DETAILED ACTION
This Office Action is in response to the amendment filed 6/9/2021 to application 16/204,350.
Claims 1-20 are currently pending; claims 1, 9, 17, and 19 have been amended; claims 1, 9, and 17 are independent claims; claims 1-20 have been examined.  
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Action is made FINAL.
Response to Arguments
Applicants’ arguments, see Applicant Arguments/Remarks Made in an Amendment, filed 6/9/2021, with respect to the rejections of claims 1-20 have been fully considered but are not persuasive.
Applicant comments as follows:  During the interview, the Office Action mailed March 19, 2021, was discussed in the context of proposed claim amendments and standing rejections. For the 101 rejection, several proposed claim amendments were discussed but no agreement was reached. For the 103 rejection, the Examiner indicated that the proposed claim amendments appear to overcome the cited art, but further search and consideration would be required in advance of an allowability determination.
Examiner respectfully notes that the interview summary is as follows:  The applicant further explained the claimed invention and alleged differences between the prior art and proposed amended claims. The examiner pointed out his position that the proposed 
Applicant respectfully argues as follows:  Amended independent claim 1 generally recites, among other things, “generate an authentication request including a transaction ID that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user identifier, and a device identifier” as well as “generate and transmit a notification to an authentication application processor that is associated with the user device, the notification including a prompt to the user device for a simple passcode” and independent claims 9 and 17 recite similar respective features. With respect to the above feature, relevant disclosure is provided at paragraphs [0018]-[0020] and [0022] of the specification of the instant application. Applicant respectfully submits that each of Gomi, Rathbun, and Shastri fails to teach the recited claim features.  More specifically, Applicant respectfully submits that the cited parts of Gomi, Rathbun, and Shastri do not provide any disclosure for “generate an authentication request including a transaction ID that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user 
Examiner respectfully disagrees.  Regarding claim 1, Eisen discloses, in paragraph 0056 and FIG. 4, a system for facilitating secure access to an electronic portal comprising: a plurality of processors: a memory: and a communication interface coupled to each of the plurality of processors and the memory; in paragraphs 0209, 195, 0189, 0062, that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user identifier, and a device identifier. Examiner notes that  paragraph 0001 of Applicant’s original disclosure discloses “website or other electronic portal” interpreted to mean a website is a type of electronic portal.  Eisen discloses, in paragraph 0181, transmit the authentication request to an authentication service processor; in paragraph 0181, wherein the authentication service processor is configured to: receive the authentication request.  Rathbun discloses, in paragraph 0019, wherein an authentication portal processor is configured to: receive an access request from a user device; in paragraph 0012, generate and transmit a notification to an authentication application processor that is associated with the user device, the notification including a prompt to the user device for a simple passcode; in paragraph 0012, wherein the authentication application processor is configured to: receive the notification and accept user input of the simple passcode  where- authentication application processor encompasses prompt to provide personal identification number).  Rathbun, in paragraph 0012, discloses authenticate the user input of the simple passcode; in paragraph 0073, upon successful authentication, grant access to the authentication portal.
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272 5368 to schedule an interview.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b) (2) (C) for any potential 35 U.S.C. 102(a) (2) prior art against the later invention.

Claims 1, 9, 17, and 18 are rejected under 35 U.S.C. 103Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011.
