Acknowledgements
This communication is in response to applicant’s response filed on 01/13/2021.
Claims 1, 6, and 15 have been amended. 
Claims 1, 6-9, 12-22, and 25-26 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Regarding applicant’s arguments:	
Regarding applicant’s arguments under Claim Rejections - 35 USC § 103 that the combination of Park (WO 2012043963 A1) in view of Varadarajan (US 20130124855) in further view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) does not disclose “the portable authentication terminal checks whether financial transaction information is included in the decrypted second QR code information, and extracts the financial transaction information from the decrypted second QR code information
Applicant argues dependent claims 2, 6-9, 12-14, 16-22, and 25-26 are allowable based on their dependence upon allowable base claims, examiner respectfully argues applicant’s arguments are moot in light of the amendments made to claims 1 and 15.

Priority
This application claims the benefit of PCT/KR2014/010929 filed on 11/13/2014. Applicant’s claim for the benefit of this prior-filed application is acknowledged. This application claims the benefit of foreign application KR10-2013-0160027 filed on 12/20/2013. Applicant’s claim for the benefit of this prior-filed application is acknowledged.

Claim Interpretation 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
the portable authentication terminal performs data communication with the QR authentication server, scans the QR code image displayed on the computer terminal, detects the second QR code information from the scanned QR code image, displays the detected second QR code information, and transmits the second QR code information; detects the scanned QR code image, acquires the second OR code information from the detected QR code image, receives a password corresponding to the security key from the user, and decrypts the acquired and encrypted second QR code information; checks an integrity of the QR code using a hash value included in the decrypted second QR code information, and transmits the second QR code information to the QR authentication server when the integrity check is passed in Claims 1 and 15; This element is interpreted under 112(f) as the portable authentication terminal 120, which is a device including a scanning means capable of scanning the QR code image19 displayed on the computer terminal 110, and may be a smart device, such as a smart pad or a smart phone having unique terminal identification information (Page 19, lines 23-24 and Page 20, lines 1-3).
portable authentication terminal is configured to, when transmitting the second QR code information to the QR authentication server, encrypt again the second QR code information using a password and transmit the encrypted second QR code information in Claim 6; This element is interpreted under 112(f) as the portable authentication terminal 120, which is a device including a scanning means capable of scanning the QR code image19 displayed on the computer terminal 110, and may be a smart device, such as a smart pad or a smart phone having unique terminal identification information (Page 19, lines 23-24 and Page 20, lines 1-3).
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Therefore, by choosing to use a means-plus-function limitation and invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant limits that claim limitation to the disclosed 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 6-9, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of Varadarajan (US 20130124855) in further view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Heo (KR 101209448 B1) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043).

Regarding Claim 1, Park teaches an authentication system using a Quick Response (QR) code (Paragraph 1 teaches an authentication method and server and, more particularly, a method of authenticating a user using an electronic terminal connected to an authentication server via a communication connection and a server for performing the method), comprising: a computer terminal (Paragraphs 27 and 29 teach a client terminal, wherein the client terminal is a personal computer); a portable authentication terminal (Paragraphs 27 and 30 teach an authentication terminal, wherein the authentication terminal is a smartphone), a legacy authentication server (Paragraphs 27 teaches a service provision server), and a QR authentication server (Paragraph 27 teaches an authentication server); the computer terminal transmits a QR code authentication request including user identification information and authentication scheme selection information, to the legacy authentication server (Paragraphs 31-32, 29, 34 and 36 teach user authentication is requested from a service provision server (i.e., legacy authentication server) by a client terminal (i.e., personal computer), wherein the client terminal receives a service from the service provision server, and the authentication key generation unit (i.e., of the authentication server) generates an authentication key, wherein the the QR authentication server stores authentication service subscription information including user information, user terminal identification (ID) information, and user terminal password information (Paragraphs 44-45 teach a user information database is connected to the authentication server, wherein the user information database stores a user ID and an authentication terminal ID; the user ID and the authentication terminal ID may be input and stored when the user subscribes to the authentication system; example of the user include a resident registration number, an Internet Personal Identification Number (i-PIN), or a personal ID, and examples of the authentication terminal ID include a unique value to the terminal, such as the serial number (SN) of the authentication terminal, or a MAC Address; however, it is not necessarily limited thereto, the authentication terminal ID may be a Universal Subscriber Identity Module (USIM) card number, a mobile phone number, or an ID which is required when the authentication terminal accesses the authentication server; alternatively, the authentication terminal ID may be a combination of at least two of the above-described serial number, MAC address, USIM card number, mobile phone number and ID, for example, a single authentication terminal ID may be generated by combining the serial number of a smart phone, a USIM card number and a mobile phone number and may be stored in the user information DB); the legacy authentication server selects a QR code authentication for a service based on the authentication scheme selection information, and transmits a QR code generation request signal that includes QR code generation information, via the selected QR code authentication (Paragraphs 31 and 32 teach the service provision server may request authentication from the authentication server when user authentication is requested from the service provision server by the client terminal; the authentication key generation unit (i.e., of the authentication server) generates an authentication key, wherein the authentication key is a QR code (i.e., authentication scheme) in response to the reception of the authentication request from the service provision server); the legacy authentication server transmits the QR code image transmitted from the QR authentication server, to the computer terminal, the computer terminal displays the QR code image transmitted from the legacy authentication server (Paragraphs 33-34 teach the service provision server transmits the received authentication key to the client terminal, and the client terminal displays the received authentication key); the portable authentication terminal scans the QR code image (Paragraph 35 teaches when the client terminal displays the authentication key, the user may perform an authentication procedure by scanning the QR code displayed on the screen of the client terminal with an authentication terminal (i.e., mobile device), then the authentication terminal receives a character string included in the QR code), and transmits second QR code information acquired from the scanned QR code image, to the QR authentication server (Paragraphs 38-39 teach the authentication validation key reception unit of the authentication server receives the authentication validation key from the authentication terminal, and the approval unit of the authentication server may determine whether the received the QR authentication server performs authentication by comparing the first QR code information and the second QR code information, and transmits a result of the authentication to both the legacy authentication server and the portable authentication terminal (Paragraphs 40 and 55 teach the approval processing unit transmits authentication approval information to the service provision server; additionally, the approval processing unit of the authentication server may transmit authentication success information to the authentication terminal); and the legacy authentication server receives the result of the authentication from the QR authentication server, and approves providing the service by the computer terminal when the received result indicates that the user is authenticated (Paragraph 41 teaches when the service provision server receives the authentication approval information, the service provision server establishes an authentication session with the client terminal so that the user can use the service), wherein the portable authentication terminal performs communication with the QR authentication server over a wired/wireless data communication network (Paragraph 27 teaches the authentication server is connected to the authentication terminal via a wired/wireless communication connection, and therefore can send and receive data), scans the QR code image displayed on the computer terminal (Paragraph 35 teaches the authentication detects the second QR code information from the scanned QR code image, display the detected second QR code information (Paragraph 35 teaches the authentication terminal scans the QR code and receives a character string included in the QR code in compliance with QR code reverse conversion rules, so that the authentication validation key corresponding to the authentication key generated by the authentication server can be input to the authentication terminal); and transmits the second QR code information (Paragraph 38 teaches the authentication terminal transmits the received authentication validation key to the authentication server).
However, Park does not explicitly teach transmits a QR code generation request signal that includes the user identification information.
Varadarajan from same or similar field of endeavor teaches transmits a QR code generation request signal that includes the user identification information (Paragraph 0046 teaches the user initiates a transaction at the personal computer by navigating to a consumer portal with a web browser on the personal computer or inputting his/her user name and password into the corresponding text boxes), wherein the portable authentication terminal checks an integrity of the QR code using a hash value included in the decrypted second QR code information, and transmits the second QR code information to the QR authentication server when the integrity check is passed (Paragraphs 0054-0055 and 0061 teach the I/O device of the mobile device may comprise a sensor that detects the two-dimensional digital image of the QR code and converts it into an electronic signal and the processor of the mobile 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Park to incorporate the teachings of Varadarajan to transmit a QR code generation request signal that includes the user identification information.
There is motivation to combine Varadarajan into Park because users can easily login to their retail, banking or other sensitive accounts by just scanning a QR code displayed on the login page of these websites using their mobile phone. By marrying the security of a two factor credential on a mobile device with the convenience and user-friendliness of scanning a QR code, this approach reduces the barriers to the adoption of multi-factor credentials (Varadarajan Paragraph 0025).
However, the combination of Park and Varadarajan does not explicitly teach the QR authentication server collects first QR code information, encrypts the collected first QR code information using a security key, generates a QR code image corresponding to the encrypted first QR2Application No. 15/104,880 code information, stores the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server, and transmits the generated QR code image to the legacy authentication server.
 the QR authentication server collects first QR code information, encrypts the collected first QR code information using a security key, generates a QR code image corresponding to the encrypted first QR2Application No. 15/104,880 code information (Paragraphs 0028-0029 teach an identity provider (i.e., QR authentication server) receives a request for a QR code for a login session from website server (i.e., legacy authentication server); the QR code may encrypt information to allow identity provider to uniquely identity website server and to enable identity provider to associate user/trusted device with a login session on website server; for example, the QR code may contain a key for retrieval of the security token associated with user/trusted device for the login session, an identifier for website server, and a time stamp; a QR code generation unit of the identity provider generates the QR code; the QR code generation unit may encrypt an amount of data and size the QR code such that the QR code may be scanned and decoded from a reasonable distance by trusted device), stores the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server, and transmits the generated QR code image to the legacy authentication server (Paragraphs 0041-0042 teach website server (i.e., legacy authentication server) requests the identity provider (i.e., QR authentication server) to generate a QR code; the website server may provide information that identifies website server and untrusted device to the identity provider; in addition, the website server may provide metadata that identifies the type of information requested by website server; the identity provider may generate a QR code that uniquely identifies website server  and that ties a 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park and Varadarajan to incorporate the teachings of Desoto for the QR authentication server to collect first QR code information, encrypt the collected first QR code information using a security key, generate a QR code image corresponding to the encrypted first QR2Application No. 15/104,880 code information, store the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server, and transmit the generated QR code image to the legacy authentication server.
There is motivation to combine DeSoto into the combination of Park and Varadarajan because advantageously, the user may securely access websites from devices that may be unsecure, or have no or limited input capabilities. Security is enhanced because the user is not required to enter login credentials or other sensitive information into the unsecured devices that may be stolen, seen, or copied. The QR code itself does not need to contain an URL of the website, but may be encrypted to contain just enough information to uniquely identify the website and to tie the transactions together. The trusted application from the identity provider running on the trusted device and the identity provider provide a bridge through which the user may provide sensitive information to the website securely, conveniently, and efficiently (DeSoto Paragraph 0015).
However, the combination of Park, Varadarajan, and DeSoto does not explicitly teach the legacy authentication server receives the QR code authentication request from the computer terminal, and transmits a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to the QR authentication server; and the QR authentication server receives the subscription query from the legacy authentication server, determines whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information, and transmits a result of the determination whether the user is the subscriber or non-subscriber of the QR code authentication service, to the legacy authentication server.
Woo from same or similar field of endeavor teaches the legacy authentication server receives the QR code authentication request from the computer terminal, and transmits a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to the QR authentication server (Paragraphs 0033-0034 teach when the member company server receives a user authentication processing request signal including a user's mobile phone number and identification information, the mobile phone number of the user and the mobile phone number of the user to the authentication server to verify (i.e., query a subscriber DB) the identity of the user who requested user authentication processing); and the QR authentication server receives the subscription query from the legacy authentication server, determines whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information, and transmits a result of the determination whether the user is the subscriber or non-subscriber of the QR code authentication service, to the legacy authentication server (Paragraph 0034 teaches the authentication server transmits the mobile phone number and identification information to the mobile communication system to request the identity verification authentication service of the subscriber requesting confirmation of the match, wherein the mobile communication system queries the subscriber DB, checks whether the mobile phone number of the requested user matches the identification information, and provides the result as the subscriber's identity verification information; the mobile communication system may provide the subscriber's identity verification information to the authentication server, or may directly provide the subscriber's identity verification information to the member company server).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, and DeSoto to incorporate the teachings of Woo for the legacy authentication server to receive the QR code authentication request from the computer terminal, and transmits a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to the QR authentication server; and the QR authentication server receives the subscription query from the legacy authentication server, determines whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information, and transmits a result of the determination whether the user is the subscriber or non- subscriber of the QR code authentication service, to the legacy authentication server.

