DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendment filed 14 JAN 2021 has been entered. Claims 1-2, 4-15, and 17-20 remain pending in the application. 

Claim Objections
Claim 12 is objected to because of the following informalities:  
In claim 12, line 22, “verification of user authentication credentials” should read --verification of the user authentication credentials--.  
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:



Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the user authentication credentials" in line 20.  There is insufficient antecedent basis for this limitation in the claim.
	Claim 1 recites the limitation "the public key" in line 26.  There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction/clarification is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-2, 4-15, and 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial 
Claims 1-2 and 4-11 are drawn to a method which is within the four statutory categories (i.e., a process). Claims 12-15 and 17-20 are drawn to a computing server or one or more computer-readable memory devices which is within the four statutory categories (i.e. a machine).
Since the claims are directed toward statutory categories, it must be determined if the claims are directed towards a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea). Based on consideration of all of the relevant factors with respect to the claim as a whole, claims 1-2, 4-15, and 17-20 are determined to be directed to an abstract idea. The rationale for this determination is explained below:  
With respect to claims 1 and 12:
Claims 1 and 12 are drawn to an abstract idea without significantly more. The claims recite providing the web browser application on the computing device with a WebAuthN (Web Authentication) API (application program interface), personalizing the computing device by cryptographically binding the computing device with a user account using the private key of the WebAuthN keypair, using the web browser application to initiate a transaction for goods or services, encrypting a digital signature utilizing the private key, transmitting the 
The limitations of providing the web browser application, personalizing the computing device, using the web browser application to initiate a transaction for goods or services, providing a response to an attestation challenge, receiving user authentication credentials, verifying the user authentication credentials, identifying security measures, transmitting the identified security measures, receiving security credentials, and authorizing a transaction responsive to the security credentials, as stated, are processes that, under its broadest reasonable interpretation, cover Certain Methods Of Organizing Human Activity such as fundamental economic principles or practices (including hedging, insurance, mitigating risk) or commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations). For example, 

The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements in the process amounts to no more than mere instructions to apply the exception using generic computer components. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.
With respect to claims 2, 4-11, 13-15, and 17-20:
Dependent claims 2, 4-11, 13-15, and 17-20 include additional limitations, for example, generating a confirmation cryptogram, configuring the WebAuthN API, receiving another security criteria, establishing the WebAuthN private key and public key, and establishing and identifying authorized computing device, but none of these limitations are deemed significantly more than the abstract idea because, as stated above, they require no more than generic computer structures or signals to be executed, and do not recite any Improvements to the functioning of a computer, e.g., a modification of conventional Internet hyperlink protocol to dynamically produce 
	Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Furthermore, looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology, and their collective functions merely provide conventional computer implementation or implementing the judicial exception on a generic computer. 
Therefore, whether taken individually or as an ordered combination, claims 2, 4-11, 13-15, and 17-20 are nonetheless rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-7, 9, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Bharadwaj et al. (“Web Authentication An API for accessing Scoped Credentials”, September 28, 2016; already of record in IDS; hereinafter Bharadwaj) in view of Leyva (US 2016/0180333 A1; hereinafter Leyva), in further view of Park et al. (US 2016/0253651 A1; hereinafter Park), and in still further view of Kirsch (US 20120323717 A1; hereinafter Kirsch).
