DETAILED ACTION

This non-final office action is in response to claims 1-10 and 12-22 filed January 31, 2020 for examination. Claims 11 and 23-24 were canceled. Claims 1-10 and 12-22 are being examined and are pending.
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Preliminary Amendment

The preliminary amendment to the claims, filed 01/31/2020, has been acknowledged.
Drawings

The drawings filed on 01/31/2020 have been accepted.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 3-7, and 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by EP 3041185 A1 to Terasaki et al. (hereinafter “Terasaki”).
Regarding claim 1, Terasaki disclosed a computer-implemented method conducted at a server computer of an authentication service provider comprising: 
receiving an authentication request, the authentication request requesting authentication of a transaction and including transaction details describing the transaction (Para. 0030. In a step G1, the user equipment UE sends a request R1 for authentication to the server S, said request R1 for authentication comprising an identifier Id1 of a user of the user equipment UE, such as a login, and a first authenticating parameter P1 of said user such as a password, a PIN code, etc.); 
obtaining an encryption key being unique to the authentication service provider and a user mobile device (Para. 0031. Based on the identifier Id1 of the user of the user equipment UE and the first authenticating parameter P1, the server S retrieves an encryption key PK1 associated to the user of the user equipment UE (i.e. a unique encryption key) during a step G3. The encryption key PK1 may be a public key associated to the user of the user equipment UE.); 
generating an authentication prompt including at least some of the transaction details (Para. 0035. The user equipment UE displays the multi-dimensional code QRC received in the message MSG1 on a display of the user equipment UE.);
encrypting a payload including the authentication prompt using the encryption key to output an encrypted payload (Para. 0032. The server S encrypts a second authenticating parameter P2 associated to the user of the user equipment UE using the encryption key PK1.); and, 
providing the encrypted payload via a first communication channel to a user for acquisition and decryption by the user mobile device using a decryption key corresponding to the encryption key (Para. 0037. The mobile device MD decrypts the second authenticating parameter P2 using a decryption key PK2 associated to the user of the user equipment UE stored on the mobile device MD. The decryption key PK2 is for example a private key associated to the user of the user equipment UE and to the public key PK1.).
Claim 21 recites, mutatis mutandis, limitations similar to those of claim 1, which are therefore also considered to be taught by Terasaki as above.
Regarding claim 3, Terasaki further taught the method as claimed in claim 1, wherein the first communication channel is established between the server computer and a user communication device, and wherein the first communication channel is a secure communication channel (Para. 0001. Secured communication session with server).
Regarding claim 4, Terasaki further taught the method as claimed in claim 3, wherein providing the encrypted payload to the user includes transmitting the encrypted payload to the user communication device via the first communication channel for providing the encrypted payload to the user (Para. 0032-0035. The multi-dimensional code (the encoded encrypted payload) is transmitted to and displayed on a display of the user equipment).
Regarding claim 5, Terasaki further taught the method as claimed in claim 3, wherein the authentication request is received from a transaction service provider facilitating the transaction, wherein the first communication channel is established between the server computer, transaction service provider and the user communication device (Fig. 3. MD (mobile device), UE (user equipment), and S (server)) and wherein providing the encrypted payload to the user includes transmitting the encrypted payload to the transaction service provider for on-forwarding to the user device (Fig. 3, Steps G6, G7, G8. Para. 0035, 0036.).
Regarding claim 6, Terasaki further taught the method as claimed in claim 1, wherein providing the encrypted payload via the first communication channel includes: generating a Para. 0033-0035. The multi-dimensional code QRC may be a bar-code or a QR code.).
Regarding claim 7, Terasaki further taught the method as claimed in claim 1, wherein obtaining the encryption key includes accessing a mobile device public key stored at the authentication service provider (Para. 0031. Public key associated with the user stored in UE) and being uniquely associated with a mobile device private key securely stored in the user mobile device (Para. 0037. Private key stored on the SIM card of the mobile device MD).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Terasaki in view of US 8,477,941 B1 to Dhanoa et al. (hereinafter “Dhanoa”).
Regarding claim 8, Terasaki taught the method as claimed in claim 7. Terasaki does not, but the analogous art Dhanoa taught, wherein obtaining the encryption key includes: obtaining a symmetric key (Col. 9, line 8. Generate symmetric key); and, accessing the mobile device public key and an authentication service provider private key being securely stored at the authentication service provider and being uniquely associated with an authentication service provider public key accessible to the mobile device (Col. 9, lines 23-30. Public-private key.).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Terasaki by including the idea that obtaining the encryption key includes: obtaining a symmetric key; and, accessing the mobile device public key and an authentication service provider private key being securely stored at the authentication service provider and being uniquely associated with an authentication service provider public key accessible to the mobile device, as taught by Dhanoa, so that data securely communicated on the first network will continue to be securely communicated while transitioning to the second network (Dhanoa, col. 1, lines ).
Regarding claim 9, Terasaki-Dhanoa combination further taught the method as claimed in claim 8, wherein encrypting the payload includes: encrypting the payload using the symmetric key to output a symmetrically encrypted payload; asymmetrically encrypting the symmetric key using one or both of the mobile device public key and the authentication service provider private key to output an asymmetrically encrypted symmetric key, wherein the encrypted payload includes Col. 9, lines 12-20. Symmetric key is encrypted utilizing broadcast server’s public key. The symmetric keys are utilized to encrypt and decrypt communications between the mobile device and the broadcast server.).
Claims 2, 10, 12-14, 18-20, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Terasaki in view of US 2017/0244692 A1 to Bhupathiraju et al. (hereinafter “Bhupathiraju”).
Regarding claim 2, Terasaki disclosed the method as claimed in claim 1. Terasaki does not, but the analogous art Bhupathiraju taught, wherein the payload includes a nonce and the authentication prompt for encryption (Para. 0053-0055. The registration authentication request includes transaction ID, LoA, user interface text to be displayed to the user 101 on the mobile device 103 and a nonce that is used either as a key for the response sent back to the authentication server 118 or from which a key is derived. The registration authentication request message may contain a salt to be used by the applet 215 executing on the security device 107 to compute a salted hash of the PIN which is included in the response message that the security device 107 transmits back to the authentication server 118. The security device 107 encrypts the response message using the nonce from the registration authentication request. The nonce can either be used directly, or a derivation can be performed on the nonce to generate the cryptographic key used in encrypting the response.).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Terasaki by including the idea of the payload includes a nonce and the authentication prompt for encryption as taught by Bhupathiraju 
Regarding claim 10, Terasaki-Bhupathiraju combination further taught the method as claimed in claim 1, including: receiving a validation request including a token based on or including one or both of the transaction details and a nonce; validating the token; and, if the token is valid, transmitting an authentication confirmation message confirming authentication of the transaction (Bhupathiraju, Para. 0053)
Regarding claim 12, Terasaki taught a computer-implemented method conducted at a user mobile device comprising: 
capturing an encrypted payload, the encrypted payload including an authentication prompt relating to authentication of a transaction and including transaction details describing the transaction (Para. 0032-0035. In a step G5, the server S encodes the encrypted authenticating parameter P2 in the form of a multi-dimensional code QRC. The multi-dimensional code QRC may be a bar-code or a QR code for example. [0034] In a step G6, the server S transmits said multi-dimensional code QRC to the user equipment UE in a message MSG1. The user equipment UE displays the multi-dimensional code QRC received in the message MSG1 on a display of the user equipment UE.); 
accessing a decryption key for decrypting the encrypted payload, the decryption key corresponding to an encryption key having been used at an authentication service provider to encrypt the payload and being unique to the authentication service provider and the user mobile device (Para. 0031-0032. In a step G2, the server S receives the request R1. Based on the identifier Id1 of the user of the user equipment UE and the first authenticating parameter P1, the server S retrieves an encryption key PK1 associated to the user of the user equipment UE during a step G3. The encryption key PK1 may be a public key associated to the user of the user equipment UE. In a step G4, the server S encrypts a second authenticating parameter P2 associated to the user of the user equipment UE using the encryption key PK1. Para. 0037. Once the multi-dimensional code QRC is decoded, the mobile device MD decrypts the second authenticating parameter P2 using a decryption key PK2 associated to the user of the user equipment UE stored on the mobile device MD in a step G9. The decryption key PK2 is for example a private key associated to the user of the user equipment UE and to the public key PK1.); 
using the decryption key to decrypt the encrypted payload to obtain the authentication prompt including the transaction details; displaying, via a display of the user mobile device, the authentication prompt including the transaction details and prompting a user of the user mobile device to authenticate the transaction (Para. 0037-0038. Once the multi-dimensional code QRC is decoded, the mobile device MD decrypts the second authenticating parameter P2 using a decryption key PK2 associated to the user of the user equipment UE stored on the mobile device MD in a step G9. The mobile device MD then displays on its screen the decrypted second authenticating parameter P2 in a step G10.); and, 
Terasaki did not, but the analogous art Bhupathiraju taught, providing a token based on or including one or both of the transaction details or a nonce for submission to the authentication service provider (Para. 0053-0055. The registration authentication request includes transaction ID, LoA, user interface text to be displayed to the user 101 on the mobile device 103 and a nonce that is used either as a key for the response sent back to the authentication server 118 or from which a key is derived. The registration authentication request message may contain a salt to be used by the applet 215 executing on the security device 107 to compute a salted hash of the PIN which is included in the response message that the security device 107 transmits back to the authentication server 118. The security device 107 encrypts the response message using the nonce from the registration authentication request. The nonce can either be used directly, or a derivation can be performed on the nonce to generate the cryptographic key used in encrypting the response.).
Therefore, it would have been obvious to one having ordinary skill in the art before the applicant(s) invention was filed to modify the invention of Terasaki by including the idea of providing a token based on or including one or both of the transaction details or a nonce for submission to the authentication service provider, as taught by Bhupathiraju, for the advantage that users may use their mobile device as an authentication medium for access to service provider services (Bhupathiraju, 0024).
Claim 22 recites, mutatis mutandis, limitations similar to those of claim 12, which are therefore also considered to be taught by the Terasaki-Bhupathiraju combination as above.
Regarding claim 13, Terasaki further taught the method as claimed in claim 12, wherein the encrypted payload is provided to the user by a transaction service provider facilitating the transaction, the transaction service provider having received the encrypted payload from the authentication service provider (Para. 0031-0035).
Regarding claim 14, Terasaki further taught the method as claimed in claim 12, wherein accessing the decryption key includes accessing a mobile device private key securely stored in the mobile device and uniquely associated with a mobile device public key stored at the authentication service provider in association with the mobile device (Para. 0037. The decryption key PK2 is for example a private key associated to the user of the user equipment UE and to the public key PK1. The decryption key PK2 may be stored on the SIM card of the mobile device MD for higher security.).
Regarding claim 18, Terasaki-Bhupathiraju combination further taught the method as claimed in claim 12, wherein the token is based on the nonce, and wherein providing the token includes: generating the token using the nonce as an input to an algorithm; and, displaying the token to the user via the display of the user mobile device for submission by the user to the authentication service provider (Bhupathiraju, Para. 0053-0055. Terasaki, Para. 0039.).
Regarding claim 19, Terasaki-Bhupathiraju combination further taught the method as claimed in claim 12, wherein the token is based on the transaction details, and wherein providing the token includes: generating the token using the transaction details as an input to an algorithm; and, displaying the token to the user via the display of the user mobile device for submission by the user to the authentication service provider (Bhupathiraju, Para. 0053-0055. Terasaki, Para. 0039.).
Regarding claim 20, Terasaki-Bhupathiraju combination further taught the method as claimed in claim 12, wherein displaying the token to the user includes displaying the token in the prompt together with the transaction details (Bhupathiraju, Para. 0038-0040).
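The nonce-and-token leg of the exchange discussed for claims 2, 10, 18 and 19 above, as an added illustration that is not code from the office action or from the cited references: the server places a nonce in the prompt payload, the mobile device derives a token from that nonce and the transaction details, and the server validates the returned token. The payload encryption under the device-specific key is assumed to happen around this and is not modelled; the transaction fields, the key-derivation label and the 8-digit token format are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: models only the nonce/token part of the claimed exchange.
# Encryption of the payload with the key unique to the provider and the device
# is assumed to wrap the payload produced here and is out of scope.


def canonical_transaction(transaction):
    """Serialise the transaction details deterministically so both sides MAC the same bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


def derive_token_key(nonce_hex):
    """Derive the token key from the nonce rather than using the nonce directly.
    The label is a constructed domain-separation constant, not one from the references."""
    return hashlib.sha256(b"auth-prompt-token-v1" + bytes.fromhex(nonce_hex)).digest()


def generate_token(payload):
    """Mobile-device side: a token over the transaction details, keyed by the nonce
    carried in the prompt. Truncated to an 8-digit code the user can read off the
    display and submit to the authentication service provider."""
    key = derive_token_key(payload["nonce"])
    mac = hmac.new(key, canonical_transaction(payload["transaction"]), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class AuthenticationServer:
    """Authentication service provider side: issues prompts and validates returned tokens."""

    def __init__(self):
        self.pending = {}  # nonce -> transaction details awaiting a token

    def create_prompt(self, transaction):
        """Build the payload that would then be encrypted for the device:
        prompt text, the transaction details it describes, and a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = transaction
        prompt = (f"Approve {transaction.get('amount')} {transaction.get('currency')} "
                  f"to {transaction.get('merchant')}?")
        return {"prompt": prompt, "transaction": transaction, "nonce": nonce}

    def validate(self, nonce, token):
        """Validation request: recompute the token for the stored details and compare
        in constant time. The nonce is consumed on the first attempt, so a replayed
        or guessed token cannot be retried against the same prompt."""
        transaction = self.pending.pop(nonce, None)
        if transaction is None:
            return False
        expected = generate_token({"transaction": transaction, "nonce": nonce})
        return hmac.compare_digest(expected, token)
```

Because the token binds the transaction details, a prompt whose details were altered after issue yields a token the server rejects, and a second submission of a valid token fails because the nonce has already been consumed.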

Claim Interpretation under 35 USC 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification, as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: an authentication receiving component, an encryption key obtaining component, an authentication prompt generating component, an encrypting component, a prompt providing component, a capturing component, a decryption key accessing component, a decryption component, and a token providing component in claims 21-22. However, Figure 4, reference numerals 406, 408, 416, 418, 420, 458, 460, 468, 470, and 474, shows corresponding structure. See also the corresponding section of the specification.

Allowable Subject Matter
Claim 15 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim (claim 12) and any intervening claims (claim 14).
The following is a statement of reasons for the indication of allowable subject matter: none of the prior art of record, taken alone or in combination, teaches the following claim limitation when incorporated into the independent claim along with the intervening claim as a whole.
Claim 15: The method as claimed in claim 14, wherein accessing the decryption key includes: accessing the mobile device private key and an authentication service provider public key being uniquely associated with an authentication service provider private key securely stored at the authentication service provider.
Dependent claims 16 and 17 would also be allowable based on their dependency.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2015/0163211 A1 (Chellappa et al.): a method, system, and computer program product for authenticating a node in an electronic communications system. An authentication request is received from a node. A generating challenge is transmitted to the node, wherein the generating challenge prompts the node to generate a first code representing an output of a first encryption challenge having inputs that include a first random value and a first intrinsic ID based on an intrinsic feature. The first code is received from the node in response to the generating challenge. A second code is generated, wherein the second code represents an output of a second encryption challenge having inputs that include at least two of: the first code, a second random value, and a second intrinsic ID, wherein the second intrinsic ID is obtained from a source other than the node. The node is authenticated based on one or more of: (a) the second encryption challenge having inputs of the second random value and the second intrinsic ID, and the second code matching the first code; (b) the second encryption challenge having inputs of the first code and the second random value, and the second code matching the second intrinsic ID; and (c) the second encryption challenge having inputs of the first code and the second intrinsic ID, and the second code matching the second random value; whereby the first random value matches the second random value and the first intrinsic ID matches the second intrinsic ID. See the Summary section.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani, can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Shawnchoy Rahman/Primary Examiner, Art Unit 2438