However the combination does not explicitly teach the portable authentication terminal 3Application No. 15/104,880Docket No. 601700-000020 detects the scanned QR code image, acquires the second QR code information from the detected QR code image, receives a password corresponding to the security key from the user, and decrypts the acquired and encrypted second QR code information.
Heo from same or similar field of endeavor teaches the portable authentication terminal 3Application No. 15/104,880Docket No. 601700-000020 detects the scanned QR code image, acquires the second QR code information from the detected QR code image, receives a password corresponding to the security key from the user, and decrypts the acquired and encrypted second QR code information (Paragraphs 0049, 0051, and 0054 teach the MOTP terminal (i.e., portable authentication terminal) according to an embodiment of the present invention downloads an installation application and is installed as a MOTP generating program, and then the user registration module is used for transmitting and registering the service usage information of the user in the initial execution; each time the MOTP generating program is executed, the password input module receives a password from the user and the QR code input module scans the QR code from the screen of the user 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto and Woo to incorporate the teachings of Heo for the analyzing the scanned QR code image and extracting the second QR code information to comprise: requesting, after the second QR code information has been extracted, the user to input a password corresponding to the security key; receiving the password from the user; and then decrypting the encrypted second QR code information using the password.
There is motivation to combine Heo into the combination of Park, Varadarajan, DeSoto and Woo because the present invention solves the problems of the conventional user authentication system. For example, in the conventional system, the ARS or SMS communication costs are involved every time the 
However the combination does not explicitly teach wherein the QR authentication server: collects first QR code information including financial transaction information; encrypts the collected first QR code information including the financial transaction information, using the security key; and generates the QR code image corresponding to the encrypted first QR code information including the financial transaction information; displays, after the financial transaction information has been displayed a message prompting the user to decide whether to approve a corresponding, and when the user selects approval in response to the prompt message, adds details of the approval to the second QR code information, and transmits the second QR code information to the QR authentication server, and wherein the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction information is with respect to an account transfer service, and includes multiple pieces of information among card company information, a card number, and payment amount information when the financial transaction information is with respect to a payment service.
Morgan from same or similar field of endeavor teaches wherein the QR authentication server: collects first QR code information including financial transaction information; encrypts the collected first QR code information including the financial transaction information, using the security key (Paragraphs 0027, 0049, and 0061 teach an account code may or may not be associated with an electronic wallet account, or e-wallet account; further still, an account code may not be visible to any person or party; that is, an account code may be encoded and/or encrypted in a QR code or other encoded data; QR codes are known in the art and may be encoded with a variety of data, including text and uniform resource locators (URLs); the data encoded in a QR code may also be encrypted; security may be improved by encrypting transaction account data and/or mobile device identification information; encryption may be performed by way of any of the techniques now available in the art or which may become available—e.g., Twofish, RSA, El Gamal, Schorr signature, DSA, PGP, PKI, and symmetric and asymmetric cryptosystems); and generates the QR code image corresponding to the encrypted first QR code information including the financial transaction information (Paragraphs 0065 and 0050 teach the QR code may be encrypted; a consumer is presented with encoded data, because a QR code (and more broadly, encoded data) comprises a transition point; a unique QR code may be associated with a particular transaction); displays, after the financial transaction information has been displayed a message prompting the user to decide whether to approve a corresponding transaction (Paragraphs 0066 and 0070 teach a consumer may view her purchase data or shopping cart with her mobile device; a consumer may initiate this stage of the checkout process by way of a “verify,” “submit,” “buy,” or “checkout” option presented on a display portion of a mobile device).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, and Heo to incorporate the teachings of Morgan for the QR authentication server: to collect first QR code information including financial transaction information; encrypt the collected first QR code information including the financial transaction information, using the security key; and generate the QR code image corresponding to the encrypted first QR code information including the financial transaction information; wherein the portable authentication terminal checks whether financial transaction information is included in the decrypted second QR code information; extracts the financial transaction information from the decrypted second QR code information and displays the financial transaction information on the display; displays, after the financial transaction information has been displayed a message prompting the user to decide whether to approve a corresponding, and when the user selects approval in response to the prompt message, adds details of the approval to the second QR code information, and transmits the second QR code information to the QR authentication server, and wherein the financial transaction information includes multiple pieces of information among bank transit information, sender account 
There is motivation to combine Morgan into the combination of Park, Varadarajan, DeSoto, Woo, and Heo because one or more groups of unique QR codes may be associated with a group or groups of transactions. In this way, the potential for fraud may be minimized or reduced. For example, where each transaction is associated with a unique QR code, the difficulty associated with forging or generating a fraudulent QR code is greater. Thus, individuals who would commit transaction fraud by presenting to a consumer a fraudulent/forged QR code will encounter some difficulty in receiving payment based upon the fraudulent QR code, as a code may never be recycled. A QR code may reduce or eliminate the need for traditional prior art payment methods. In particular, a QR code may permit a consumer to partially or fully bypass or circumvent merchant payment processing systems entirely. Additionally, a QR code is not necessarily presented by a mobile device, but scanned by a mobile device. Thus, the present disclosure illustrates systems and methods that may be considered the reverse of current systems, which continue to needlessly and dangerously rely upon merchants to facilitate payment (Morgan Paragraphs 0051-0052).
However, the combination does not explicitly teach the portable authentication terminal checks whether financial transaction information is included in the decrypted second QR code information, extracts the financial transaction information from the decrypted second QR code information and displays the financial transaction information on the display, and when the user selects approval in response to the prompt message, adds details of the approval to the second QR code information, and transmits the second QR code information to the QR authentication server, and the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction information is with respect to an account transfer service, and includes multiple pieces of information among card company information, a card number, and payment amount information when the financial transaction information is with respect to a payment service.
Goldstone from same or similar field of endeavor teaches the portable authentication terminal checks whether financial transaction information is included in the decrypted second QR code information (Paragraphs 0046 and 0099 teach the consumer may then use the app on the mobile device to scan the QR code; the QR code comprises merchant information, the basket amount and the tracking reference, as well as any attribute queries and policy decisions that there may be, so that when the app scans the QR code, that information is imported into the app; if the information is verified, the app may then proceed directly to data transfer and execute the transaction on the basis of the information obtained from the QR code), extracts the financial transaction information from the decrypted second QR code information and displays the financial transaction information on the display (Paragraphs 0046, 0048, and 0101 teach the mobile device scans the QR code and extract the transaction identifier, thus transferring the transaction identifier from the browser to the app in data transfer; the app may have access and/or hold the necessary tools, for example the symmetric key etc, to carry out decryption and verification of the transaction information in the QR code; the received transaction information is displayed to the consumer by the app; in particular, the name of the merchant and the basket amount are displayed to the consumer so that the consumer may confirm that the merchant name is correct before completing the transaction), and when the user selects approval in response to the prompt message, adds details of the approval to the second QR code information, and transmits the second QR code information to the QR authentication server (Paragraphs 0049 teaches in order to complete the transaction, the consumer may select a ‘confirm’ button on the app, which transmits an instruction from the app to the communications gateway in data transfer so that the communications gateway may execute the transaction), and the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction information is with respect to an account transfer service, and includes multiple pieces of information among card company information, a card number, and payment amount information when the financial transaction information is with respect to a payment service (Paragraph 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, and Morgan to incorporate the teachings of Goldstone for the portable authentication terminal to check whether financial transaction information is included in the decrypted second QR code information, extract the financial transaction information from the decrypted second QR code information and display the financial transaction information on the display, and when the user selects approval in response to the prompt message, adds details of the approval to the second QR code information, and transmits the second QR code information to the QR authentication server, and the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction information is with respect to an account transfer service, and includes multiple pieces of information among card company information, a 
There is motivation to combine Goldstone into the combination of Park, Varadarajan, DeSoto, Woo, Heo, and Morgan because use of this transaction service means that the consumer can save time because they do not need to spend time entering their payment details into the terminal in order to execute the transaction. It also improves security for the consumer because their payment details are not being transferred to a merchant, where the security of the payment details may be compromised either in transfer or whilst with the merchant (Goldstone Paragraph 0051).