With respect to claim 1:
	Bharadwaj teaches a method performed on a computing device with a web browser application, the computing device having access to a network, the method comprising: (See at least Bharadwaj: page 9, line 34 through page 10, line 17; page 5, lines 1-2 & 7-9; page 8, line 12; page 17, lines 11-12; page 31, line 6-21)
providing the web browser application on the computing device with a WebAuthN (Web Authentication) API (application program interface) to facilitate online user authentication for a transaction for goods or services using at least a private/public WebAuthN keypair with a host service that is instantiated on a first remote computing platform..., wherein a private key of the WebAuthN keypair is protected in a secure cryptoprocessor in the computing device: (By disclosing, the credentials belong to the user (1st entity) and are managed by an authenticator (2nd entity), with which the Relying Party (3rd entity) interacts through the client (consisting of the browser and underlying OS platform). In addition, the attestation private key and the Relying Party-specific public key are established, and the authenticator itself contains a cryptographic module (TPM). See at least Bharadwaj: page 9, line 34 through page 10, line 17; page 5, lines 1-2 & 7-9; page 8, line 9-12; page 17, lines 11-12; page 31, line 6-21; page 6, lines 17-20; page 26, lines 19-25; page 38, lines 23-25; Abstract)
personalizing the computing device the computing device by cryptographically binding the computing device with a user account using the private key of the WebAuthN keypair; (By disclosing, the user navigates to example.com (remote computing platform), and the user’s computing device is registered by creating a scoped credential on an authenticator and associating it with the user’s Relying Party account. In addition, the authenticator maps the private key to the Relying Party’s RP ID and stores it. See at least Bharadwaj: page 5, lines 25-30; page 8, lines 34-37; page 9, lines 11-20)
using the web browser application on the computing device to initiate the transaction for goods and services at a merchant's website instantiated on the host service on the first remote computing platform;... (By disclosing, the user is prompted (initiating) for authorization gesture in order to authorize a single transaction in example.com (merchant’s website). See at least Bharadwaj: page 6, lines 17-20)
transmitting the encrypted digital signature from the web browser application on the computing device to an authentication service on a second remote computing device which verifies the user authentication credentials by successfully decrypting the encrypted digital signature using the public key of the WebAuthN keypair, in which encryption of the private key at the computing device and successful decryption of the private key at the second remote computing device provides the computing device with emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard...; and... (By disclosing, the scoped credentials produce a cryptographic signature providing proof of possession of a private key for web authentication assertion. The clientData member contains the parameters sent to the authenticator by the client. In addition, the Relying Party uses its copy of the stored public key to verify the resultant WebAuthN Assertion. See at least Bharadwaj: page 18, lines 4-17; page 9, lines 11-20 & 29-31; page 8, lines 12-16)
	However, Bharadwaj does not teach explicitly 
...a host service... operated by a merchant of the goods or services...,
...at the computing device, encrypting a digital signature utilizing the private key of the WebAuthN keypair to provide the user authentication credentials.
...in which encryption of the private key at the computing device and successful decryption of the private key at the second remote computing device provides the computing device with emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard as a first factor in two-factor authentication of the user account according to the EMV standard, and

	Leyva, directed to single sign-on using a secure authentication system and thus in the same field of endeavor, teaches 
...a host service... operated by a merchant of the goods or services,... (By disclosing, the user may utilize an interface provided by the online banking server computer 104 to select goods or services of a merchant and initiate a checkout process for a transaction. The "wallet application" may be a software application that is provided to perform a variety of transactions, such as but not limited to eCommerce, social networks, money transfer/personal payments, mobile commerce, proximity payments, gaming, and/or the like for retail purchases, digital goods purchases, utility payments, purchasing games or gaming credits from gaming websites, transferring funds between users, and/or the like. Fig. 2 shows a buyer computer 50 (computing device), a seller server 51 (host service), and a commerce gateway 52 (authentication service). See at least Leyva: paragraph(s) [0065] & [0033]; Figs. 1-3)

Park, directed to electronic payment system and thus in the same field of endeavor, teaches 
...transmitting the encrypted digital signature from the web browser application on the computing device to an authentication service on a second remote computing device which verifies the user authentication credentials by successfully decrypting the encrypted digital signature using the public key of the WebAuthN keypair, in which encryption of the private key at the computing device and successful decryption of the private key at the second remote computing device provides the computing device with emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard as a first factor in two-factor authentication of the user account according to the EMV standard. (By disclosing, the payment relay module 1841 having acquired a token or key, using an SDK of VISA.RTM. credit card, may transfer the token or key to the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj and Leyva to incorporate the electronic payment system teachings of Park for the benefit of user authentication. (See at least Park: paragraph(s) [0248])
