Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/27/20 was filed after the mailing date of the application on 3/27/20.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
1.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422  re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

2.	Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of copending Application No. 15/155,044.  Although the conflicting claims are not identical, they are not patentably distinct from each other because claim 1 of copending Application No. 15/155,044 contain every element of claims 1-20 of the instant application and such anticipate claims 1-20 of the instant application.
3.	This is a provisional obviousness-type double patenting rejection since the conflicting claims have not yet been patented. The mapping of the rejected claims of the instant application to the copending application is as follows:
Claim 1 in the instant application #16/832,492 corresponds to claim 1 in the co-pending application #15/155,044. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-10, 13-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lyons (US Patent Pub. 2013/0185207) in view of Dorfman (US Patent Pub. 2014/0282961) in view of Mirzah (US Patent Pub 20080098464).


As per claims 1, 13 and 20:  A computing platform, comprising:
at least one processor (Fig 1 element 110);
a communication interface communicatively coupled to the at least one processor (Fig. 2, steps 320 and 330f); and
memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
par. 0026, a customer 302 has a desire to access personal information for instance on a relying party website; see also par. 0023; Fig. 3, step 302f);
based on receiving the authentication request for the user account from the computing device, generate one or more authentication prompts based on one or more authentication rules (pars. 0028-0029; customer asked to provide PAN and challenger question presented; Fig. 2, steps 320 and 330f);
provide the one or more authentication prompts generated based on the one or more authentication rules (pars. 0028-0029; customer asked to provide PAN and challenger question presented; Fig. 2, steps 320 and 330);
validate one or more responses to the one or more authentication prompts generated based on the one or more authentication rules (pars. 0029-0030, confirmation of authentication and customer gains access to personal information; Fig. 3 step 340);
based on validating the one or more responses to the one or more authentication prompts generated based on the one or more authentication rules, generate one or more security questions based on historical information associated with the user account, wherein the historical information associated with the user account comprises login history information associated with the user account, and wherein generating the pars. 0029-0030, confirmation of authentication and customer gains access to personal information; pars. 0039-0040; in step 522, the relying party shares data received from the customer, which can include a network ID (identification), case code, required information, and authentication level (or assurance score) required to access the personal information hosted by the relying party's website. In step 524, the data received from the customer and relying party is sent to the payment card service provider, which is captured by the managing computer system of the payment card service provider. If the customer is eligible to access personal information on the relying party website or as an initial step, in step 540, the customer enters the complete primary account number (i. e., eligible PAN) and sends the information to the managing computer system (i.e., by clicking OK, Send and/or Enter on the keyboard or graphical user interface of the client device for example). In step 542, the customers' PAN information is passed onto the managing computer system for the payment card service provider, which determines the attribute provider and sends the attribute provider the PAN and a request for authentication and/or challenger questions based on the authentication needs of the relying party site. In step 544, the attribute provider (or issuer) returns one or more (as required) authentication and/or challenger questions that need to be answered by the customer. In step 550, the managing computer system presents the authentication and/or challenger questions to the relying party website, which presents the authentication and/or challenger questions in step 552 to the customer within the existing pop-up window; Figs. 3, 5 A&B);
provide the one or more security questions generated based on the historical information associated with the user account (See Lyons: pars. 0039-0040; in step 522, the relying party shares data received from the customer, which can include a network ID (identification), case code, required information, and authentication level (or assurance score) required to access the personal information hosted by the relying party's website. In step 524, the data received from the customer and relying party is sent to the payment card service provider, which is captured by the managing computer system of the payment card service provider. If the customer is eligible to access personal information on the relying party website or as an initial step, in step 540, the customer enters the complete primary account number (i.e., eligible PAN) and sends the information to the managing computer system (i.e., by clicking OK, Send and/or Enter on the keyboard or graphical user interface of the client device for example). In step 542, the customers' PAN information is passed onto the managing computer system for the payment card service provider, which determines the attribute provider and sends the attribute provider the PAN and a request for authentication and/or challenger questions based on the authentication needs of the relying party site. In step 544, the attribute provider (or issuer) returns one or more (as required) authentication and/or challenger questions that need to be answered by the customer. In step 550, the managing computer system presents the authentication and/or challenger questions to the relying party website, which presents the authentication and/or challenger questions in step 552 to the customer within the existing pop-up window; Figs. 5A&B);
