DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on October 8, 2020 has been entered.
 

Status of the Claims
The office action is being examined in response to the amendments submitted by the applicant on October 8, 2020.
Claims 1, 10, and 19 have been amended and are hereby entered.
Claims 1-19 are pending and have been examined. 
This action is made NON-FINAL.
The examiner would like to note that this application is now being handled by examiner Michael Anderson.  

Response to Arguments
Applicant's arguments filed have been fully considered but they are not persuasive.  
Applicant’s arguments with respect to the prior art rejection(s) pertain to amendments to the claims; and these arguments and amendments are addressed in the rejection(s) below therefore the arguments are moot in view of the new rejection shown below.
		
Claim Objections

Claims 3 and 12 are objected to because of the following informalities:

Claims 3 and 12 recite “QR CODE” which is abbreviation.

The first occurrence of all acronyms or abbreviations should be written out for clarity, whether or not they may be considered well known. Appropriate correction is required.
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sadacharam et al. (U.S. 9,300,658) in view of Jennings et al. (U.S. Pub. No. 2008/0072304) in view of PALZER (US 20130019096 A1).

With respect to claims 1, 10, and 19:
Sadacharam teaches:
a processor that communicates with the memory (Sadacharam “at least one processor, one or more memories” Col. 2 lines 45-50; [C.10 L.28-43]; Fig. 5 (820-824))
generating, by a server, a master authentication code based on an authorization request for a transaction ("A QR code 108 containing the authentication query is created 106." Sadacharam [C.5 L.17-18] and fig. 2: Sadacharam’s QR code 108, illustrated in fig. 2, is interpreted as a master authentication code, and it is generated in response to a user performing a bank transaction 100 that causes a bank to initiate an authorization 102. Sadacharam [C.4 L.28-31] and fig. 1: a server computer.),
wherein a user initiates the transaction from an account by using a transaction application [of a plurality of transaction applications] installed on a user-computing device (Sadacharam [C.4 L.57-61], [C.4 L.27-39], and figs. 2 & 3: Sadacharam discloses a user initiating a financial transaction on a user device. Sadacharam [C.6 L.34-36]: Sadacharam discloses conducting transactions against a user’s account using the transaction application for authentication of a transaction.);
splitting, by the server, the master authentication code into a first authentication code and a second authentication code; communicating, by the server, the first authentication code to the transaction application and the second authentication code to the user by way of registered contact information linked to the account, [wherein the second authentication code is accessible to another transaction application of the plurality of transaction applications at the user-computing device]; ("FIG. 2 shows an example of secure authentication of a user's identity through the insertion of authentication queries into a QR code which is disassembled and sent to the user through multiple communication channels for reassembly by the user to obtain the authentication query for response." Sadacharam [C.4 L.53-57] and fig. 2: Sadacharam discloses a server splitting a master QR code 106 into four QR codes 108A-D (i.e., at least a first and second authentication code) and communicating the codes to a user via separate communications channels. 
receiving, by the server, a response code from [a corresponding at least one of the plurality of transaction applications, the at least one of the plurality of transaction applications comprising] the transaction application, wherein the transaction application generates the response code based on the first authentication code and the second authentication code ("the QR code program 66 generates a QR code including the user received response and sends the QR code to the banking institution." Sadacharam [C.6 L.23-25] and fig. 2: Sadacharam discloses a QR code program, on a user’s computer, sending a QR code, which is generated after reassembling QR code pieces 108A-D (i.e., at least first and second authentication codes), to a bank for authentication.); 
processing, by the server, the transaction based on a match between the response code and the master authentication code ("the QR code program 66 generates a QR code including the user received response and sends the QR code to the banking institution." Sadacharam [C.6 L.23-25] and fig. 2: Sadacharam discloses a QR code program, on a user’s computer, sending a QR code, which is generated by reassembling QR code pieces 108A-D (i.e., at least first and second authentication codes), back to a bank for authentication of a transaction. “If the response was sent as a QR code, the authentication program 67 reads the QR code to receive the user's response to the authentication query (step 212). The user's input is compared to the information associated with the user in the repository (step 213). If the input from the users matches (step 214) the information associated with the user in the repository, the authentication program 67 allows the continuation of the activity" Sadacharam [C.7 L.17-24]. "FIG. 2 uses access to a banking institution as an example of a secure transaction which requires authentication" Sadacharam [C.6 L.45-47]: Sadacharam discloses allowed activity in the form of a financial transaction.).
Sadacharam does teach, ("the QR code program 66 generates a QR code including the user received response and sends the QR code to the banking institution." Sadacharam [C.6 L.23-25] and fig. Sadacharam does not teach; however, Jennings teaches:
determining, by the server, whether the master authentication code itself matches the response code generated by and received from the transaction application; ("Once all parts of the authentication data has been obtained, at step 404, the user authentication data parts are assembled into the user authentication data. At step 405 the authenticity of the user authentication data is checked by comparing it with a copy of the authentication data for the user which is held by the server in storage." [0034] & fig. 4.).
It would have been obvious to one of ordinary skill in the art at the time of filing to have modified Sadacharam’s teachings to incorporate Jennings’ teachings of comparing assembled authentication data to a copy of authentication data in order to provide greater protection against a replay attack in which a message comprising, for example a password, is recorded and re-sent to a server because the process mitigates risk from unauthorized access attempts. See Jennings [0006] – [0007].
The combination of Sadacharam and Jennings do not teach but PALZER does teach:
of a plurality of transaction applications (“mobile phone applications” [0018]; Fig. 5 and assoc text)
wherein the second authentication code is accessible to another transaction application of the plurality of transaction applications at the user-computing device; (“the second message as a side information or is sent to the third entity as a separate message.” [0013]   
a corresponding at least one of the plurality of transaction applications, the at least one of the plurality of transaction applications comprising (“mobile phone applications” [0018]; Fig. 5 and assoc text)
 It would have been obvious to one of ordinary skill in the art at the time of filing to have modified Sadacharam’s teachings to incorporate Palzer teachings because “two independent ways transmission is really difficult to attack” . [0002].


