DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Claim 19 recites "a computer readable storage medium”.  A memorandum from Director Kappos was issued January 26, 2010 entitled "Subject Matter Eligibility of Computer Readable Media" hereinafter "Kappos 1/26/2010". According to "Kappos 1/26/2010", in the absence of a definition in the specification explicitly excluding transitory propagating/transmission type memory medium, the broadest reasonable interpretation of "a computer readable medium" is interpreted to include both "non-transitory tangible media" and "transitory propagating signals" medium where the latter renders the claim non-statutory. "Kappos 1/26/2010" directs the patent community to overcome 101 rejections of this nature by amending the claim language to add the limitation "non- transitory" to the claim, for example "processor readable non-transitory media".  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Alan et al. (US Pub. 20150026796 A1) and further in view of Gordon et al. (US Pub. 20170318019 A1).

Regarding claim 1, Alan discloses a method of authenticating a user (abstract), the method comprising: 
obtaining a user authentication request for access to at least one application executed on an electronic device (para. 71- The method 300 begins at operation 302. In operation 302, the server computer 114 receives a request for authentication information, a request for a password, and/or a request for data that can be used to generate a challenge 136 and a response 138. As used in the claims, a "request for an authentication" includes a request for the challenge/response data 134 and/or a request for data that can be used to generate and/or present the challenge 136 and response 138 described herein.); 
identifying an actor and a task based on one or more context parameters associated with at least one of the electronic device or a user (para. 67, 72- The server computer 114 can be configured to identify a user and/or user device 102 associated with the request received in operation 302 and therefore can query the event data 116 stored at the data store 128 for event data 116 associated with the user and/or user device 102. Thus, in operation 304, the server computer 114 can access event data 116 to identify event data 116 associated with the user and/or user device 102.); 
generating a live challenge for authentication based on the identified actor and task (para. 76- In operation 308, the server computer 114 can generate data specifying a challenge and response. The server computer 114 can generate the challenge/response data 134 based upon the event data, preferences associated with the security application 110 and/or the security service 112, and/or difficulty level identified in operations 304-306); 
providing the generated live challenge to the user or the electronic device (para. 77- In operation 310, the server computer 114 provides the challenge 136 and response 138 to the requestor. In the embodiment shown in FIG. 1, the security service 112 can provide the challenge 136 and the response 138 to the resource 130. In some other embodiments, the server computer 114 can provide the challenge and the response to the resource 130 by transmitting the challenge/response data 134 to the resource 130.); and 
Alan does not specifically teach identifying whether to grant access to the at least one application based on whether the provided live challenge has been successfully performed.  However, this concept of granting access to an application/device based on a live challenge is notoriously well known and used in the art as evidenced by Gordon (see para. 44, ) and therefore, one skilled in the art would have found it obvious to utilize it in Alan as a simple alternative to achieve this desirable effect of preventing spoofing.  

	Regarding claim 2, Gordon discloses in the method of claim 1, further comprising identifying an object displayed in a field of view (FoV) of a camera provided in the electronic device, wherein the identifying of the actor and the task comprises identifying the actor and the task based on the identified object and the one or more context parameters. (para. 44, 46- For instance, the gaze-based password may be established using touch inputs (e.g., touch inputs on a touch screen) or gestures (e.g., gestures performed to point to or "touch" a virtual object) to set the gaze targets, and the user may be authenticated by tracking the user's gaze at the gaze targets; 47- the gaze-based authentication techniques described herein may include gaze targets that are specific to the user's real-world location (e.g., features or objects in a user's surroundings), making the techniques more secure against attacks by computers and bots.; Fig. 11)

Regarding claim 3, Alan discloses in the method of claim 2, wherein the identifying of the actor and the task comprises: identifying an actor corresponding to the identified object; and identifying a task capable of being performed by the identified actor, and the providing of the live challenge comprises: displaying a question prompting the identified task.  (para. 9- Some contemplated examples of challenges and/or responses include "where were you yesterday at 12:00 PM," "what was the last song you purchased on iTunes," "who was with you yesterday when you spent $53.45 at Costco," or the like)