Regarding claim 1, Eisen discloses a system for facilitating secure access to an electronic portal comprising: a plurality of processors: a memory: and a communication interface coupled to each of the plurality of processors and the memory (Eisen, paragraph 0056, “The user device may comprise memory storage units which may comprise non-transitory computer readable medium comprising code, logic, or instructions for performing one or more steps.  The user device may comprise one or more processors capable of executing one or more steps, for instance in accordance with the non-transitory computer readable media.  The user device may comprise a display showing a graphical user interface.  The user device may be capable of accepting inputs via a user interactive device.  Examples of such user interactive devices may include a keyboard, button, mouse, touchscreen, touchpad, joystick, trackball, camera, microphone, motion sensor, heat sensor, inertial sensor, or any other type of user interactive device.  The user device may be capable of operating one or more software applications.  One or more applications may or may not be related to the operation of the card reader.”; FIG. 4 shows processing unit 408 and memory unit 410 the communications of which would pass through a communication interface);
generate an authentication request including a transaction ID that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user identifier, and a device identifier (Eisen, paragraph 0195, “The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0209, “The stored data may include information such as a transaction ID, data from an authentication read, and/or any additional information from the card.  The transaction ID be a unique identifier that identifies a particular transaction, e.g., TID 1, TID 2, TID 3, etc. As previously described, a transaction may be any time a user has an authentication read performed for the user's card.  The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0190, “In other embodiments, the QR code analyzer may analyze the collected data packet to identify the user device or the user.”; paragraph 0189, “In some embodiments, the user device identity or user device identifier may be transmitted along with the code or processed information as a data packet to the authentication system 1403.”; paragraph 0062, “The authentication read may also result in obtaining positional information (e.g., orientation, spatial location [i.e., access location], and/or any corresponding movement information) about the card reader and/or user device.”; paragraph 0243, “In some embodiments, when a locator (e.g., URL) is provided, the QR code may be displayed via an interface such as a webpage or any software.  The interface is linked to the server via the locator (e.g., URL) to establish a communication of the user and the server.” --- paragraph 0001 of Applicant’s original disclosure discloses “website or other electronic portal” interpreted to mean a website is a type of electronic portal);
transmit the authentication request to an authentication service processor (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system [i.e., authentication service processor].  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”);
wherein the authentication service processor is configured to: receive the authentication request (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system [i.e., authentication service processor].  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”).
Eisen does not explicitly disclose wherein an authentication portal processor is configured to: receive an access request from a user device; generate and transmit a notification to an authentication application processor that is associated with the user device, the notification including a prompt to the user device for a simple passcode; wherein the authentication application processor is configured to: receive the notification and accept user input of the simple passcode; authenticate the user input of the simple passcode; upon successful authentication, grant access to the authentication portal.
However, in an analogous art, Rathbun discloses wherein an authentication portal processor is configured to: receive an access request from a user device (Rathbun, paragraph 0019, “Web server 130 may host a website.  Web server 130 may handle a transaction (e.g., a request to access an online portal [i.e., authentication portal processor] associated with an account of a user, an online purchase, a request for verification of a person's identity, etc.) initiated at computer terminal 120, by a user of mobile device 110 [i.e., user device] who accesses the website by using computer terminal 120.”);
generate and transmit a notification to an authentication application processor that is associated with the user device, the notification including a prompt to the user device for a simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt [i.e., notification] the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
wherein the authentication application processor is configured to: receive the notification and accept user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.” --- authentication application processor encompasses prompt to provide personal identification number);
(Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.””);
upon successful authentication, grant access to the authentication portal (Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the system/method of Eisen to include wherein an authentication portal processor is configured to: receive an access request from a user device; generate and transmit a notification to an authentication application processor that is associated with the user device, the notification including a prompt to the user device for a simple passcode; wherein the authentication application processor is configured to: receive the notification and accept user input of the simple passcode; authenticate the user input of the simple passcode; upon successful authentication, grant access to the authentication portal.
(Rathbun: paragraph 0068).
Regarding claim 9, Eisen discloses a computer implemented method for facilitating secure access to an electronic portal comprising generating an authentication request including a transaction ID that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user identifier, and a device identifier (Eisen, paragraph 0195, “The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0209, “The stored data may include information such as a transaction ID, data from an authentication read, and/or any additional information from the card.  The transaction ID be a unique identifier that identifies a particular transaction, e.g., TID 1, TID 2, TID 3, etc. As previously described, a transaction may be any time a user has an authentication read performed for the user's card.  The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0190, “In other embodiments, the QR code analyzer may analyze the collected data packet to identify the user device or the user.”; paragraph 0189, “In some embodiments, the user device identity or user device identifier may be transmitted along with the code or processed information as a data packet to the authentication system 1403.”; paragraph 0062, “The authentication read may also result in obtaining positional information (e.g., orientation, spatial location [i.e., access location], and/or any corresponding movement information) about the card reader and/or user device.”; paragraph 0243, “In some embodiments, when a locator (e.g., URL) is provided, the QR code may be displayed via an interface such as a webpage or any software.  The interface is linked to the server via the locator (e.g., URL) to establish a communication of the user and the server.” --- paragraph 0001 of Applicant’s original disclosure discloses “website or other electronic portal” interpreted to mean a website is a type of electronic portal);
transmitting the authentication request to an authentication service (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”);
at the authentication service: receiving the authentication request from the authentication portal (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”).