With respect to claims 2 and 11:
The combination of Sadacharam, Jennings, adn Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
receiving, by the server, the authorization request from the transaction application installed on the user-computing device (Sadacharam [C.4 L.57-61], [C.4 L.27-39], and fig. 2: An authorization request is received by a server from a user computing device.).

With respect to claims 3 and 12:
The combination of Sadacharam, Jennings, adn Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein the master authentication code is a QR CODE, and wherein the first authentication code is a first portion of the QR CODE and the second authentication code is a second portion of the QR CODE ("A QR code 108 containing the authentication query is created 106... The QR code 108 is then split 110 into multiple pieces. In this example shown, the QR code was split into four pieces (1-4) corresponding to 108 a-108 d respectively." Sadacharam [C.5 L.17-22].).

With respect to claims 4 and 13:
The combination of Sadacharam, Jennings, adn Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein the registered contact information includes at least one of a registered contact number or a registered email address of the user (Sadacharam [C.4 L.53-57] and fig. 2: Sadacharam discloses a server splitting a master QR code into four QR codes and communicating the codes back to a user via separate communications channels, such as SMTP, MMS, and fax. Communication to a user via Simple Mail Transfer Protocol (SMTP) 116 

With respect to claims 5 and 14:
The combination of Sadacharam, Jennings, and Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein the user submits the second authentication code to the transaction application ("The device computer 52 of the user, through a QR code assembly program 68 reassembles the QR code pieces 108 a-108 d to form a complete QR code 108" Sadacharam [C.5 L.58-60].).

With respect to claims 6 and 15:
The combination of Sadacharam, Jennings, and Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein the transaction application retrieves the second authentication code by accessing a message repository of the user-computing device ("The user is notified when the QR code pieces are received 122 by the user's device computer... If the pieces are sent fully electronically, the device computer 52 can process them internally without a need for user intervention." Sadacharam [C.5 L.47-57].).

With respect to claims 7 and 16:
The combination of Sadacharam, Jennings, and Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein at least one of the first authentication code or the second authentication code includes position information, and wherein the transaction application generates the response code by merging the first authentication code and the second authentication code based on the position information ("The QR code assembly program 68 reassembles a complete QR code from the multiple QR code pieces (step 220)… the reassembly could be done using instructions sent along with the pieces as noted above, or could be reassembled by one of the known photo merge programs as are commonly used by photographers to assemble multiple photographs into panoramas." Sadacharam [C.7 L.41-48] and fig. 2: Merging QR code pieces into a full QR code requires information pertaining to the position of each piece.).

With respect to claims 8 and 17:
The combination of Sadacharam, Jennings, and Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
wherein determining whether the master authentication code [itself] matches the response code comprises comparing, by the server, the response code with the master authentication code for processing the transaction (Sadacharam figs. 2 & 3.).
Jennings further teaches:
determining whether the master authentication code itself matches the response code ("Once all parts of the authentication data has been obtained, at step 404, the user authentication data parts are assembled into the user authentication data. At step 405 the authenticity of the user authentication data is checked by comparing it with a copy of the authentication data for the user which is held by the server in storage." [0034] & fig. 4).
It would have been obvious to one of ordinary skill in the art at the time of filing to have modified The combination of Sadacharam, Jennings, and Palzer ’ teachings to incorporate Jennings’ teachings of comparing assembled authentication data to a copy of authentication data in order to provide greater protection against a replay attack in which a message comprising, for example a password, is recorded and re-sent to a server because the process mitigates risk from unauthorized access attempts. See Jennings [0006] – [0007].


With respect to claims 9 and 18:
The combination of Sadacharam, Jennings, and Palzer  renders obvious all the limitations of the rejections in claims 1 and 10, respectively.
Sadacharam further teaches:
declining, by the server, the transaction based on a mismatch between the response code and the master authentication code (Sadacharam [C.6 L.29-38]: Sadacharam discloses denying access to an account upon a mismatch.).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Torres (US20140040617A1) is relevant because it uses a method for generating a code and a method comprising the authorization of an operation carried out by a client on a first server. A second server generating an authorization code according to an encoding method is involved in the authorization. The operations can be transactions, access to a web page, user-to-user payments, user-to-business payments, online user-to-business payments, cash withdrawal in automated teller machines, etc.
Miyano (U.S. Pub. No. 2003/0070073) is relevant because it teaches a processor 106 that combines the data representing the scanned stripe image 500 and the data representing the scanned stripe image 600, and generates combined data representing the combined scanned image 700. At 908, the processor 106 retrieves from the data storage section 104 data representing the combined original stripe image 400 as a reference image. At 910, the processor 106 compares the data representing the scanned stripe image 700 with the data representing the reference image 400. See Miyano [0038].
Le Saint (U.S. Pub. No. 2015/0372811) is relevant because it teaches efficient methods for authenticated communication. In one embodiment, a first computing device can generate an ephemeral key pair comprising an ephemeral public key and an ephemeral private key. The first computing device can generate a first shared secret using the ephemeral private key and a static second device public key. The first computing device can encrypt request data using the first shared secret to obtain encrypted request data. The first computing device can send a request 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W ANDERSON whose telephone number is (571)270-0508.  The examiner can normally be reached on Monday - Thursday 9am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett Sigmond can be reached on (303) 297-4411.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


Mike Anderson
Primary Patent Examiner
Art Unit 3694



/Mike Anderson/Primary Patent Examiner, Art Unit 3694