron, par 0038, risk information bits as part of OTP being sent to server, which indicates the data is in a machine readable representation).



As per claim 17, Teixeron-Woo-Hagiuda disclosed the computer implemented method of claim 16, further comprising transmitting the challenge in a machine readable representation (Teixeron, par 0038, risk information bits as part of OTP being sent to server, which indicates the data is in a machine readable representation).

As per claim 18, Teixeron-Woo-Hagiuda disclosed the computer implemented method of claim 16, further comprising verifying the code generation device as originator of the encoded TOTP according to at least some of the challenge data used by the code generation device to generate .

Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Teixeron as applied to claims 1 and 14 above, and further in view of US PG-PUB No. 2018/0183789 A1 to Tischart et al. (hereinafter Tischart).
As per claim 11, Teixeron disclosed the computer implemented method of claim 1; Teixeron does not explicitly disclose requesting the user to provide additional authentication information to the authentication system in case the risk index exceeds a predefined risk threshold; however, in an analogous art in network user authentication, Tischart disclosed requesting user to provide additional authentication information to the authentication system in case a risk level/index exceeds a predefined risk threshold (Tischart, par 0036, “When a user of device 202A attempts to access a computer network (e.g., the network 100 of FIG. 1, etc.), the context-aware decision logic/module 212 uses the information associated with the current authentication session (i.e., the current identity data and the current contextual data being used for the current authentication session) and the data stored in the security access database 210 to determine a risk level associated with the current authentication session. If the risk level fails to exceed a threshold, the decision logic/module 212 does not trigger additional authentication sessions for the user of device 202. That is, the decision logic/module 212 will "inform" the authentication entity 206 to grant the user of device 202 access to the secure network based on the current authentication session (assuming the identity data used by the user of device 202 is in fact the correct information for successful authentication). Alternatively, if the risk level exceeds the threshold, the decision logic/module 212 triggers additional authentication sessions 

As per claim 19, Teixeron-Tischart disclosed the computer implemented method of claim 14, further comprising transmitting to the client device a request to provide additional authentication information in case the risk index exceeds a predefined risk threshold (Tischart, par 0036, determining whether additional authentication session will be triggered based on risk level being compared with threshold; the reasons of obviousness have been noted in the rejection of claim 11 above and applicable herein).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Teixeron as applied to claims 1 and 12 above, and further in view of US PG-PUB No. 2011/0276495 A1 to Varadarajan et al. (hereinafter Varadarajan).
As per claim 13, Teixeron disclosed the code generation device of claim 12; Teixeron does not explicitly disclose the code generation device is integrated in the client device; however, in an analogous art in network based user authentication, Varadarajan disclosed an implementation where the code generation device is integrated in the client device (Varadarajan, par 0057, user device includes software routines running on special or general purpose hardware for generating .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Bhabbur (US Pat. No. 10,554,652 B1) disclosed user authentication based on a partial password, by applying a mask to generated password.
Baghdasaryan (US Pat. No. 9,875,347 B2) disclosed a method and system for user authentication based on determined risk level calculated from collected data associated with user activity.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440.  The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/LINGLAN E EDWARDS/Primary Examiner, Art Unit 2491