However, in an analogous art, Rathbun discloses at an authentication portal: receiving an access request from a user device (Rathbun, paragraph 0019, “Web server 130 may host a website.  Web server 130 may handle a transaction (e.g., a request to access an online portal [i.e., authentication portal processor] associated with an account of a user, an online purchase, a request for verification of a person's identity, etc.) initiated at computer terminal 120, by a user of mobile device 110 [i.e., user device] who accesses the website by using computer terminal 120.”);
generating a notification configured to prompt the user device for input of a simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt [i.e., notification] the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
(Rathbun, paragraph 0012, “The authentication server may prompt [i.e., notification] the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
at the authentication application: receiving the notification and accepting user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”);
authenticating the user input of the simple passcode (Rathbun, paragraph 0012, “The authentication server may prompt the user to provide authentication information (e.g., a password, a personal identification number (PIN), a one-time passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”; paragraph 0024, “Authentication server 140 may receive the authentication information (e.g., with/in a request to accept/approve or reject the selected authentication request) from mobile device 110, and authenticate the user based on the authentication information.”);
upon successful authentication, granting access to the authentication portal (Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the system/method of Eisen to include at an authentication portal: receiving an access request from a user device; generating a notification configured to prompt the user device for input of a simple passcode; transmitting the notification to an authentication application; at the authentication application: receiving the notification and accepting user input of the simple passcode; authenticating the user input of the simple passcode; upon successful authentication, granting access to the authentication portal.
One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
Regarding claim 17, Eisen discloses a computer implemented method for facilitating secure access to an electronic portal though through multifactor authentication, the method comprising (Eisen, paragraph 0246, “The authentication may be a multi-factor authentication.”);
at an authentication portal: requesting an authentication image from a code generator (Eisen, paragraph 0182, “When a user accesses a webpage portal (provided by the service provider) [i.e., authentication portal] to conduct a transaction, server 1401 may send a request to authentication system 1403 for a QR code.  The request may contain an identity of the service provider and a session ID.”);
receiving an authentication image (Eisen, paragraph 0181, “The QR code request may be initiated when a new transaction or an authentication session is required or initiated.  For example, when a user 1417 accesses a webpage portal provided by service provider 1415 to conduct a transaction (e.g., a financial transaction), service provider [i.e., authentication portal] may request a QR code from the authentication system 1403.  The authentication may generate a QR code [i.e., code generator] associated with the request after verifying of the service provider's identity.  Service provider may provide the QR code [i.e., receiving authentication image] to the user.  Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”);
(Eisen, paragraph 0182, “Upon determining that the request came from a trusted source/entity, the authentication system 1403 may respond to the request by sending a unique QR code back to the server 1401.  Server 1401 may then include the QR code on the webpage portal so that the code can be displayed to the user.”);
receiving an authentication request from an authentication application in response to the authentication application recognizing the authentication image (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”);
generating an authentication request including a transaction ID that is based on information corresponding to a user, the user device, and the electronic portal, the transaction ID including data that corresponds to an access time, an access location, a user identifier, and a device identifier (Eisen, paragraph 0195, “The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0209, “The stored data may include information such as a transaction ID, data from an authentication read, and/or any additional information from the card.  The transaction ID be a unique identifier that identifies a particular transaction, e.g., TID 1, TID 2, TID 3, etc. As previously described, a transaction may be any time a user has an authentication read performed for the user's card.  The transaction as provided in the historic data may be stored regardless of whether an issue is flagged and/or any transfer of money, goods, or services is permitted to move forward to completion.”; paragraph 0190, “In other embodiments, the QR code analyzer may analyze the collected data packet to identify the user device or the user.”; paragraph 0189, “In some embodiments, the user device identity or user device identifier may be transmitted along with the code or processed information as a data packet to the authentication system 1403.”; paragraph 0062, “The authentication read may also result in obtaining positional information (e.g., orientation, spatial location [i.e., access location], and/or any corresponding movement information) about the card reader and/or user device.”; paragraph 0243, “In some embodiments, when a locator (e.g., URL) is provided, the QR code may be displayed via an interface such as a webpage or any software.  The interface is linked to the server via the locator (e.g., URL) to establish a communication of the user and the server.” --- paragraph 0001 of Applicant’s original disclosure discloses “website or other electronic portal” interpreted to mean a website is a type of electronic portal);
transmitting the authentication request to an authentication service (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”);
(Eisen, paragraph 0251, “The communication between user device and authentication server, authentication server and service provider can be secured using various encryption techniques.  Any combination of server certificates, secure sockets layer (SSL), secured protocol such as TLS (transport layer security) and/or internet protocol (IP) addresses can be used to secure the communications within the network.”; paragraph 0005, “A QR code or a visual graphical barcode may serve as a token with resistance to replay attacks.”; paragraph 0260, “For example, in one embodiment, the magnetic fingerprint data may be used to identify a user, and the individual or combination of the swipe data and positional data can be used to verify the identity.  In another embodiment, user identity can be identified by the QR code, and any combination of the other three factors may be used for verification.  As mentioned previously, the combination of factors to be used for authentication can be determined based on the desired security level set by the service provider, the user or the authentication system.”).