Regarding claim 4, Gordon discloses in the method of claim 2, wherein the providing of the live challenge comprises, when an augmented reality (AR) mode is set in the electronic device, outputting an AR image of the live challenge constituted by the actor and the task on the identified object in a superimposing manner. (Fig. 9, para. 94- FIG. 9 illustrates example gaze-based password techniques using a mixed reality scene 900. The example of FIG. 9 is similar to the example of FIGS. 7 and 8, except that the scene 900 includes multiple three-dimensional virtual objects and the user selects the objects that form part of the gaze-based password. That is, the gaze-based password in this example spans multiple virtual objects, namely virtual objects 902, 904, 906, and 908, instead of being comprised of multiple locations within or on a single virtual object as shown in FIGS. 7 and 8. In some examples, a gaze-based password may include gaze targets multiple levels of granularity, similar to the example of FIG. 6, but in a three-dimensional mixed reality environment. In that case, a gaze-based password may include a portion of the password having a coarse granularity in which gaze targets correspond to multiple virtual objects (e.g., as shown in FIG. 9))

Regarding claim 5, Gordon discloses in the method of claim 4, further comprising identifying movement information about the electronic device or the user after object identification, wherein the outputting of the AR image comprises adjusting a location at which the AR image is output, based on the identified movement information. (para. 86)

Regarding claim 6, Gordon discloses in the method of claim 1, further comprising: identifying a location of the electronic device; and identifying an object around the electronic device based on the identified location of the electronic device, wherein the identifying of the actor and the task comprises: identifying the actor and the task based on the identified object and the one or more context parameters. (para. 44, 46- For instance, the gaze-based password may be established using touch inputs (e.g., touch inputs on a touch screen) or gestures (e.g., gestures performed to point to or "touch" a virtual object) to set the gaze targets, and the user may be authenticated by tracking the user's gaze at the gaze targets; 47- the gaze-based authentication techniques described herein may include gaze targets that are specific to the user's real-world location (e.g., features or objects in a user's surroundings), making the techniques more secure against attacks by computers and bots.; Fig. 11)

Regarding claim 8, Alan discloses in the method of claim 1, wherein the context parameters comprise: at least one of setting information about the electronic device, time information, a location at which the user authentication request has been obtained, an activity performed in the electronic device by the user, a notification obtained by the electronic device, social network service (SNS) information, surrounding environment information about the electronic device, a network to which the electronic device is connected, or the number of other electronic devices connected to the electronic device. (para. 6-7- An "event," as used herein can refer to a financial transaction such as a purchase, fund transfer, order, or the like; a telephone call made or received by the user device; a data transfer occurring via the user device; a social networking activity associated with a user or other entity associated with the user device; a person, device, system, or network detected at or near the device; or the like. The security application can monitor activity of the device and detect events when the events occur. Based upon settings and/or preferences associated with the security application, the user device can collect event data and/or the user device can be prompted by other applications and/or entities to collect the event data. The event data can include location information, transaction information, call information, local device information, and/or other information that may be used to provide event-based security challenges)

Regarding claim 9, Alan discloses in the method of claim 1, wherein the identifying of the actor and the task comprises identifying the actor and the task by using a preset learning network model based on the one or more context parameters. (Fig. 4B and associated paras.)

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Alan and Gordon and further in view of Steeves (US Pub. 20070143624 A1).

Regarding claim 7, the combination of Alan and Gordon does not specifically teach wherein the identifying of whether to access the at least one application comprises: based on the user's action corresponding to the live challenge not being identified within a predetermined time, denying the access to the at least one application; and based on the user's action corresponding to the live challenge being identified within the predetermined time, permitting the access to the at least one application. However, this concept of requiring a challenge to be completed within a predetermined amount of time in order to grant access is notoriously well known and used in the art as evidenced by Steeves (see para. 14, 24) and therefore, one skilled in the art would have found it obvious to utilize it in Alan as a simple alternative to achieve the desirable effect of verifying the user is authentic and not a nefarious actor trying to guess/determine a challenge answer.

Regarding claims 10-18, they are rejected as applied to claims 1-9 because a corresponding system would have been necessitated to carry forth the method steps of claims 1-9.  The applied prior art also discloses the corresponding architecture.  

Regarding claims 19-20, they merely recite a computer program that when executed, performs the functional steps of method claim 1-2, and thus, rejected for the same rationale. 




Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM A CORUM JR whose telephone number is (303)297-4234.  The examiner can normally be reached on Mon. - Fri. 8 AM - 5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/WILLIAM A CORUM JR/Examiner, Art Unit 2433         

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433