Kirsch, directed to a method for determining a transaction authentication level and thus in the same field of endeavor, teaches 
...at the computing device, encrypting a digital signature utilizing the private key of the WebAuthN keypair to provide the user authentication credentials. (By disclosing, “Sharing the encryption private”... on device initialization, a signature key 
...transmitting the encrypted digital signature from the web browser application on the computing device to an authentication service on a second remote computing device which verifies the user authentication credentials by successfully decrypting the encrypted digital signature using the public key of the WebAuthN keypair, in which encryption of the private key at the computing device and successful decryption of the private key at the second remote computing device provides the computing device with emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard as a first factor in two-factor authentication of the user account according to the EMV standard (By disclosing, oneid.com then converses with the remote site to prove OneID has the user's credentials (i.e., we do a full mutual auth where the challenge is tied to the socket so it can't be reused anywhere and since the remote website has our public key, they can verify the 
...providing, from the computing device to the authentication service on the second remote computing device, a response from the user to an attestation challenge as a second factor in the two-factor authentication of the user account according to the EMV standard. (By disclosing, the OneID app can be asked by the remote website to sign an authorization which attests to the user agreeing to charge a credit card owned by the user. See at least Kirsch: paragraph(s) [0405] & [0549])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj, Leyva, and Park to incorporate the method for determining a transaction authentication level teachings of Kirsch for the benefit of providing participating parties the opportunity to control the tradeoff between security and convenience and tailoring authentication levels to meet the security needs for different types of transactions. (See at least Kirsch: paragraph(s) [0012])
Examiner’s Note: 
The limitations “to facilitate online user authentication for a transaction for goods or services using at least a private/public WebAuthN keypair with a host service that is instantiated on a first remote computing platform and operated by a merchant of the goods or services” in claim 1, lines 5-8; “to initiate the transaction for goods and services at a merchant's website instantiated on the host service on the first remote computing platform” in claim 1, lines 16-18; “to provide the user authentication credentials” in claim 1, line 20; and “in which encryption of the private key at the computing device and successful decryption of the private key at the second remote computing device provides the computing device with emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard as a first factor in two-factor authentication of the user account according to the EM standard” in claim 1, lines 26-31 are an intended use. No patentable weight is given. 
The recitation of the intended use of the claimed invention does not serve to differentiate the claim from the prior art. MPEP § 2103 I C states that language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claim 
With respect to claim 2:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 1, as stated above.
Bharadwaj further teaches wherein the transaction is initiated at a website accessed by the web browser application, and the authentication service is unassociated with the website. (By disclosing, the user navigates to example.com in the browser, and the web page shows that the user is signed-in, and then navigates to the signed-in page (unassociated with the website example.com). See at least Bharadwaj: page 5, line 25 through page 6, line 1; page 6, lines 10-20; page 26, lines 15-20)
With respect to claim 5:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 2, as stated above.
Bharadwaj further teaches further including generating a confirmation cryptogram that is transmitted to one of a server associated with the website or the authentication service. (By disclosing, the authenticator returns the authenticationData and the raw signature back to the client, and the client returns clientDataJSON, authenticatorData and the signature to the Relying Party, which consists of a server component and a web-
With respect to claim 6:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 5, as stated above.
Leyva, in the same field of endeavor, further teaches wherein the generated confirmation cryptogram includes details about the transaction. (By disclosing, the cryptogram provides proof that the access control server computer 112A verified the user’s sing sign on data, and the single sign-on data may include the issuer identifier and payment account (details) used in the transaction. See at least Leyva: [0070] lines 10-13; [0066] lines 8-14. See also Leyva: paragraph(s) [0070], [0073] & [0099] and Park: paragraph(s) [0262])
With respect to claim 7:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 1, as stated above.
Bharadwaj further teaches further comprising configuring the WebAuthN API of the web browser application to include providing additional security information to the authentication service that is separate from the digital signature. (By disclosing, the WebAuthN authenticator is capable of dynamically 
With respect to claim 9:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 7, as stated above.
Bharadwaj further teaches wherein the WebAuthN API of the web browser application is re-configurable such that the additional security information provided to the authentication service is customizable based on proprietary programming. (By disclosing, the authorization gesture was configured previously based on the W3C (proprietary programming). See at least Bharadwaj: page 5, line 32; page 1, lines 1-3)
With respect to claim 11:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 1, as stated above.