Regarding Claim 6, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claim 1 above; however the combination does not explicitly teach wherein the portable authentication terminal is configured to, when transmitting the second QR code information to the QR authentication server, encrypt again the second QR code information using a password and transmit the encrypted second QR code information.
Varadarajan further teaches wherein the portable authentication terminal is configured to, when transmitting the second QR code information to the QR authentication server, encrypt again the second QR code information using a password and transmit the encrypted second QR code information (Paragraphs 0060-0061 teach the key holder recovers the seed key identified and utilizes that seed key to generate an OTP and a challenge (i.e., 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan for the portable authentication terminal to be configured to, when transmitting the second QR code information to the QR authentication server, encrypt again the second QR code information using a password and transmit the encrypted second QR code information.
There is motivation to further combine Varadarajan into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone for the same reasons listed above for claims 1 and 15.

Regarding Claim 7, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claim 1 above; however the combination does not explicitly teach wherein the legacy authentication server includes a legacy authentication information database (DB) that stores pieces of legacy authentication information for respective pieces of user identification (ID) information, and a session ID information DB that stores Docket No. 601700-000020authentication service information including pieces of session ID information for respective pieces of user ID information, determines an authentication request scheme based on the authentication scheme selection information for the authentication request, performs legacy authentication with reference to the legacy authentication information DB when the authentication request scheme is found to be legacy authentication upon a determination of the authentication type; determines whether the user of the user ID information is a subscriber to the QR code authentication service through the QR authentication server when the authentication request scheme is found to be QR code authentication upon a determination of the authentication type, request, when the user is the subscriber to the QR code authentication service, issuance of a QR code by transmitting the QR code generation request signal including the user ID information, and transmits the QR code image received in response to the request signal to the computer terminal, and wherein the legacy authentication server is configured to, when the result of QR code authentication depending on transmission of the QR code image are received from the QR authentication server and indicate success, approve provision of the service.
Varadarajan further teaches wherein the legacy authentication server includes a legacy authentication information database (DB) that stores pieces of legacy authentication information for respective pieces of user identification (ID) information, and a session ID information DB that stores Docket No. 601700-000020authentication service information including pieces of session ID information for respective pieces of user ID information, determines an authentication request scheme based on the authentication scheme selection information for the authentication request, performs legacy authentication with reference to the legacy authentication information DB when the authentication request scheme is found to be legacy authentication upon a determination of the authentication type (Paragraphs 0030-0031 and 0047-0048 teach the transaction server comprises a memory a processor, wherein the processor is configured to execute the computer program code embodied on memory and to perform the various functions of the corresponding transaction server; the user initiating the transaction is identified with information that is unique to that user and/or his/her mobile device, for example, the user may be identified from the user name and password he/she inputs in the corresponding text boxes of a consumer portal using the personal computer and that user information is transmitted from the security client to the security server, wherein the security server utilizes the transaction server (i.e., legacy authentication server) to generate transaction information that includes a session identifier that identifies the log on session that requires authentication), determines whether the user of the user ID information is a subscriber to the QR code authentication service through the QR authentication server when the authentication request scheme is found to be QR code authentication upon a determination of the authentication type, request, when the user is the subscriber to the QR code authentication service, issuance of a QR code by transmitting the QR code generation request signal including the user ID information, and transmits the QR code image received in response to the request signal to the computer terminal, and wherein the legacy authentication server is configured to, when the result of QR code authentication depending on transmission of the QR code image are received from the QR authentication server and indicate success, approve provision of the service (Paragraphs 0039-0040 teach a consumer portal is illustrated that comprises transaction information presented in the form of a QR code as well as text boxes where a user is prompted to input his/her user name and password and the QR code may be generated based on the user name and password input into those text boxes; the user then may utilize the I/O device of his/her mobile device to scan or otherwise read the QR code into his/her mobile device to generate an OTP and a message comprising that OTP and the transaction information then may be transmitted automatically to the consumer portal to complete authentication, wherein the consumer portal may be hosted on a web server that comprises the transaction server, the encryption/decryption server, and the authentication server; the transaction server generates transaction information that determines the level of authentication required for a particular transaction and transmits that transaction information to the security client (i.e., personal computer); the encryption/decryption server decrypts that message and transmits the decrypted OTP and transaction information to the authentication server; and the authentication server validates the OTP utilizing the transaction information that was presented in the QR code).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan for the legacy authentication server to include a legacy authentication information database (DB) that stores pieces of legacy authentication information for respective pieces of user identification (ID) information, and a session ID information DB that stores 
There is motivation to further combine Varadarajan into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone for the same reasons listed above for claims 1 and 15.