validate one or more responses to the one or more security questions generated based on the historical information associated with the user account and store updated login history information for the user account based on providing the user account information associated with the user account to the computing device (See Lyons: pars. 0039-0040; in step 522, the relying party shares data received from the customer, which can include a network ID (identification), case code, required information, and authentication level (or assurance score) required to access the personal information hosted by the relying party's website. In step 524, the data received from the customer and relying party is sent to the payment card service provider, which is captured by the managing computer system of the payment card service provider. If the customer is eligible to access personal information on the relying party website or as an initial step, in step 540, the customer enters the complete primary account number (i.e., eligible PAN) and sends the information to the managing computer system (i.e., by clicking OK, Send and/or Enter on the keyboard or graphical user interface of the client device for example). In step 542, the customers' PAN information is passed onto the managing computer system for the payment card service provider, which determines the attribute provider and sends the attribute provider the PAN and a request for authentication and/or challenger questions based on the authentication needs of the relying party site. In step 544, the attribute provider (or issuer) returns one or more (as required) authentication and/or challenger questions that need to be answered by the customer. In step 550, the managing computer system presents the authentication and/or challenger questions to the relying party website, which presents the authentication and/or challenger questions in step 552 to the customer within the existing pop-up window; Figs. 5A&B).
However, Lyon does not specifically disclose based on validating the one or more responses to the one or more security questions generated based on the historical information associated with the user account, provide user account information associated with the user account to the computing device (Dorfman: par. 0025, the log-in ID may be a username, an e-mail address, a screen name, or any other unique ID, name, or address associated with the user).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Lyons and Dorfman in it’s entirety, to modify the technique of Lyons for online authentication, which enables a customer to gain access to personal information by adopting Dorfman's teaching for authenticating an identity of an online user. The motivation would have been to maintaining and ensuring the safety and security of customer information.
As per claims 2 and 14:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein the login history information associated with the user account comprises device information identifying at least one device that was previously used to access the user account  (Lyons: pars. 0028-0029; challenger question presented; Fig. 2, step 330).
As per claims 3 and 15:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein the login history information associated with the user account comprises channel information identifying at least one channel that was previously used to access the user account  (Lyons: pars. 0028-0029; challenger question presented; Fig. 2, step 330).
As per claims 4 and 16:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein the historical information associated with the user account comprises usage history information associated with the user account (Lyons: pars. 0028-0029; challenger question presented; Fig. 2, step 330).
As per claims 5 and 17: The combination of Lyons and Dorfman discloses the computing platform of claim 4, wherein the usage history information associated with the user account comprises action information identifying one or more actions that were previously performed during a usage session of the user account (Lyons: pars. 0028-0029; challenger question presented; Fig. 2, step 330).
As per claims 6 and 18:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein providing the one or more authentication prompts generated based on the one or more authentication rules comprises sending, via the communication interface, and to the computing device, a prompt to provide a username and password for the user account (Dorfman: par. 0046, the IVR server(s) may instruct the user to say one more words or phrases, and/or to answer one or more security questions, using the user's natural speaking voice, Fig. 6).
As per claim 8:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein providing the one or more authentication prompts Dorfman: par. 0046, the IVR server(s) may instruct the user to say one more words or phrases, and/or to answer one or more security questions, using the user's natural speaking voice, Fig. 6).
As per claim 9:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein providing the one or more security questions generated based on the historical information associated with the user account comprises sending, via the communication interface, and to the computing device, a prompt to respond to the one or more security questions generated based on the historical information associated with the user account (See Lyons: pars. 0039-0040; in step 522, the relying party shares data received from the customer, which can include a network ID (identification), case code, required information, and authentication level (or assurance score) required to access the personal information hosted by the relying party's website. In step 524, the data received from the customer and relying party is sent to the payment card service provider, which is captured by the managing computer system of the payment card service provider. If the customer is eligible to access personal information on the relying party website or as an initial step, in step 540, the customer enters the complete primary account number (i.e., eligible PAN) and sends the information to the managing computer system (i.e., by clicking OK, Send and/or Enter on the keyboard or graphical user interface of the client device for example). In step 542, the customers' PAN information is passed onto the managing computer system for the payment card service provider, which determines the attribute provider and sends the attribute provider the PAN and a request for authentication and/or challenger questions based on the authentication needs of the relying party site. In step 544, the attribute provider (or issuer) returns one or more (as required) authentication and/or challenger questions that need to be answered by the customer. In step 550, the managing computer system presents the authentication and/or challenger questions to the relying party website, which presents the authentication and/or challenger questions in step 552 to the customer within the existing pop-up window; Figs. 5A&B).
As per claim 10:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein providing the user account information associated with the user account to the computing device comprises enabling the computing device to access to an online banking portal provided by the financial institution (pars. 0028-0029; customer asked to provide PAN; Fig. 2, steps 320; par. 0014, the term "issuer" or "attribute provider" can include, for example, a financial institution (i.e., bank)).

Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lyons (US Patent Pub. 2013/0185207) in view of Dorfman (US Patent Pub. 2014/0282961) in view of Mirzah (US Patent Pub 20080098464).

As per claims 7 and 19:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, validate one or more responses to the one or more pars. 0029-0030, confirmation of authentication and customer gains access to personal information; Fig. 3 step 340);
Lyons in view of Dorfman do not specifically disclose wherein providing the one or more authentication prompts generated based on the one or more authentication rules comprises sending, via the communication interface, and to a mobile computing device registered with the user account, a one-time passcode.
Mirzah: par. 0018, SMS payment security service allows customers to first be identified by their internet banking login and password and then by the OTP—a one-time SMS code. This service works by sending one time only code OTP via SMS to user's mobile phone while completing an on-line payment. Then, user enters the unique code into the payment confirmation screen within a short allowable period of time to complete the payment; Fig. 6B)).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Lyons, Dorfman and Mirzah in it’s entirety, to modify the technique of Lyons for online authentication, which enables a customer to gain access to personal information by adopting Mirzah's teaching for user authentication systems used for access control in computer and network security systems. The motivation would have been to maintaining and ensuring the safety and security of customer information.


11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Lyons (US Patent Pub. 2013/0185207) in view of Dorfman (US Patent Pub. 2014/0282961) in view of Dhandayuthapani (US Patent Pub. 2016/0380976).

As per claim 11:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
Lyons in view of Dorfman do not specifically disclose store updated usage history information for the user account based on providing the user account information associated with the user account to the computing device (Dhandayuthapani: par. 0069, actions may include changing a password; Fig. 3).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Dhandayuthapani with the method and system of Lyons, Doftman, and Mirzah wherein an account update request is received to provide users with a means for improving user’s access features (Dhandayuthapani: par. 0069).
As per claim 12:  The combination of Lyons and Dorfman discloses the computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: 
prior to receiving the authentication request for the user account:
Lyons; par. 0026, a customer 302 has a desire to access personal information for instance on a relying party website; see also par. 0023; Fig. 3, step 302f); and
Lyons in view of Dorfman do not specifically disclose store initial usage history information for the user account based on monitoring usage of the user account during a usage session (Dhandayuthapani: par. 0069, actions may include changing a password; Fig. 3).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Dhandayuthapani with the method and system of Lyons, Doftman, and Mirzah wherein an account update request is received to provide users with a means for improving user’s access features (Dhandayuthapani: par. 0069).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472.  The examiner can normally be reached on 730-330pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ANTHONY D BROWN/Primary Examiner, Art Unit 2433