Bharadwaj further teaches wherein the personalizing includes establishing the WebAuthN private key and a WebAuthN public key, in which the private key is stored in a secure cryptoprocessor, including a trusted platform module (TPM). (By disclosing, the attestation private key and the Relying Party-specific public key are established, and the authenticator itself contains a cryptographic module (TPM). See at least 
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Bharadwaj in view of Leyva, and in further view of Park and Kirsch, as applied to claim 1, and in still further view of Laporta (US 2016/0283946 A1; hereinafter Laporta).
With respect to claim 4:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 1, as stated above.
Bharadwaj further teaches wherein the attestation challenge includes one or more of a PIN (personal identification number), password, ..., or biometric data including fingerprint verification, iris scan, or .... (By disclosing, the authenticator authorizes the invocation of the authenticatorGetAssertion operations through a touch plus pin code (PIN), a password, and a gesture (e.g., presenting a fingerprint) or other modality. See at least Bharadwaj: page 9, lines 25-28)
Park, in the same field of endeavor, further teaches wherein the attestation challenge includes one or more of a PIN (personal identification number), password, pattern input, or biometric data including fingerprint verification, iris scan, or ... (See at least Park: [0247], [1008] & [1624]).
... facial recognition.
Laporta, directed to system and method for mobile payment and personal identification and thus in the same field of endeavor, teaches ...biometric data including ...iris scan, or facial recognition... (Laporta: paragraph(s) [0040])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj, Leyva, Park, and Kirsch to incorporate the system and method for mobile payment and personal identification of Laporta for the benefit of providing another option even when the user is not verified as a real person. (See at least Laporta: paragraph(s) [0040])
Claims 8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Bharadwaj in view of Leyva, in further view of Park and Kirsch, as applied to claims 1 and 7, and in still further view of Karmal et al. (US 2016/0005038 A1; already of record in IDS; hereinafter Karmal).
With respect to claim 8:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 7, as stated above. 
Bharadwaj further teaches wherein the additional security information includes one or more of a type of computing device, ... (By disclosing, each authenticator has an AAGUID, indicating the type (e.g., make and model) of the authenticator, which is used for certification level and strength of key protection. See at least Bharadwaj: page 9, lines 13-14; page 23, lines 16-20; page 30, line 30 through page 31, line 1)
Park, in the same field of endeavor, further teaches ... whether the computing device has been rooted, alterations to a boot sequence of the computing device, or .... (Park: paragraph(s) [0278])
	However, Bharadwaj, Leyva, Park, and Kirsch do not teach ... whether the computing device has been rooted, alterations to a boot sequence of the computing device, or verification of secure socket layer (SSL) certificates.
	Karmal, directed to enhanced user authentication platform and thus in the same field of endeavor, teaches ... verification of secure socket layer (SSL) certificates. (Karmal: paragraph(s) [0005]) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj, Leyva, Park, and Kirsch to incorporate the enhanced user authentication platform teachings of Karmal for the benefit of providing an enhanced security against hacking. (See at least Karmal: paragraph(s) [0005])
With respect to claim 10:
	Bharadwaj, Leyva, Park, and Kirsch teach the method of claim 1, as stated above. 
Bharadwaj further teaches further comprising receiving additional security criteria from the authentication service, the additional security criteria including hardware requirements, network requirements, ..., application notification, ..., additional user authentication, encryption standards, or .... (See at least Bharadwaj: page 27, lines 16-17; page 6, lines 8-9; page 56, line 8, page 5, lines 15-18)
Park, in the same field of endeavor, teaches ...e-mail notification, ...website credibility ... (See at least Park: paragraph(s) [1038] & [1943])
	Karmal, in the same field of endeavor, teaches ... secure socket layer (SSL) check. (See at least Karmal: paragraph(s) [0005]) 
Claims 12-13, 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bharadwaj et al. (“Web Authentication An API for accessing Scoped Credentials”, September 28, 2016; already of record in IDS; hereinafter Bharadwaj) in view of Park et al. (US 2016/0253651 A1; hereinafter Park), in further view of Leyva (US 2016/0180333 A1; hereinafter Leyva), and in still further view of Kirsch (US 20120323717 A1; hereinafter Kirsch).