Regarding Claims 8, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claims 7 and 15 above; however the combination does not explicitly teach wherein the legacy authentication server compares session ID information of user ID information and the session ID information, which are included in the result of the QR code authentication when the QR code authentication result are received, with session ID information registered in a session ID information DB for the user ID information, and performs session authentication based on whether the pieces of session ID information match each other, wherein approval of provision of the service is determined when session authentication is succeeded.
Woo further teaches wherein the legacy authentication server compares session ID information of user ID information and the session ID information, which are included in the result of the QR code authentication when the QR code authentication result are received, with session ID information registered in a session ID information DB for the user ID information (Paragraphs 0034, 0064, 0039, and 0041 teach the authentication server transmits a push message requesting an identity verification process to the mobile terminal of the user, and waits for a response signal for the push message from the user, when the response signal is received, wherein the authentication server proceeds with waiting for the reception of the push response signal for a predetermined time (e.g., the reception waiting time of the push response signal may be about 5 to 15 seconds) (i.e., the signal comprises session ID information); when the response signal is received, the mobile phone number and identification information is transmitted to the mobile communication system; the identity verification processing module of the authentication server is connected with the application of the user's mobile terminal and transmits a push message requesting , and performs session authentication based on whether the pieces of session ID information match each other, wherein approval of provision of the service is determined when session authentication is succeeded (Paragraphs 0042, 0034, and 0053 teach the identity verification processing module of the authentication server, when the identity is verified through the identity verification processing module (successful identity verification), uses the mobile phone number and identification information of the target user through the interworking mobile communication system for a subscription query; if the registered mobile number and identification information in the identity verification results match, the identity verification process of the user is performed).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Woo for the legacy authentication server to compare session ID information of user ID information and the session ID information, which are included in the result of the QR code authentication when the QR code authentication result are received, with session ID information registered in a session ID information DB for the user ID information, and perform session authentication based on whether the pieces of session ID information match each other, wherein approval of provision of the service is determined when session authentication is succeeded.


Regarding Claim 9, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claim 7 above; however the combination does not explicitly teach wherein the legacy authentication server compares, when a type of authentication service for the authentication request is one of a transfer, a purchase and payment, and a stock trade, financial transaction information of user ID information and the financial transaction information included in the authentication result with financial transaction information stored in the session ID information DB for the user ID information, and performs authentication of financial transaction information depending on whether the pieces of financial transaction information match each other, wherein approval of provision of the service is determined when authentication of the financial transaction information is succeeded.
Woo further teaches wherein the legacy authentication server compares, when a type of authentication service for the authentication request is one of a transfer, a purchase and payment, and a stock trade, financial transaction information of user ID information and the financial transaction information included in the authentication result with financial transaction information stored in the session ID information DB for the user ID information (Paragraphs 0030, 0039, and 0034 teach when using a , and performs authentication of financial transaction information depending on whether the pieces of financial transaction information match each other, wherein approval of provision of the service is determined when authentication of the financial transaction information is succeeded (Paragraphs 0042, 0034, and 0053 teach the identity verification processing module of the authentication server, when the identity is verified through the identity verification processing module (successful identity verification), uses the mobile phone number and identification information of the target user through the interworking mobile communication system for a subscription query; if the registered mobile number 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Woo for the legacy authentication server to compare, when a type of authentication service for the authentication request is one of a transfer, a purchase and payment, and a stock trade, financial transaction information of user ID information and the financial transaction information included in the authentication result with financial transaction information stored in the session ID information DB for the user ID information, and perform authentication of financial transaction information depending on whether the pieces of financial transaction information match each other, wherein approval of provision of the service is determined when authentication of the financial transaction information is succeeded.
There is motivation to further combine Woo into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone for the same reasons listed above for claims 1 and 15.

	Regarding Claim 14, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claim 1 above; and Park further teaches wherein the QR authentication server performs, when the second QR code information is received from the portable authentication terminal, authentication based on whether terminal ID information of the portable authentication terminal, which is received from the portable authentication terminal, matches terminal ID information, which is mapped to the user ID information of the user of the portable authentication terminal and is stored in the QR authentication service subscriber DB (Paragraph 45, 50, and 53 teach a user information database stores a user ID and an authentication terminal ID, wherein the authentication terminal ID is an ID which enables the authentication terminal to be distinguished from other authentication terminals, and may be, for example, a unique value to the terminal; the authentication terminal may transmit an authentication terminal ID, together with the authentication validation key (i.e., QR code) to the authentication server, and the approval unit of the authentication server may transmit approval information which may include a result indicative that the extracted ID corresponds to the authentication terminal ID extracted from the authentication key storage and therefore the authentication is approved).

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of Varadarajan (US 20130124855) in further view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Heo (KR 101209448 B1) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043) in further view of Zhang (US 20140033286).

Regarding Claim 12, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claims 1 above; and Park transmitting the QR code image to the legacy authentication server (Park Paragraphs 32-33 teach the authentication key generation unit generates an authentication key in response to the reception of the authentication request from the service provision server and the authentication key transmission unit transmits the generated authentication key to the service provision server).
However, the combination does not explicitly teach wherein the QR authentication server collects QR code generation information in response to the QR code generation request signal, wherein the QR code generation information includes a site name of a service server, an authentication service type, financial transaction information, user ID information, and session ID information. 
Varadarajan further teaches wherein the QR authentication server collects QR code generation information in response to the QR code generation request signal, wherein the QR code generation information includes a site name of a service server, an authentication service type, financial transaction information, user ID information, and session ID information (Varadarajan Paragraphs 0057 and 0048-0049 teach the transaction information received by the key holder (i.e., mobile app) may include the value of the money being exchanged and/or the identity of the merchant with whom that money is being exchanged, as well as any other information that may be pertinent to the level of authentication required and/or the key selected (e.g., user name, address, account number, credit card number, CVV value, etc.); and the security server utilizes the transaction server to generate transaction information mentioned above along with a session identifier that identifies the log on session (i.e., where 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan for the QR authentication server to collect QR code generation information in response to the QR code generation request signal, wherein the QR code generation information includes a site name of a service server, an authentication service type, financial transaction information, user ID information, and session ID information.
There is motivation to further combine Varadarajan into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone for the same reasons listed above for claim 1.
However, the combination does not explicitly teach generates the first QR code information that includes the QR code generation information, a timestamp, which is a time of issuance of the QR code, and QR ID information and generates the QR code image corresponding to the generated first QR code information.
Zhang from same or similar field of endeavor teaches generates the first QR code information that includes the QR code generation information, a timestamp, which is a time of issuance of the QR code, and QR ID information and generates the QR code image corresponding to the generated first QR code information (Zhang Paragraphs 0109-0110 teach a client authentication module for authenticating an information access request from  was generated, wherein this information is used to generate the unique identifier).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan to generate the first QR code information that includes the QR code generation information, a timestamp, which is a time of issuance of the QR code, and QR ID information and generates the QR code image corresponding to the generated first QR code information.
There is motivation to combine Zhang into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone because the server is able to determine whether time shown in the identification code exceeds a predefined waiting time (Zhang Paragraph 0077).

Regarding Claim 13, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, Goldstone, and Zhang teaches all the limitations of claims 12 above; however the combination does not explicitly teach wherein the QR authentication server further: encrypts the generated first QR code information using a password registered in the QR authentication service subscriber DB for the user ID information of the QR code generation ii   nformation, wherein the QR code image generation unit generates the QR code image for the encrypted first QR code information. 
Varadarajan further teaches wherein the QR authentication server further: encrypts the generated first QR code information using a password registered in the QR authentication service subscriber DB for the user ID information of the QR code generation ii   nformation, wherein the QR code image generation unit generates the QR code image for the encrypted first QR code information (Paragraphs 0048 and 0058 teach the security server utilizes the transaction server to generate transaction information that includes a challenge to which the user must respond to authenticate the transaction; the key holder (i.e., part of the mobile application) may select a seed key that is stored utilizing key protection techniques, such as cryptographic camouflaging, wherein the user may be prompted to input a PIN or some other information (e.g., password, answer to a security question, biometric data, etc.) to recover the seed key).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, Goldstone, and Zhang to incorporate the further teachings of Varadarajan for the QR authentication server to further: encrypt the generated first QR code information using a password registered in the QR authentication service subscriber DB for the user ID information of the QR code generation ii   nformation, wherein the QR code image 
There is motivation to further combine Varadarajan into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, Goldstone, and Zhang for the same reasons listed above for claim 1.

