DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	This action is in response to the communication filed on May 14, 2020.  Claims 1-27 were originally received for consideration.  Per the received preliminary amendment, received on September 14, 2020, claims 1-27 have been cancelled, and claims 28-47 have been newly added.
2.	Claims 28-47 are currently pending consideration.




Information Disclosure Statement

3.	Initialed and dated copies of Applicant’s IDS (form 1449), received on 8/26/2020 and 10/27/2020, are attached to this Office Action.




Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Claims 28-47 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,678,898.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘898 Patent anticipate or render obvious the claims of the present application as mapped below.
 
Application Claims 28-47
U.S. Patent 10,678,898

28.  A method for securely authenticating a user operating a user computing device, the user computing device executing a biometric authentication application for confirming the user's identity as a function of a biometric feature of the user, the method comprising the steps of:

receiving, by the trusted server from the user computing device, a representation of the user's identity and a representation of at least one component of the user computing device, and wherein the user computing device is the user's personal mobile computing device;










testing the representation of the user's identity against a trusted set of user identification information to verify the user’s identity;


providing a unique identifier that is assigned to the user based on verifying the user's identity;


causing, by the trusted server during user enrollment, generation of a key-pair comprising a private key and a corresponding public key, wherein the private key and the unique identifier is stored by a user device;

storing, by the trusted server in a storage medium, the public key in association with the assigned unique identifier thereby creating a registered user identity instance as a function of verifying the user's identity, and generation of the key-pair;


receiving, by the trusted server from the user device, a communication including: information asserting an identity of one or more of the user and the user device, a representation of the private key, and a current biometric representation of the user’s biometric features captured by the user device using an associated biometric capture device;

authenticating the user, wherein the step of authenticating comprises:

identifying, by the trusted server based on the received information asserting an identity of one or more of the user and the user device, the user identity instance,

verifying, by the trusted server based on the public key associated with the identified user identity instance, that the representation of the private key corresponds to the public key, and

confirming, by the trusted server, that the current biometric representation captured by the user device matches a registered biometric representation of the user previously stored by the server in association with the identified user identity instance; and

transmitting, by the trusted server to one or more remote computing devices, a result of the step of authenticating.


29.    The method of claim 28, wherein the key-pair is unique to the user device and the corresponding user identity instance stored on a back-end storage such that the private key is useable by the user device to securely assert the user's identity and the public key is useable by the trusted server to identify the user's identity.

30.    The method of claim 28, wherein the key-pair is generated using one or more of the user device and the trusted server.

31.    The method of claim 28, further comprising the steps of:

receiving, by the trusted server subsequent to creating the user identity instance for the user, a request to authenticate the user in connection with the user accessing an access controlled environment (ACE), wherein the request identifies the ACE and the user.





32.    The method of claim 31, wherein the request identifies a requested transaction to be performed by the user accessing the ACE and wherein the step of authenticating is performed according to a level of security defined by the ACE for the requested transaction.

33.    The method of claim 32, further comprising the step of performing additional biometrics-based user authentication as a function of the level of security.

34.    The method of claim 31, wherein the step of transmitting comprises transmitting an authorization notification to a legacy authentication system of the ACE.




35.    The method of claim 34, further comprising:

facilitating the user's access to the ACE, wherein the step of facilitating includes:

retrieving by the trusted server from a secure data store, account information associated with the user identity instance and the ACE; and

transmitting the account information to the legacy authentication system.

36.    The method of claim 28, wherein the step of testing comprises testing, by the trusted server, the representation of the user’s identity against the trusted set of user identification information, wherein the trusted set of user identification information is maintained by a legacy authentication system of an access controlled environment (ACE).


37.    The method of claim 28, wherein the unique identifier is stored by the trusted server in the storage medium and is associated with access account information that is useable to provide the user with access to an access controlled environment (ACE).

38.     The method of claim 37, wherein communications from the user device that are encoded using the private key securely assert the user's identity to the trusted server and are useable to identify any associated access account information.

39.    A system for securely authenticating a user operating a user computing device, the user computing device being the user’s personal mobile computing device and executing a biometric authentication application for confirming the user’s identity as a function of a biometric feature of the user, the system comprising:

a network communication interface; a computer-readable storage medium;

one or more processors configured to interact with the network communication interface and the computer-readable storage medium and execute one or more software modules stored on the storage medium, the one or more processors including;

an enrollment module that, when executed, configures the one or more processors to perform the steps of:

receiving, from the user computing device, a representation of the user’s identity,








testing the representation of the user’s identity against a trusted set of user identification information to verify the user’s identity,


providing a unique identifier that is assigned to the user based on verifying the representation of the user’s identity, and

causing generation of a key pair comprising a private key and a corresponding public key, wherein the private key is stored by a user device;