With respect to claim 12:
 a computing server having connectivity to a network and a WebAuthN (Web Authentication) API (application program interface) for online user authentication for a transaction for goods or services between a user of a first remote computing device and a merchant of the goods or services that provides a website on a second remote computing device, comprising: ...(As stated above with respect to claim 1, and see also at least Bharadwaj: page 20, lines 10-13; page 26, lines 11-18)
receive user authentication credentials from the first remote computing device that includes a WebAuthN API within a browser application in which the WebAuthN API provides a private/public WebAuthN keypair..., in which the received user authentication credentials comprise a digital signature that is encrypted by the browser application utilizing a private key of the WebAuthN keypair to bind the first remote computing device to an account associated with the user, wherein the private key of the WebAuthN keypair is protected in a secure cryptoprocessor in the first remote computing device; (By disclosing, PIN is sent to the SmartMX. This is a two-factor authentication. See at least Kirsch: paragraph(s) [0479]. See also Laporta: paragraph [0048]); (By disclosing, the attestation structure contains all the information (user credentials) that the Relying Party’s server requires for validation. In addition, the user navigates 
identify at the computing server one or more security measures in response to the verification of user authentication credentials,...; (By disclosing, the created scoped credential can be accessed (identify) by original belonging to the Relying Party. Bharadwaj: page 4, line 31; page 5, lines 1-3 & 8-12)
transmit the identified security measures from the computing server to the first remote computing device; (By disclosing, the Relying Party is presented with (transmit) a WebAuthN Assertion proving the presence and consent of the user who registered the scoped credential. See at least Bharadwaj: page 5, lines 10-13) 
receive security credentials from the first remote computing device in response to the transmitted security measures at the computing server...; and (By disclosing, a scoped credential is created on an authenticator (first remote computing device), and the Relying Party is presented with a WehAuthN Assertion proving the presence and consent of the user 
authorize a transaction responsive to the security credentials being verified at the computing server, ... (By disclosing, upon successful authentication, the server does whatever it would do (transaction). See at least Bharadwaj: page 56, lines 16-23)
However, Bharadwaj does not teach 
...one or more processors; 
memory storing computer-readable instructions which, when executed by the one or more processors, perform a method comprising the steps of: ...
...that provides for emulation of functionality, at the first remote computing device, of a chip-enabled physical card in an EMV (Europay, Mastercard, and Visa) payment process using two-factor authentication,...;
verify the user authentication credentials by successfully decrypting the digital signature using a public key of the WebAuthN keypair at the computing server;
...in which encryption of the private key at the first remote computing device and successful decryption of the private key at the computing server emulates functionality of the chip in the EMV payment process as a first factor in the two-factor 
...as a second factor in the two-factor authentication of the user account according to the EMV payment process;
...in which authorizing the transaction enables the first remote computing device to generate a payment cryptogram that is transmitted to the second remote computing device to facilitate execution of the transaction with the merchant.
Park, directed to electronic payment system and thus in the same field of endeavor, teaches 
one or more processors; (Park: paragraph(s) [0095])
memory storing computer-readable instructions which, when executed by the one or more processors, perform a method comprising the steps of: (Park: paragraph(s) [0095])
...that provides for emulation of functionality, at the first remote computing device, of a chip-enabled physical card in an EMV (Europay, Mastercard, and Visa) payment process using two-factor authentication,...; (By disclosing, the payment relay module 1841 having acquired a token or key, using an SDK of VISA.RTM. credit card, may transfer the token or key to the payment module within the TEE 1820, using a Samsung SDK. According to an embodiment of the present disclosure, the payment relay module 1841 may further include, on a payment framework, a host card emulation (HCE) function which enables a 
...receive security credentials at the computing server from the first remote computing device in response to the transmitted security measures as a second factor in the two-factor authentication of the user account according to the EMV payment process; (By disclosing, the OneID app can be asked by the remote website to sign an authorization which attests to the user agreeing to charge a credit card owned by the user. Embodiments include a method for secure transmission of information between a requestor and a message for secure micropayments, a message for auth, a message sending information, a signed request for a credit card company to make a transfer of funds to a merchant, a QR code scan initiated request to call OneID passing it a URL which can start a transaction sequence, or the like. The transaction sequence can be initiated from a QR code reader which reads the QR code, deciphers a Oneid: protocol request, and calls Oneid: in order to process the transaction. The QR code being scanned causes it 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the web authentication teachings of Bharadwaj to incorporate the electronic payment system teachings of Park for the benefit of user authentication. (See at least Park: paragraph [0248])