Claims 25 is rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043) in further view of Marsico (US 20150170164).

Regarding Claim 25, the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone teaches all the limitations of claim 1 above; and Park further teaches selects the QR code authentication and transmits the QR code generation request signal to the QR authentication server (Park Paragraph 31 teaches the service provision server may request authentication from the authentication server).
However, the combination does not explicitly teach wherein the legacy authentication server, only when the received result of the determination indicates that the user is the subscriber of the QR code authentication service, selects the authentication.
Woo further teaches wherein the legacy authentication server, only when the received result of the determination indicates that the user is the subscriber of the QR code authentication service, selects the authentication (0066-0068 teach the authentication server transmits the mobile phone number and identification information of the user to the mobile communication system only when a push response signal is received from the mobile terminal, and confirms whether or not the identity is verified by confirming whether it matches the subscriber information registered in the mobile communication system (i.e., a verification procedure (i.e., subscription query) is performed); the authentication server provides the identity verification processing result of the user to the member company server, and the member company server proceeds with the user authentication process for the user whose identity verification process is completed (i.e., user is a subscriber) to provide a normal service to the user).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the further teachings of Woo for the legacy authentication server, only when the received result of the determination indicates that the user is the subscriber of the QR code authentication service, to select the authentication.
There is motivation to further combine Woo into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone because of the same reasons listed above for claims 1 and 15.
However, the combination does not explicitly teach wherein the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, transmits, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service.
Marsico from same or similar field of endeavor teaches wherein the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, transmits, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service (Paragraph 0047 teaches a user scans a virgin Sherpa Square scan code/tag, and user identifying information and SherpaSquareID information extracted from the scan code/tag is communicated to server; in the case where the scanning user is not a subscriber of scan-triggered services provided by scan-triggered server, then the user may be prompted to enter scan-triggered service subscription information (i.e., become a registered user of the scan-triggered service provider, etc.)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone to incorporate the teachings of Marsico for the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, to transmit, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service.
There is motivation to combine Marsico into the combination of Park, Varadarajan, DeSoto, Woo, Heo, Morgan, and Goldstone because a user may register himself as the owner of a Sherpa Square code/tag without interaction with .

Claims 15, 19, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043).