a database module that, when executed, configures the one or more processors to store the public key in association with the assigned unique identifier thereby creating a registered user identity instance as a function of verifying the user's identity and generation of the key pair;


a communication module that, when executed, configures the one or more processors to receive, from the user device, a communication including: information asserting an identity of one or more of the user and the user device, a representation of the private key, and a current biometric representation of the user’s biometric features captured by the user device using an associated biometric capture device; and

an authorization module that, when executed, configures the one or more processors to authenticate the user based on the received communication, wherein the authentication includes the steps of:

identifying, based on the received information asserting an identity of one or more of the user and the user device, the user identity instance,

verifying, based on the public key associated with the identified user identity instance, that the representation of the private key corresponds to the public key,

confirming that the current biometric representation captured by the user device matches a registered biometric representation of the user previously stored by the server in association with the identified user identity instance, and

transmitting, based on the authentication of the user, by a trusted server to one or more remote computing devices, a result of the authentication of the user.



40. The system of claim 39, wherein the key-pair is unique to the user device and the corresponding user identity instance stored on the back-end storage such that the private key is useable by the user device to securely assert the user identity and the public key is useable by the trusted server to identify the user identity.

41.    The system of claim 39, wherein the key-pair is generated using one or more of the user device and the trusted server.

42.    The system of claim 39, wherein the communication module further configures the one or more processors of the trusted server to receive, by the trusted server subsequent to creating the user identity instance for the user, a request to authenticate the user in connection with the user accessing an access controlled environment (ACE), wherein the request identifies the ACE and the user.









43.     The system of claim 42, wherein the request identifies a requested transaction to be performed by the user accessing the ACE and wherein the authentication of the user is performed by the trusted server according to a level of security defined by the ACE for the requested transaction.

44.  The system of claim 43, wherein the one or more processors are further configured to perform the step of performing additional biometrics-based user authentication as a function of the level of security.

45.     The system of claim 39, wherein the network communication interface communicatively connects the one or more processors of the trusted server with a legacy authentication system of an access controlled environment (ACE) and wherein the authorization module configures the one or more processors to facilitate the user's access by transmitting an authorization notification to the legacy authentication system of the ACE.

46.     The system of claim 45, wherein the authorization module configures the one or more processors to facilitate the user's access by retrieving account information associated with the user identity instance and the ACE from a secure data store and transmitting the account information to the legacy authentication system.


47. The system of claim 45, wherein the enrollment module configures the one or more processors to test the representation of the user’s identity to verify the user is authorized to access the ACE by comparing the representation of the user’s identity to a trusted set of user identification information maintained by the legacy authentication system of the ACE.





receiving, by a trusted server from a user computing device, an application certificate that uniquely identifies a particular biometric authentication application executing on the user device, wherein the user computing device is the user's personal mobile computing device; 

verifying, by a trusted server, that the received application certificate is valid; 

receiving, by the trusted server from the user computing device, a representation of the user's identity and a representation of at least a component of the user computing device; 


testing the representation of the user's identity against a trusted set of user identification information to verify the user is authorized to access the ACE;

 providing a unique identifier that is assigned for the user based on the representation of the user's identity; 

causing, by the trusted server during user enrollment, generation of a key pair comprising a private key and a corresponding public key, wherein the private key and the unique identifier is stored by the user device; 

storing, by the trusted server in a storage medium, the public key in association with the assigned unique identifier thereby creating a registered instance of a user identity, wherein the identity instance is created as a function of verifying the application certificate, verifying the user identity and generation of the key pair; 

receiving, by the trusted server from the user device, a communication including: information asserting an identity of one or more of the user and the user device, a representation of the private key and a current biometric representation of the user's biometric features captured by the user device using an associated biometric capture device; authorizing the user to 


identifying, by the trusted server based on the identification information, the user instance, 



verifying, by the trusted server based on the public key associated with the identified user instance,  that the representation of the private key corresponds to the public key, and 

confirming, by the trusted server, that the current biometric representation captured by the user device matches a registered biometric representation of the user previously stored by the server in association with the identified user instance; and 

based on the authorizing step, facilitating the user access to the ACE using the trusted server in conjunction with one or more remote computing devices.
 
    2. The method of claim 1, wherein the key-pair is unique to the user device and the corresponding user identity instance stored on the back-end storage such that the private key is useable by the user device to securely assert the 

    3. The method of claim 1, wherein the key-pair is generated using one or more of the user device and the trusted server.
 
    4. The method of claim 1, further comprising: receiving, by the trusted server subsequent to creating the identity instance for the user, a request to access the ACE, wherein the request identifies the ACE and the user; and transmitting a prompt, by the trusted server to the user device in response to the request, prompting the user device to capture the user's biometrics using the biometric authentication application and an associated capture device, generate the current biometric representation and, as a result, transmit the communication to the trusted server that includes the current biometric representation. 
    5. The method of claim 4, wherein the request identifies a requested transaction to be performed by the user accessing the ACE and wherein the user authorization step is performed according to a level of security defined by the ACE for the requested transaction. 