Leyva, directed to single sign-on using a secure authentication system and thus the same field of endeavor, further teaches 
...in which authorizing the transaction enables the first remote computing device to generate a payment cryptogram that is transmitted to the second remote computing device to facilitate execution of the transaction with the merchant. (By disclosing, an authorization request message may include at least a transaction amount, a primary account number or payment token, and the cryptogram. The issuer computer 112 may then check to see if the user has sufficient funds and/or credit in the account being used to conduct the transaction, and also checks to see if it received the cryptogram that it previously sent during the authentication process. See at least Leyva: paragraph(s) [0070], [0073] & [0099])

Kirsch, directed to a method for determining a transaction authentication level and thus in the same field of endeavor, teaches 
verify the user authentication credentials by successfully decrypting the digital signature using a public key of the WebAuthN keypair at the computing server; (By disclosing, the scoped credentials produce a cryptographic signature providing proof of possession of a private key for web authentication assertion. The clientData member contains the parameters sent to the authenticator by the client. In addition, the Relying Party uses its copy of the stored public key to verify the resultant WebAuthN Assertion. See at least Bharadwaj: page 18, lines 4-17; page 9, lines 11-20 & 29-31; page 8, lines 12-16)
...in which encryption of the private key at the first remote computing device and successful decryption of the private key at the computing server emulates functionality of the chip in the EMV payment process as a first factor in the two-factor authentication of the user account according to the EMV standard; (By disclosing, Oneid.com then converses with the remote site to prove OneID has the user's credentials (i.e., we do a full mutual auth where the challenge is tied to the socket so it can't be reused anywhere and since the remote website has our public key, they can verify the signature on the OneID in an embodiment). See at least Kirsch: paragraph(s) [0073], [0076], [0133], [0224], [0418] & [0479])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj, Park, and Leyva to incorporate the method for determining a transaction authentication level teachings of Kirsch for the benefit of providing participating parties the opportunity to control the tradeoff between security and convenience and tailoring authentication levels to meet the security needs for different types of transactions. (See at least Kirsch: paragraph(s) [0012])
Examiner’s Note: 
The limitations “for online user authentication for a transaction for goods or services between a user of a first remote computing device and a merchant of the goods or services that provides a website on a second remote computing device” in claim 12, lines 2-5; “that provides for emulation of functionality, at the first remote computing device, of a chip-enabled physical card in an EMV (Europay, Mastercard, and Visa) payment process using two-factor authentication, in which the received user authentication credentials comprise a digital signature that is encrypted by the browser application utilizing a private key of the WebAuthN keypair to bind the first remote computing device to an account associated with the user” in claim 12, lines 11-17; “in which encryption of the private key at the first remote computing device and successful decryption of the private key at the computing server emulates functionality of the chip in the EMV payment process as a first factor in the two-factor authentication of the user account according to the EMV standard” in claim 12, lines 22-26; and “to generate a payment cryptogram that is transmitted to the second remote computing device to facilitate execution of the transaction with the merchant” in claim 12, lines 36-37 are an intended use. No patentable weight is given. 
The recitation of the intended use of the claimed invention does not serve to differentiate the claim from the prior art. MPEP § 2103 I C states that language that suggests or makes optional but does not require steps to be 
With respect to claim 13:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 12, as stated above.
Bharadwaj further teaches wherein the security measures are configurable such that the security measures are customizable based on proprietary programming. (By disclosing, the authorization gesture was configured previously based on the W3C (proprietary programming). See at least Bharadwaj: page 5, line 32; page 1, lines 1-3)
With respect to claim 15:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 12, as stated above.
Bharadwaj further teaches further comprising transmitting an attestation challenge to verify an authenticity of a user device, in which the attestation challenge is separate from the additional security measures. (By disclosing, the API is defined, enabling the creation and use of strong, “attested” cryptographic scoped credentials for the purpose of strongly authenticating users. Furthermore, the X.509 Certificate for a key pair used by an Authenticator to attest, and the 
With respect to claim 17:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 12, as stated above.