Regarding Claim 15, Park teaches an authentication method using a Quick Response (QR) code, comprising: transmitting, by a computer terminal, a QR code authentication request including user identification information and authentication scheme selection information, to a legacy authentication server (Paragraphs 31-32, 29, 34 and 36 teach user authentication is requested from a service provision server (i.e., legacy authentication server) by a client terminal (i.e., personal computer), wherein the client terminal receives a service from the service provision server, and the authentication key generation unit (i.e., of the authentication server) generates an authentication key, wherein the authentication key is a QR code (i.e., authentication scheme); although the present embodiment has the authentication key being displayed in the form of a QR code, the authentication key may be displayed in the form of text, 1D or 2D barcode, color barcode, or a smart tag); storing, by the QR authentication server, authentication service subscription information including user information, user terminal identification (ID) information, and user terminal password information (Paragraphs 44-45 teach a user information database is connected to the authentication server, wherein the user information database stores a user ID and an authentication terminal ID; the user ID and the authentication terminal ID may be input and stored when the user subscribes to the authentication system; example of the user include a resident registration number, an Internet Personal Identification Number (i-PIN), or a personal ID, and examples of the authentication terminal ID include a unique value to the terminal, such as the serial number (SN) of the authentication terminal, or a MAC Address; however, it is not necessarily limited thereto, the authentication terminal ID may be a Universal Subscriber Identity Module (USIM) card number, a mobile phone number, or an ID which is required when the authentication terminal accesses the authentication server; alternatively, the authentication terminal ID may be a combination of at least two of the above-described serial number, MAC address, USIM card number, mobile phone number and ID, for example, a single authentication terminal ID may be generated by combining the serial number of a smart phone, a USIM card number and a mobile phone number and may be stored in the user information DB); 7Application No. 15/104,880 selecting, by the legacy authentication server, a QR code authentication for a service based on the authentication scheme selection information; transmitting, by the legacy authentication server, a QR code generation request signal that includes QR code generation information including the user identification information, via the selected QR code authentication (Paragraphs 31 and 32 teach the service provision server may request authentication from the authentication server when user authentication is requested transmitting, by the legacy authentication server, the QR code image transmitted from the QR authentication server, to the computer terminal; displaying, by the legacy authentication server, the QR code image transmitted from the legacy authentication server (Paragraphs 33-34 teach the service provision server transmits the received authentication key to the client terminal, and the client terminal displays the received authentication key); scanning, by a portable authentication terminal, the QR code image (Paragraph 35 teaches when the client terminal displays the authentication key, the user may perform an authentication procedure by scanning the QR code displayed on the screen of the client terminal with an authentication terminal (i.e., mobile device), then the authentication terminal receives a character string included in the QR code); transmitting, by the portable authentication terminal, second QR code information acquired from the scanned QR code image, to the QR authentication server (Paragraphs 38-39 teach the authentication validation key reception unit of the authentication server receives the authentication validation key from the authentication terminal, and the approval unit of the authentication server may determine whether the received authentication validation key is valid by determining whether the authentication validation key corresponds to the previously generated authentication key; if the authentication validation key is the same as the previously generated authentication key, it is determined that the performing, by the QR authentication server, authentication by comparing the first QR code information and the second QR code information; transmitting, by the QR authentication server, a result of the authentication to both the legacy authentication server and the portable authentication terminal; receiving, by the legacy authentication server, the result of the authentication from the QR authentication server (Paragraphs 40 and 55 teach the approval processing unit transmits authentication approval information to the service provision server; additionally, the approval processing unit of the authentication server may transmit authentication success information to the authentication terminal); and approving, by the legacy authentication server, providing the service by the computer terminal when the received result indicates that the user is authenticated (Paragraph 41 teaches when the service provision server receives the authentication approval information, the service provision server establishes an authentication session with the client terminal so that the user can use the service).
However, Park does not explicitly teach collecting, by the QR authentication server, first QR code information; encrypting, by the QR authentication server, the collected first QR code information using a security key; generating, by the QR authentication server, a QR code image corresponding to the encrypted first QR code information; storing, by the QR authentication server, the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server; transmitting, by the QR authentication server, the generated QR code image to the legacy authentication server.
DeSoto from same or similar field of endeavor teaches collecting, by the QR authentication server, first QR code information; encrypting, by the QR authentication server, the collected first QR code information using a security key; generating, by the QR authentication server, a QR code image corresponding to the encrypted first QR code information (Paragraphs 0028-0029 teach an identity provider (i.e., QR authentication server) receives a request for a QR code for a login session from website server (i.e., legacy authentication server); the QR code may encrypt information to allow identity provider to uniquely identity website server and to enable identity provider to associate user/trusted device with a login session on website server; for example, the QR code may contain a key for retrieval of the security token associated with user/trusted device for the login session, an identifier for website server, and a time stamp; a QR code generation unit of the identity provider generates the QR code; the QR code generation unit may encrypt an amount of data and size the QR code such that the QR code may be scanned and decoded from a reasonable distance by trusted device), storing, by the QR authentication server, the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server; transmitting, by the QR authentication server, the generated QR code image to the legacy authentication server (Paragraphs 0041-0042 teach website server (i.e., legacy authentication server) requests the identity provider (i.e., QR authentication server) to generate a QR code; the website server may provide information that identifies 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have Park to incorporate the teachings of Desoto to collect, by the QR authentication server, first QR code information; encrypt, by the QR authentication server, the collected first QR code information using a security key; generate, by the QR authentication server, a QR code image corresponding to the encrypted first QR code information; store, by the QR authentication server, the generated QR code image and the collected first QR code information in a QR code generation DB included in the QR authentication server; and transmit, by the QR authentication server, the generated QR code image to the legacy authentication server.
There is motivation to combine DeSoto into Park because advantageously, the user may securely access websites from devices that may be unsecure, or have no or limited input capabilities. Security is enhanced because the user is not required to enter login credentials or other sensitive information into the unsecured devices that may be stolen, seen, or copied. The QR code itself does not need to contain an URL of the website, but may be encrypted to contain just enough information to uniquely identify the website and to tie the transactions together. The trusted application from the identity provider running on the trusted device and 
However, the combination of Park and DeSoto does not explicitly teach receiving, by the legacy authentication server, the QR code authentication request from the computer terminal; transmitting, by the legacy authentication server, a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to a QR authentication server; receiving, by the QR authentication server, the subscription query from the legacy authentication server; determining, by the QR authentication server, whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information; transmitting, by the QR authentication server, a result of the determination whether the user is the subscriber or non-subscriber of the QR code authentication service, to the legacy authentication server, wherein the approving comprises: performing, when the result of the authentication is received from the QR authentication server, session authentication based on whether session ID information included in the result of the QR code authentication matches with session ID information stored in a session ID information DB to correspond to the user authentication information included in the result of the QR code authentication, and granting a final approval for the service when session authentication is succeeded.
receiving, by the legacy authentication server, the QR code authentication request from the computer terminal; transmitting, by the legacy authentication server, a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to a QR authentication server (Paragraphs 0033-0034 teach when the member company server receives a user authentication processing request signal including a user's mobile phone number and identification information, the mobile phone number of the user and the mobile phone number of the user to the authentication server to verify (i.e., query a subscriber DB) the identity of the user who requested user authentication processing); receiving, by the QR authentication server, the subscription query from the legacy authentication server; determining, by the QR authentication server, whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information; transmitting, by the QR authentication server, a result of the determination whether the user is the subscriber or non-subscriber of the QR code authentication service, to the legacy authentication server (Paragraph 0034 teaches the authentication server transmits the mobile phone number and identification information to the mobile communication system to request the identity verification authentication service of the subscriber requesting confirmation of the match, wherein the mobile communication system queries the subscriber DB, checks whether the mobile phone number of the requested user matches the identification information, and provides the result as the subscriber's identity verification information; the mobile  wherein the approving comprises: performing, when the result of the authentication is received from the QR authentication server, session authentication based on whether session ID information included in the result of the QR code authentication matches with session ID information stored in a session ID information DB to correspond to the user authentication information included in the result of the QR code authentication (Paragraphs 0030, 0039, and 0034 teach when using a service that requires user authentication, the member company server requests user authentication (e.g., financial transactions, account services, payment services, and the like); the authentication request receiving module of the authentication server serves to receive a user authentication request signal including a mobile phone number and identification information of a user name (i.e., financial transaction information); here, the user authentication means to confirm and authenticate both the identity and the real name of the target user; the authentication server transmits the mobile phone number and identification information to the mobile communication system to request the identity verification authentication service of the subscriber requesting confirmation of the match, wherein the mobile communication system queries the subscriber DB, and provides the result as the subscriber's identity verification information; the mobile communication system may provide the subscriber's identity verification information to the authentication server, or may directly provide the subscriber's identity verification information to the member company server), and granting a final approval for the service when session authentication is succeeded (Paragraphs 0042, 0034, and 0053 teach the identity verification processing module of the authentication server, when the identity is verified through the identity verification processing module (successful identity verification), uses the mobile phone number and identification information of the target user through the interworking mobile communication system for a subscription query; if the registered mobile number and identification information in the identity verification results match, the identity verification process of the user is performed).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park and DeSoto to incorporate the teachings of Woo to receive, by the legacy authentication server, the QR code authentication request from the computer terminal; transmit, by the legacy authentication server, a subscription query whether a user is a subscriber or non-subscriber of a QR code authentication service, to a QR authentication server; receive, by the QR authentication server, the subscription query from the legacy authentication server; determine, by the QR authentication server, whether the user is the subscriber or non-subscriber of the QR code authentication service, based on the stored authentication service subscription information; transmit, by the QR authentication server, a result of the determination whether the user is the subscriber or non-subscriber of the QR code authentication service, to the legacy authentication server, wherein the approving comprises: perform, when the result of the authentication is received from the QR authentication server, session authentication based on whether session ID information included in the result of the QR code authentication matches with 
There is motivation to combine Woo into the combination of Park and DeSoto because if the member identification server authentication information of the subscriber is provided to the member company server, the member company server proceeds with the user authentication process based on the information, and if the authentication is successful for the service that requires user authentication, the member company server can provide normal service to the user (Woo Paragraph 0034).
However, the combination of Park, DeSoto, and Woo does not explicitly teach wherein the approving further comprises: comparing, when a type of authentication service in the authentication request is a financial transaction, with financial transaction information that is stored in the session ID information DB and is mapped to the session ID information, thus performing authentication of transaction information based on whether pieces of financial transaction information match each other, and granting the final approval when authentication of the transaction information is succeeded.
Morgan from same or similar field of endeavor teaches wherein the approving further comprises: comparing, when a type of authentication service in the authentication request is a financial transaction, with financial transaction information that is stored in the session ID information DB and is mapped to the session ID information, thus performing authentication of transaction information based on whether pieces of financial transaction information match each other (Paragraphs 0073 and 0058 teaches a mobile gateway is at least configured to receive an authorization request; the mobile gateway may be configured to transmit and receive data over one or more networks; in response to receiving an authorization request, mobile gateway may forward the authorization request to a payment processor authorization gateway; the mobile device may authenticate itself to a consumer's transaction account by way of mobile gateway and payment processor authorization gateway; for example, in an embodiment, mobile device may communicate a variety of data to mobile gateway, including a mobile device identifier, such as an electronic serial number (ESN), and a transaction account identifier (e.g., a 16 digit account number); the mobile gateway may forward data, including the ESN and transaction account identifier, from mobile device to payment processor authorization gateway; payment processor authorization gateway may authenticate mobile device to one or more transaction accounts held by the consumer by verifying that the mobile device is paired to a selected transaction account; to verify that a mobile device is paired to a transaction account, payment processor authorization gateway may verify that a transaction account identifier (e.g., a transaction account 16 digit number) and the ESN supplied by mobile device match a data record maintained by payment processor authorization gateway; that is, payment processor authorization gateway may compare a received transaction account identifier and mobile device identifier to verified records maintained by the gateway or in a database (not shown) coupled to the gateway), and granting the final approval when authentication of the transaction information is succeeded (Paragraph 0074 teaches payment processor authorization gateway may process an authorization request; payment processor authorization gateway may further transmit an authorization response to a merchant's e-commerce website server (or another merchant system) by way of an address or URL associated with the merchant's server; an authorization response may indicate approval or denial of an authorization request and may be based on a variety of factors and/or data, many associated with the internal business logic of a payment processor).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, and Woo to incorporate the teachings of Morgan for the approving further to comprise: comparing, when a type of authentication service in the authentication request is a financial transaction, with financial transaction information that is stored in the session ID information DB and is mapped to the session ID information, thus performing authentication of transaction information based on whether pieces of financial transaction information match each other, and granting the final approval when authentication of the transaction information is succeeded.
There is motivation to combine Morgan into the combination of Park, DeSoto, and Woo because one or more groups of unique QR codes may be associated with a group or groups of transactions. In this way, the potential for fraud may be minimized or reduced. For example, where each transaction is associated with a unique QR code, the difficulty associated with forging or generating a fraudulent QR code is greater. Thus, individuals who would commit transaction fraud by 
However, the combination of Park, DeSoto, Woo, and Morgan does not explicitly teach the financial transaction information is included in the result of QR code authentication, wherein the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction is an account transfer service, and includes multiple pieces of information among card company information, a card number, and payment amount information when the financial transaction is a payment service.
Goldstone from same or similar field of endeavor teaches the financial transaction information is included in the result of QR code authentication (Paragraphs 0046, 0048, and 0101 teach the mobile device scans the QR code and extract the transaction identifier, thus transferring the transaction identifier from , wherein the financial transaction information includes multiple pieces of information among bank transit information, sender account information, recipient account information, transfer amount information, transfer sender information, and recipient information when the financial transaction is an account transfer service, and includes multiple pieces of information among card company information, a card number, and payment amount information when the financial transaction is a payment service (Paragraph 0047 teaches the app transmits the transaction identifier to the communications gateway in data transfer; the communications gateway then uses the transaction identifier in data transfer to retrieve from the database all of the relevant transaction information associated with the transaction code; the database returns the relevant transaction information to the communications gateway; in particular, the merchant name and basket amount associated with the transaction code are retrieved, along with any other relevant information, such as the tracking reference, any delivery information and product description(s) and/or product photograph(s) that may be available).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the 
There is motivation to combine Goldstone into the combination of Park, DeSoto, Woo, and Morgan because use of this transaction service means that the consumer can save time because they do not need to spend time entering their payment details into the terminal in order to execute the transaction. It also improves security for the consumer because their payment details are not being transferred to a merchant, where the security of the payment details may be compromised either in transfer or whilst with the merchant (Goldstone Paragraph 0051).