    6. The method of claim 5, further comprising: performing additional biometrics-based user 

    7. The method of claim 1, wherein the step of facilitating the user access to the access-controlled environment using the trusted server in conjunction with one or more remote computing devices comprises: transmitting an authorization notification to a legacy authentication system of the ACE. 

    8. The method of claim 7, wherein the step of facilitating the user access to the ACE comprises: 




retrieving by the trusted server from a secure data store, account information associated with the user instance and the ACE, and 

transmitting the access account information to the legacy authentication system. 

    9. The method of claim 1, wherein the step of testing the representation of the user's identity to verify the user is authorized to access the access-controlled environment comprises: testing, by the trusted server, the representation of the user's identity against the trusted set of user identification information, wherein the trusted set of user identification information is 
    10. The method of claim 1, wherein the unique identifier is stored by the trusted server in the storage and is associated with access account information that is useable to provide the user access to the ACE. 


    11. The method of claim 10, wherein communications from the user device that are encoded using the private key and thereby securely asserts the user identity to the trusted server and is useable to identify any associated access account information. 

    12. A system for securely coordinating access to an access-controlled environment (ACE) for a user operating a user computing device executing a biometric authentication application for confirming the user's identity as a function of a biometric of the user, the system comprising: 



a network communication interface; a computer-readable storage medium; 

one or more processors configured to interact with the network communication interface and the computer-readable storage medium and execute one or more software modules stored on 




receive, from a user computing device, an application certificate that uniquely identifies a particular biometric authentication application executing on the user device, a representation of the user's identity and a representation of at least a component of the user computing device, wherein the user computing device is the user's personal mobile computing device, verify that the received application certificate is valid; 

test the representation of the user's identity against a trusted set of user identification information to verify the user is authorized to access the ACE, and

 provide a unique identifier that is assigned for the user based on the representation of the user's identity; 

cause generation of a key pair comprising a private key and a corresponding public key, wherein the private key and the unique identifier is stored by the user device; 



 a communication module that when executed configures the one or more processors to receive, from the user device, a communication including: information asserting an identity of one or more of the user and the user device, a representation of the private key and a current biometric representation of the user's biometric features captured by the user device using an associated biometric capture device; and 

an authorization module that that when executed configures the one or more processors to authorize the user to access the ACE based on the received communication, wherein authorization includes: 

identifying, based on the identification information, the user instance, 


verifying, based on the public key associated with the identified user instance, that the 

confirming that the current biometric representation captured by the user device matches a registered biometric representation of the user previously stored by the server in association with the identified user instance, and 


facilitating, based on the authorization of the user, the user access to the ACE using the trusted server in conjunction with one or more remote computing devices. 



    13. The system of claim 12, wherein the key-pair is unique to the user device and the corresponding user identity instance stored on the back-end storage such that the private key is useable by the user device to securely assert the user identity and the public key is useable by the trusted server to identify the user identity. 

    14. The system of claim 12, wherein the key-pair is generated using one or more of the user device and the trusted server. 

    15. The system of claim 12, wherein the communication module further configures the one or more processors of the trusted server to: 

    16. The system of claim 15, wherein the request identifies a requested transaction to be performed by the user accessing the ACE and wherein user authorization is performed by the trusted server according to a level of security defined by the ACE for the requested transaction.

 
    17. The system of claim 16, further comprising: performing additional biometrics-based user authorization as a function of the level of security. 


    18. The system of claim 12, wherein the network communication interface communicatively connects the one or more 


    19. The system of claim 18, wherein the authorization module configures the one or more processors to facilitate the user access by retrieving account information associated with the user instance and the ACE from a secure data store and transmitting the access account information to the legacy authentication system. 
 


20. The system of claim 18, wherein the enrollment module configures the one or more processors to test the representation of the user's identity to verify the user is authorized to access the access-controlled environment by comparing the representation of the user's identity to a trusted set of user identification information maintained by the legacy authentication system of the ACE.





Claims 29-47 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 9,996,684.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘684 patent anticipate the limitations of the current application.  Claim 1 of ‘684 discloses all the limitations of the current application, but also provides that the key-pair is generated as a function of verifying that the received application certificate is valid and establishing the user’s identity as a function of biometrics using the biometric authentication application.  Otherwise, the ‘684 Patent anticipates the receiving, verifying, providing, causing, storing, receiving, authorizing, identifying and confirming steps of claim 1 of the present application.
	Therefore, the claims are subject to a Double Patenting rejection and a Terminal Disclaimer is required.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KAVEH ABRISHAMKAR/
05/08/2021
Primary Examiner, Art Unit 3649