Bharadwaj further teaches wherein the one or more processors further cause the computing server to identify an additional computing device as an authorized computing device. (As stated above with respect to claim 16, see at least Bharadwaj: page 8, lines 34-37, 5-7, 9-11, 13-16 & 18-21; page 9, lines 12-20)
With respect to claim 18:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 17, as stated above.
Bharadwaj further teaches wherein the computing device, the additional computing device, and the computing server each include a separate instance of a WebAuthN API (Application Program Interface) that allows the computing server to establish and identify authorized computing devices. (By disclosing, the WebAuthN scoped credential is a { identifier, type } pair identifying authentication information established by the authenticator (computing devices) and the Relying Party 
With respect to claim 19:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 18, as stated above.
Bharadwaj further teaches wherein the WebAuthN API utilizes an encryption standard that is customizable. (By disclosing, the platform makes a best effort to create the most preferred credential (customizable). See at least Bharadwaj: Abstract, lines 1-2; page 11, lines 31-33)
With respect to claim 20:
	Bharadwaj, Park, Leyva, and Kirsch teach the computing server of claim 12, as stated above.
Bharadwaj further teaches wherein the computing server provides authorization for a transaction to be completed to one or more of the computing device or a remote server with which the computing device has interacted. (By disclosing, upon successful authentication, the server does whatever it would do (transaction). See at least Bharadwaj: page 56, lines 16-23)
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Bharadwaj in view of Leyva in further view of Park and Kirsch, as applied to claim 13, in still further view of Karmal.
With respect to claim 14:
the computing server of claim 13, as stated above.
 Bharadwaj further teaches wherein the customizable security measures include one or more of hardware requirements, network requirements, ..., ..., additional user authentication, .... (As stated above with respect to claim 10, see at least Bharadwaj: page 27, lines 16-17; page 6, lines 8-9; page 56, line 8, page 5, lines 15-18)
Park, in the same field of endeavor, further teaches ... transmitting an e-mail or notification to the device, ... credibility of website interacting with device ... (Park: [1038] lines 1-5; [1943] lines 1-4)
However, Bharadwaj, Park, Leyva, and Kirsch do not teach ... setting an encryption standard, or requesting SSL (secure socket layer) certificate viability.
	Karmal, in the same field of endeavor, teaches ... setting an encryption standard, or requesting SSL (secure socket layer) certificate viability. (Karmal: paragraph(s) [0005])  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bharadwaj, Park, Leyva, and Kirsch to incorporate the teachings of Karmal for the benefit of providing an enhanced security against hacking. (See at least Karmal: paragraph(s) [0005])

Response to Arguments
In response to applicant’s argument with respect to the 101 rejections that the amended claims and specification are directed to improving a basic function of computers operating on a network, namely, network security which is recognized as the basis for patent eligibility.. focuses on authentication of a user account on a computing device that is connected to a network using encryption and decryption of the private key to provide the first factor in the two-factor authentication, in combination with security credentials as the second factor, it is noted that the two-factor authentication using the chip and PIN can be done manually and its emulation using WebAuthN-compliant device may be interpreted as one of the cases that computing devices are used as tools to automate the abstract idea, especially when the additional elements such as WebAuthN API, WebAuthN keypair, and emulation of a chip-enabled physical card according to an EMV (Europay, Mastercard, and Visa) standard are recited at a high-level of generality and also when some limitations are recited in the ‘intended use’ language. In addition, the cryptoprocessor may be interpreted just as a storing device if no technical details is recited.
In response to applicant’s argument that none of the references deal with chip and pin emulation which provides two-in the phone app or the integrated keypad on the reader, or in the browser, and then that PIN is sent (from the phone or the single computing device) to the SmartMX. That is, Kirsch teaches “providing, from the computing device to the authentication service on the second remote computing device, a response from the user to an attestation challenge as a second factor in the two-factor authentication.” Also, the SmartMX chip may be embedded in the phone. In addition, the amended claim 1 includes the steps that are not following Fig. 4A. (See at least Kirsch: paragraph(s) [0479], [0408] & [0351]-[0358])  

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAY C LEE whose telephone number is (571)272-3309.  The examiner can normally be reached on Monday-Friday 7:30-5pm est.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval 




/C.C.L./Examiner, Art Unit 3685     

/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685