DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to the application filed on 08/23/2019. Claims 1-25 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given over the phone by Brienne Terril (Reg. No. 60,941) on 05/21/2021. 
The application has been amended as follows:
Please replace claim 14 with:
14. (Currently Amended) A system of performing out-of-band user authentication, the system comprising: a service electronic device associated with a service; an electronic device in communication with the service electronic device; a server electronic device in communication with the server electronic device; a first non-transitory computer-readable storage medium comprising one or more programming instructions that, when executed, cause the service electronic device to: receive, from the electronic device, a request to initiate a session of the service, generate an authentication token, encrypt the authentication token to generate an encrypted authentication token, and transmit the encrypted authentication token to the electronic device; a second non-transitory computer-readable storage medium comprising one or more programming instructions that, when executed, cause the electronic device to: receive the encrypted authentication token, retrieve a public key and a private key associated with the electronic device from a data store, retrieve a service public key from a data store, wherein the service public key is associated with the service, decrypt the encrypted authentication token using the private key to obtain the authentication token, sign the authentication token with the private key to generate a signed authentication token, encrypt the signed authentication token with the service public key to generate a signed-encrypted authentication token, and send the signed-encrypted authentication token and a security token to the server electronic device; and a third non-transitory computer-readable storage medium comprising one or more programming instructions that, when executed, cause the server electronic device to: receive a request for the signed-encrypted authentication token from the service electronic device, wherein the request includes a read token and an indication of a memory location accessible by the server electronic device, verify that the read token matches information stored at the memory location, and in response to verifying that the read token matches information stored at the memory location, send the signed-encrypted authentication token to the service electronic device.

Please replace claim 15 with:
15. (Currently Amended) The system of claim 14, wherein the first non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the service electronic device to: decrypt the signed-encrypted authentication token using a private key associated with the service to obtain a signed-decrypted authentication token, verify the signed-decrypted authentication token using the public key associated with the electronic device to obtain a verified decrypted authentication token, determine whether the verified decrypted authentication token matches the authentication token generated by the service electronic device, and in response to determining that the verified decrypted authentication token matches the authentication token generated by the service electronic device, authenticate the request to access the service.

Please replace claim 16 with:
16. (Currently Amended) The system of claim 15, wherein the second non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the electronic device to delete the private key, the public key, the read token, the security token and the indication of the memory location from the electronic device.  

Please replace claim 17 with:
17. (Currently Amended) The system of claim 14, wherein the second non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the electronic device to initialize an account for the service by: receiving a request from the user to access the service; receiving the service public key from the service electronic device associated with the service, storing the service public key in a data store of the electronic device, generating the public key and the private key associated with the electronic device and storing the public key and the private key in the data store, generating the security token and the read token, transmitting the security token to the server electronic device, receiving from the server electronic device the indication of the location of where the security token is stored by the server electronic device, transmitting the public key, the read token and the indication of the location to the service electronic device to create a new account for the user, and delete the public key, the private key, the security token, the read token and the indication of the location from the data store.

Please replace claim 18 with:
18. (Currently Amended) The system of claim 17, wherein the first non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the service electronic device to create the new account for the user using the public key, the read token and the indication of the location.  

Please replace claim 22 with:
22. (Currently Amended) The system of claim 14, wherein the second non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the electronic device to: receive an indication that the user wishes to terminate the session of the service; and transmit the security token and the indication of the location to the server electronic device.

Please replace claim 23 with:
23. (Currently Amended) The system of claim 22, wherein the third non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the server electronic device to: receive the security token and the indication of the location from the electronic device; verify that the received security token matches content stored at the location; and in response to verifying that the received security token matches 

Please replace claim 24 with:
24. (Currently Amended) The system of claim 23, wherein the third non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the server electronic device to, in response to verifying that the received security token matches content stored at the location, deleting the read token and the signed-encrypted authentication token from the location.

Please replace claim 25 with:
25. (Currently Amended) The system of claim 22, wherein the third non-transitory computer-readable storage medium further comprises one or more programming instructions that, when executed, cause the server electronic device to: receive the security token and the indication of the location from the electronic device, verify that the received security token matches content stored at the location, and in response to verifying that the received security token does not match content stored at the location, sending an indication of an unsuccessful session termination to the electronic device.
Allowable Subject Matter
Claims 1-25 are allowed.
The following is an examiner’s statement of reasons for allowance:
The invention relates to a method of performing out-of-band user authentication that includes, by a service electronic device associated with a service, receiving a request to initiate a session of the service, generating an authentication token, encrypting the authentication token to generate an encrypted authentication token, and transmitting the encrypted authentication token to the electronic device.

The closest relevant prior art made of record is:
EVANS (US2017/0324737) teaches a method at an authentication server for multi-factor authentication of an electronic device, the method including receiving at the authentication server a request for authentication of the electronic device; sending 
Feekes (US2014/0337957) teaches the present disclosure is generally directed to a hardware token for completing an out-of-band authentication.  In one embodiment, the hardware token performs a method that comprises: receiving an out-of-band encryption key from a client computing device; deriving a security credential that uniquely identifies the hardware token; transmitting the derived security credential and received out-of-band encryption key over the out-of-band communication channel to a network backend over a wireless network; receiving an in-band encryption key over the out-of-band communication channel; and transmitting the received in-band encryption key to the paired client computing device.
Grandcolas (US 7,137,006) teaches methods and systems for single sign-on user access to multiple web servers. A user is authenticated at a first web server (e.g., by user name and password). The first web server provides a web page to the user having a service selector (e.g., a hyperlink comprising the URL of a second web server offering the service indicated by the selector). When the user activates the service selector, the first web server constructs and transmits an encrypted authentication token (e.g., a cookie) from the first web server to a second web server via the user client. The first and second web servers share a sub-domain. The authentication token comprises an expiration time and is digitally signed by the first web server and is authenticated at the second web server. Upon authentication, the second web server allows the user to conduct a session at the second web server.
Hamlin (US2015/0318993) teaches an off-host authentication system that includes an authentication information handling system (IHS) that is coupled to a network. The off-host authentication system also includes a host processing system. An off-host processing system in the off-host authentication system is coupled to the host processing system and is coupled to the authentication IHS through the network. The off-host processing system provides an encrypted primary authentication item to the authentication IHS through the network. The off-host processing system then receives an encrypted secondary authentication token from the authentication IHS through the network. The off-host processing system then decrypts the encrypted secondary authentication token to produce a decrypted secondary authentication token and uses the decrypted secondary authentication token to retrieve a tertiary authentication token. The off-host processing system then provides the tertiary authentication token to the host processing system for use in logging a user into a user IHS that includes the host processing system.
Narendra (US 9,055,029) teaches a multifactor authentication (MFA) enforcement server that provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.

Rasheed (US2016/0286393) teaches at least one non-transitory computer readable storage medium includes instructions that when executed enable a system to: request, by an authentication logic of the system during a multi-factor authentication of a user of the system to obtain access to a first service, a token to be sent from a second system associated with the first service to a third system associated with the user; receive, in the authentication logic, the token from the third system without user involvement via a secure channel; and send the token from the authentication logic to the second system to authenticate the user.  Other embodiments are described and claimed.
Thomas (US 9,094,212) teaches a client that is authenticated by a server receiving an initial request from the client at the beginning of a session. The server receiving the initial request generates an authentication token and returns the authentication token to the client in response to the client being authenticated. The user's credentials used to authenticate the client are stored in the authentication token along with other information. After receiving the authentication token from the server that generated the authentication token, the client passes the authentication token with each of the future requests to the pool of servers. Using the client to pass the transferrable authentication token, the servers share the user's identity/credentials in a decentralized manner. Any server from the shared pool of servers that receives a subsequent client request is able to decrypt the token and re-authenticate the user without having to prompt the client for authentication credentials again.
Vysogorets (US2010/0199089) teaches a token-based centralized authentication method for providing access to a service provider to user information associated with a user's relationship with the service provider, including the steps of: authenticating a user presenting a user token at a user terminal, the user token having stored thereon a user ID; deriving a resource identifier using at least two data input elements, the at least two data input elements including the user ID of the user and a service provider ID of the service provider, wherein the user information is stored in a storage network and the resource identifier is associated with the user information; retrieving the user information from the storage network using the resource identifier; and providing the retrieved user information to the service provider.

However, none of the closest prior art references mentioned above teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims 1 and 14. For example, for claim 1, none of the cited prior art, alone or in combination, teaches or suggests the steps of "encrypting the signed authentication token with the service public key to generate a signed-encrypted authentication token, and sending the signed-encrypted authentication token and a security token to a server electronic device, by the server electronic device: receiving a request for the signed-encrypted authentication token from the service electronic device, wherein the request includes a read token and an indication of a memory location accessible by the server electronic device, verifying that the read token matches information stored at the memory location, and in response to verifying that the read token matches information stored at the memory location, sending the signed-encrypted authentication token to the service electronic device" in view of the other limitations of claim 1; and, for example, for claim 14, none of the cited prior art, alone or in combination, teaches or suggests the steps of "encrypt the signed authentication token with the service public key to generate a signed-encrypted authentication token, and send the signed-encrypted authentication token and a security token to the server electronic device; and a third computer-readable storage medium comprising one or more programming instructions that, when executed, cause the server electronic device to: receive a request for the signed-encrypted authentication token from the service electronic device, wherein the request includes a read token and an indication of a memory location accessible by the server electronic device, verify that the read token matches information stored at the memory location, and in response to verifying that the read token matches information stored at the memory location, send the signed-encrypted authentication token to the service electronic device" in view of the other limitations of claim 14. Therefore the claims are allowable over the cited prior art.
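The three-party exchange recited in claims 14 and 15, including the read-token gate the examiner singles out above, is easier to follow in running code. The Go program below is an added illustration written for this page; it is not code from the applicant, the examiner or any cited reference. It assumes RSA-OAEP for the encryptions and RSA-PSS for the signature (the claims name neither algorithm), a 3072-bit service key so that token plus signature fits in one OAEP block, an in-memory map standing in for the server's memory locations, and that the read token is also held at the location (claims 17 and 24 imply this; claim 14 does not say so). The names Server, Device, Service, Setup and Authenticate and the location id "slot-0001" are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const loc = "slot-0001" // constructed: the memory location the server hands out at account set-up

// record is what the relay server keeps at one memory location (constructed, in-memory);
// assumption: the read token is held there too, so the server can check the service's request.
type record struct{ security, read, blob []byte }

// Server is the out-of-band relay of claim 14; it holds no key material at all.
type Server map[string]*record

// Deposit (device -> server) stores the signed-encrypted token if the security token matches.
func (s Server) Deposit(at string, security, blob []byte) error {
	if r, ok := s[at]; ok && hmac.Equal(r.security, security) {
		r.blob = blob
		return nil
	}
	return fmt.Errorf("security token does not match %q", at)
}

// Fetch (service -> server) releases the token only if the read token matches the location.
func (s Server) Fetch(at string, read []byte) ([]byte, error) {
	if r, ok := s[at]; ok && r.blob != nil && hmac.Equal(r.read, read) {
		return r.blob, nil
	}
	return nil, fmt.Errorf("read token does not match %q", at)
}

// Device: one 2048-bit key both decrypts the challenge and signs the token, as claim 14 recites.
// Service: a 3072-bit key, whose OAEP payload limit (318 bytes) fits token || 256-byte signature.
type (
	Device  struct{ key *rsa.PrivateKey; servicePub *rsa.PublicKey; security []byte }
	Service struct{ key *rsa.PrivateKey; devicePub *rsa.PublicKey; read []byte }
)

// Respond: decrypt with the device private key, sign with the same key, encrypt to the service.
func (d *Device) Respond(encToken []byte) ([]byte, error) {
	token, err := rsa.DecryptOAEP(sha256.New(), nil, d.key, encToken, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(token)
	sig, err := rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, d.servicePub, append(token, sig...), nil)
}

// Verify (claim 15): decrypt with the service key, check the device signature, compare tokens.
func (s *Service) Verify(blob, expected []byte) bool {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, blob, nil)
	if err != nil || len(pt) < 32 {
		return false
	}
	h := sha256.Sum256(pt[:32])
	return rsa.VerifyPSS(s.devicePub, crypto.SHA256, h[:], pt[32:], nil) == nil && hmac.Equal(pt[:32], expected)
}

// Setup builds the three parties as claim 17's account initialisation would leave them
// (key-generation errors are ignored here for brevity).
func Setup() (*Service, *Device, Server) {
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	svcKey, _ := rsa.GenerateKey(rand.Reader, 3072)
	security, read := make([]byte, 32), make([]byte, 32)
	rand.Read(security) // crypto/rand.Read always fills its buffer in current Go
	rand.Read(read)
	srv := Server{loc: {security: security, read: read}}
	return &Service{svcKey, &devKey.PublicKey, read}, &Device{devKey, &svcKey.PublicKey, security}, srv
}

// Authenticate runs the claim 14/15 exchange; readToken is what the service presents to the server.
func Authenticate(svc *Service, dev *Device, srv Server, readToken []byte) (bool, error) {
	token := make([]byte, 32)
	rand.Read(token) // the service's fresh authentication token
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, svc.devicePub, token, nil) // in-band
	if err != nil {
		return false, err
	}
	blob, err := dev.Respond(enc)
	if err != nil {
		return false, err
	}
	if err = srv.Deposit(loc, dev.security, blob); err != nil { // out-of-band: device -> server
		return false, err
	}
	got, err := srv.Fetch(loc, readToken) // service -> server, gated on the read token
	if err != nil {
		return false, err
	}
	return svc.Verify(got, token), nil
}

func main() {
	svc, dev, srv := Setup()
	fmt.Println(Authenticate(svc, dev, srv, svc.read))
}
```

Run with `go run`; it prints `true <nil>` when the service accepts. Two checks matter from a defender's view: the relay releases the blob only after a constant-time comparison of the read token against the stored record, and the service accepts only when the device signature verifies and the recovered token equals the one it generated, so a replayed or forged blob is rejected even if the relay is lenient. Passing a wrong read token to Authenticate makes the server refuse the request before the service ever sees the blob.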
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497