Regarding Claim 19, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 15 above; and Park further teaches wherein the portable authentication terminal performs communication with the QR authentication server over a wired/wireless data communication network (Paragraph 27 teaches the authentication server is connected to the authentication terminal via a wired/wireless communication scans the QR code image displayed on the computer terminal (Paragraph 35 teaches the authentication terminal scans the QR code displayed on the client terminal), detects the second QR code information from the scanned QR code image, display the detected second QR code information (Paragraph 35 teaches the authentication terminal scans the QR code and receives a character string included in the QR code in compliance with QR code reverse conversion rules, so that the authentication validation key corresponding to the authentication key generated by the authentication server can be input to the authentication terminal); and transmits the second QR code information (Paragraph 38 teaches the authentication terminal transmits the received authentication validation key to the authentication server).

Regarding Claim 22, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 15 above; and Park further teaches wherein the QR authentication server performs, when the second QR code information is received from the portable authentication terminal, authentication based on whether terminal ID information of the portable authentication terminal, which is received from the portable authentication terminal, matches terminal ID information, which is mapped to the user ID information of the user of the portable authentication terminal and is stored in the QR authentication service subscriber DB (Paragraph 45, 50, and 53 teach a user information database stores a user ID and an authentication terminal ID, wherein the authentication terminal ID is an ID which enables the .

Claims 16-18, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043) in further view of Varadarajan (US 20130124855).

Regarding Claim 16, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 15 above; however the combination does not explicitly teach wherein the legacy authentication server includes a legacy authentication information database (DB) that stores pieces of legacy authentication information for respective pieces of user identification (ID) information, and a session ID information DB that stores Docket No. 601700-000020authentication service information including pieces of session ID information for respective pieces of user ID information, determines an authentication request scheme based on the authentication scheme selection information for the authentication request, performs legacy authentication with reference to the legacy authentication information DB when the authentication request scheme is found to be legacy authentication upon a determination of the authentication type; determines whether the user of the user ID information is a subscriber to the QR code authentication service through the QR authentication server when the authentication request scheme is found to be QR code authentication upon a determination of the authentication type, request, when the user is the subscriber to the QR code authentication service, issuance of a QR code by transmitting the QR code generation request signal including the user ID information, and transmits the QR code image received in response to the request signal to the computer terminal, and wherein the legacy authentication server is configured to, when the result of QR code authentication depending on transmission of the QR code image are received from the QR authentication server and indicate success, approve provision of the service.
Varadarajan from same or similar field of endeavor teaches wherein the legacy authentication server includes a legacy authentication information database (DB) that stores pieces of legacy authentication information for respective pieces of user identification (ID) information, and a session ID information DB that stores Docket No. 601700-000020authentication service information including pieces of session ID information for respective pieces of user ID information, determines an authentication request scheme based on the authentication scheme selection information for the authentication request, performs legacy authentication with reference to the legacy authentication information DB when the authentication request scheme is found to be legacy authentication upon a determination of the authentication type (Paragraphs 0030-0031 and 0047-0048 teach the transaction server comprises a memory a processor, wherein the processor is configured to execute the computer program code embodied on memory and to perform the various functions of the corresponding transaction server; the user initiating the transaction is identified with information that is unique to that user and/or his/her mobile device, for example, the user may be identified from the user name and password he/she inputs in the corresponding text boxes of a consumer portal using the personal computer and that user information is transmitted from the security client to the security server, wherein the security server utilizes the transaction server (i.e., legacy authentication server) to generate transaction information that includes a session identifier that identifies the log on session that requires authentication), determines whether the user of the user ID information is a subscriber to the QR code authentication service through the QR authentication server when the authentication request scheme is found to be QR code authentication upon a determination of the authentication type, request, when the user is the subscriber to the QR code authentication service, issuance of a QR code by transmitting the QR code generation request signal including the user ID information, and transmits the QR code image received in response to the request signal to the computer terminal, and wherein the legacy authentication server is configured to, when the result of QR code authentication depending on transmission of the QR code image are received from the QR authentication server and indicate success, approve provision of the service (Paragraphs 0039-0040 teach a consumer portal is illustrated that comprises transaction information presented in the form of a QR code as well as text boxes where a user is prompted to input his/her user name and password and the QR code may be generated based on the user name and password input into those text boxes; the user then may utilize the I/O device of his/her mobile device to scan or otherwise read the QR code into his/her mobile device to generate an OTP and a message comprising that OTP and the transaction information then may be transmitted automatically to the consumer portal to complete authentication, wherein the consumer portal may be hosted on a web server that comprises the transaction server, the encryption/decryption server, and the authentication server; the transaction server generates transaction information that determines the level of authentication required for a particular transaction and transmits that transaction information to the security client (i.e., personal computer); the encryption/decryption server decrypts that message and transmits the decrypted OTP and transaction information to the authentication server; and the authentication server validates the OTP utilizing the transaction information that was presented in the QR code).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan for the legacy authentication server to include a legacy authentication information database (DB) that stores pieces of legacy 
There is motivation to further combine Varadarajan into the combination of Park, DeSoto, Woo, Morgan, and Goldstone users can easily login to their retail, banking or other sensitive accounts by just scanning a QR code displayed on the login page of these websites using their mobile phone. By marrying the security of a two factor credential on a mobile device with the convenience and user-

Regarding Claim 17, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claims 15 above; and Park further teaches wherein the generating the QR code image (Paragraphs 31-32 teach the service provision server may request authentication from the authentication server; the authentication key generation unit generates an authentication key in response to the reception of the authentication request from the service provision server Paragraph 33 teaches the authentication key transmission unit transmits the generated authentication key to the service provision server).
	However, the combination does not explicitly teach generating the first QR code information, which includes the collected QR code generation information; and generating the QR code image corresponding to the generated first QR code information.
	Varadarajan from same or similar field of endeavor teaches generating the first QR code information, which includes the collected QR code generation information; and generating the QR code image corresponding to the generated first QR code information (Paragraphs 0046 and 0048-0050 teach the user initiates a transaction at the personal computer by inputting his/her user name and password (i.e., transaction information), and the security server utilizes 
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan to generate the first QR code information, which includes the collected QR code generation information; and generate the QR code image corresponding to the generated first QR code information.
There is motivation to further combine Varadarajan into the combination of Park, DeSoto, Woo, Morgan, and Goldstone for the same reasons listed above for claims 16.

Regarding Claim 18, the combination of Park, DeSoto, Woo, Morgan, Goldstone, and Varadarajan teaches all the limitations of claims 17 above; however the combination does not explicitly teach wherein the generating the QR code image further comprises: encrypting the first QR code information by applying a password corresponding to the user, which is registered in a QR authentication service subscriber DB, as a security key, and generating the QR code image based on the encrypted first QR code information.
Varadarajan further teaches wherein the generating the QR code image further comprises: encrypting the first QR code information by applying a password corresponding to the user, which is registered in a QR authentication service subscriber DB, as a security key, and generating the QR code image based on the encrypted first QR code information (Paragraphs 0048-0049 and 0058 teach the security server utilizes the transaction server to generate transaction information that includes a challenge to which the user must respond to authenticate the transaction and transmits the QR code to the security client (i.e., personal computer); the key holder (i.e., part of the mobile application) may select a seed key that is stored utilizing key protection techniques, such as cryptographic camouflaging, wherein the user may be prompted to input a PIN or some other information (e.g., password, answer to a security question, biometric data, etc.) to recover the seed key).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, Goldstone, and Varadarajan to incorporate the further teachings of Varadarajan for generating the QR code image to further comprise: encrypting the first QR code information by applying a password corresponding to the user, which is registered in a QR authentication service subscriber DB, as a security key, and generating the QR code image based on the encrypted first QR code information.
There is motivation to further combine Varadarajan into the combination of Park, DeSoto, Woo, Morgan, Goldstone, and Varadarajan for the same reasons listed above for claims 1 and 15.

Regarding Claim 21, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 19 above; however the combination wherein the portable authentication terminal checks an integrity of the QR code using a hash value included in the decrypted second QR code information, and transmits the second QR code information to the QR authentication server when the integrity check is passed.
Varadarajan from same or similar field of endeavor teaches wherein the portable authentication terminal checks an integrity of the QR code using a hash value included in the decrypted second QR code information, and transmits the second QR code information to the QR authentication server when the integrity check is passed (Paragraphs 0054-0055 and 0061 teach the I/O device of the mobile device may comprise a sensor that detects the two-dimensional digital image of the QR code and converts it into an electronic signal and the processor of the mobile device may detect the data corresponding to the small black squares of the image and convert said data to binary numbers and make a validity check with an error-correcting code; then the binary numbers are used to decode the transaction information from the QR code and used to create a signed message that is then transmitted from the key holder to the security server as authentication information).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, and Goldstone to incorporate the further teachings of Varadarajan for the portable authentication terminal to check an integrity of the QR code using a hash value included in the decrypted second QR 
There is motivation to further combine Varadarajan into the combination of Park, DeSoto, Woo, Morgan, and Goldstone for the same reasons listed above for claim 16.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043) in further view of Heo (KR 101209448 B1).

Regarding Claim 20, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 19 above; however the combination does not explicitly teach wherein the generating the QR code image comprises: encrypting the first QR code information using a password preset for the user of the user ID information as the security key; and transmitting the encrypted first QR code information; wherein the analyzing the scanned QR code image and extracting the second QR code information comprises: requesting, after the second QR code information has been extracted, the user to input a password corresponding to the security key; receiving the password from the user; and then decrypting the encrypted second QR code information using the password.
Heo from same or similar field of endeavor teaches wherein the generating the QR code image comprises: encrypting the first QR code information using a password preset for the user of the user ID information as the security key (Paragraphs 0043, 0038, and 0046 teach registration of the user information is registered once as environment setting information at the time of initial driving after installation of the MOTP generation program; the application providing module stores user information (password), program information (program ID) and MOTP terminal information (telephone number, terminal unique number) in a DB by user information registration; the password is a user-configured password used for encryption in one-time symmetric key transmission; the authentication server generates a QR code by using MOTP terminal information (telephone number, terminal device number) and password already registered from the user as an encryption key; that is, the authentication server generates a QR code by encrypting the serial number of all transaction data with the encryption key, and the password is a user-set password used for encryption when transmitting a one-time symmetric key; the encryption process is that the application providing module encrypts the entire transaction information using the MOTP terminal information and the password registered by the user as the encryption key); and transmitting the encrypted first QR code information (Paragraph 0053 teaches the QR code input module scans the QR code displayed on the screen of the user Internet terminal (i.e., QR code was transmitted to user Internet terminal (i.e., computer terminal) and converts the image information into a serial number), wherein the analyzing the scanned QR code image and extracting the second QR code information comprises: requesting, after the second QR code information has been extracted, the user to input a password corresponding to the security key; receiving the password from the user; and then decrypting the encrypted second QR code information using the password (Paragraphs 0049, 0051, and 0054 teach the MOTP terminal (i.e., portable authentication terminal) according to an embodiment of the present invention downloads an installation application and is installed as a MOTP generating program, and then the user registration module is used for transmitting and registering the service usage information of the user in the initial execution; each time the MOTP generating program is executed, the password input module receives a password from the user and the QR code input module scans the QR code from the screen of the user Internet terminal (i.e., computer terminal) to receive the serial number of the received QR code; the QR code decryption module is used for decryption processing and MOTP generation module is user for generating a MOTP authentication number using the decrypted QR code as a one-time symmetric key; the above components may be implemented as sub programs constituting the MOTP generating program; the password input module receives a preset password from the user in the initial screen every time the MOTP generation program is executed to generate the MOTP authentication number; the password entered by the user is used to decrypt the scanned QR code and then removed from memory; the QR code decryption module decrypts the converted serial number using the terminal information and the input password as a decryption key; here, the decryption key corresponds to the encryption key of the QR code generation module).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, and Goldstone to incorporate the 
There is motivation to combine Heo into the combination of Park, DeSoto, Woo, Morgan, and Goldstone because the present invention solves the problems of the conventional user authentication system. For example, in the conventional system, the ARS or SMS communication costs are involved every time the authentication code is issued. Since the mobile phone is based on communication, there is a problem that the authentication code is not issued in the communication shadow area. In addition, when the mobile phone is duplicated, the authentication code is also transmitted to the duplicated mobile phone, and a third party may make an illegal transaction with the duplicated OTP generator. The base invention is improved because the server provides a user with a one-time symmetric key with a QR code, and the user scans the QR code to provide a MOTP authentication system and a MOTP authentication method (Heo Paragraphs 0004-0005, 0007-0008).

Claims 26 is rejected under 35 U.S.C. 103 as being unpatentable over Park (WO 2012043963 A1) in view of DeSoto (US 20130219479) in further view of Woo (KR 20130093337) in further view of Morgan (US 20120203605) in further view of Goldstone (US 20160005043) in further view of Marsico (US 20150170164).

Regarding Claim 26, the combination of Park, DeSoto, Woo, Morgan, and Goldstone teaches all the limitations of claim 15 above; and Park further teaches selects the QR code authentication and transmits the QR code generation request signal to the QR authentication server (Park Paragraph 31 teaches the service provision server may request authentication from the authentication server).
However, the combination does not explicitly teach wherein the legacy authentication server, only when the received result of the determination indicates that the user is the subscriber of the QR code authentication service, selects the authentication.
Woo further teaches wherein the legacy authentication server, only when the received result of the determination indicates that the user is the subscriber of the QR code authentication service, selects the authentication (0066-0068 teach the authentication server transmits the mobile phone number and identification information of the user to the mobile communication system only when a push response signal is received from the mobile terminal, and confirms whether or not the identity is verified by confirming whether it matches the subscriber information registered in the mobile communication system (i.e., a verification procedure (i.e., subscription query) is performed); the authentication server provides the identity verification processing result of the user to the member company server, and the member company server proceeds with the user authentication process for the user whose identity verification process is completed (i.e., user is a subscriber) to provide a normal service to the user).

There is motivation to further combine Woo into the combination of Park, DeSoto, Woo, Morgan, and Goldstone because of the same reasons listed above for claims 1 and 15.
However, the combination does not explicitly teach wherein the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, transmits, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service.
Marsico from same or similar field of endeavor teaches wherein the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, transmits, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service (Paragraph 0047 teaches a user scans a virgin Sherpa Square scan code/tag, and user identifying information and SherpaSquareID information extracted from the scan code/tag is communicated to server; in the case where the scanning user is not a subscriber of scan-triggered services provided by scan-triggered server, then 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Park, DeSoto, Woo, Morgan, and Goldstone to incorporate the teachings of Marsico for the legacy authentication server, when the received result of the determination indicates that the user is the non-subscriber of the QR code authentication service, to transmit, to the computer terminal, a message prompting the user to decide whether to subscribe to the QR code authentication service.
There is motivation to combine Marsico into the combination of Park, DeSoto, Woo, Morgan, and Goldstone because a user may register himself as the owner of a Sherpa Square code/tag without interaction with or by a registration agent. This mode of operation may be used to provide a mode of operation that gives user's a “one-time” self-registration process (Marsico Paragraph 0047).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory 
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Glencross (US 20140058943) teaches initially, the ATM informs the user via the ATM display that a customized transaction is available for the user and can be executed by capturing an image of a barcode (in this embodiment, a QR code) presented a screen on the display. In response to this, the user launches the mobile phone app (step 242) and captures an image of the barcode using a camera (not shown) in the mobile phone (step 244). The mobile phone app decodes this captured image of the barcode (step 246) to produce a text string. When the mobile phone app parses the content of the barcode, it presents a sequence of screens to the user on the mobile phone's display that prompt the user to enter information or make selections (step 256). Each screen is populated by information decoded from the barcode. The barcode encodes information specific to the user that has been selected by the ATM owner or operator (or an institution maintaining the account for the user). For example, this information may include a special loan rate for a pre-approved amount of money. (Paragraphs 0106-0107 and 0112).
Chang et al. (US 20100211506) teaches an object of the present invention is to provide a mobile transaction system and method. A two-dimensional barcode image can be captured for a mobile transaction, and the two-dimensional barcode 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.P.J./Examiner, Art Unit 3685
                                                                                                                             /JAY HUANG/Primary Examiner, Art Unit 3685