Eisen discloses an authorized user token, but does not explicitly disclose receiving an authorized user token from the authentication application; and, granting access to the authentication portal.
However, in an analogous art, Rathbun discloses receiving an authorized user token from the authentication application (Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”);
(Rathbun, paragraph 0073, “In response to the authentication response, web server 130 may determine that the user is authenticated and/or that the transaction is approved.  In one example, when appropriate, web server 130 may provide/grant user access to a portal (e.g., a web page) that requires the authentication of the user prior to granting the access.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rathbun with the system/method of Eisen to include receiving an authorized user token from the authentication application; and, granting access to the authentication portal.
One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
Regarding claim 18, Eisen and Rathbun disclose the method of claim 17.  Eisen discloses wherein the authentication image comprises a quick response (QR) code (Eisen, paragraph 0181, “Subsequently, the QR code may be scanned by the user and transmitted to the authentication system.  The authentication system may analyze the QR code for identification of the user and/or verification of the service provider.  Additional authentication information may be requested from user as will be described later herein, and once the authentication session is completed, user and service provider may complete the transaction via a direct communication.”).

Claims 2, 3, 10, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Schneider (US20140250518), filed March 29, 2013.


Regarding claim 2, Eisen and Rathbun disclose the system of claim 1. 
Eisen and Rathbun do not explicitly disclose wherein the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern.
However, in an analogous art, Schneider 518 discloses wherein the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider (US20140250518, paragraph 0012, “The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system. “).

One would have been motivated to provide users with the benefits for providing graduated access to a user (Schneider 518: paragraph 0032).
Regarding claim 3, Eisen, Rathbun, and Schneider 518 disclose the system of claim 2.  Schneider 518 discloses wherein the simple passcode comprises a plurality of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system.“).
Regarding claim 10, Eisen and Rathbun disclose the method of claim 9.
Eisen and Rathbun do not explicitly disclose One would have been motivated to provide users with the benefits of meeting a level of authentication to successfully authenticate the user for an authentication request (Rathbun: paragraph 0068).
However, in an analogous art, Schneider 518 discloses wherein at the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system. “).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schneider 518 with the system / method of Eisen and Rathbun to include wherein at the simple passcode comprises at least one of a personal identification number (PIN), biometric identifier, or personal identification pattern.
(Schneider 518: paragraph 0032).
Regarding claim 11, Eisen, Rathbun, and Schneider 518 disclose the method of claim 10.  Schneider 518 discloses wherein the simple passcode comprises a plurality of a personal identification number (PIN), biometric identifier, or personal identification pattern (Schneider 518, paragraph 0012, “”The client device can be any suitable computing device such as a personal computer, a laptop computer, a tablet, a smartphone, an application specific console or the like.  The first authentication factor can be a code such as a numeric code, a multidimensional code, e.g. a quick response code (QR-code), a specific acoustic code or a combination thereof.  It can also be comprised in such a code wherein the code particularly can additionally comprise further information.  The second authentication factor can be a personal identification number (PIN), a biometric identifier such as a fingerprint or a retina scan, a voice identifier or voice message, a combination thereof or the like.  In addition to the first and second authentication factors, further authentication factors can be implemented for increasing security of the method or system“).

Claims 4, 5, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Irwan (10104077), filed October 6, 2017.
Regarding claim 4, Eisen and Rathbun disclose the system of claim 1.
Rathbun discloses to the authentication application (Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information.”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”).
Eisen and Rathbun do not explicitly disclose wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID.
However, in an analogous art, Irwan discloses wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID  (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Irwan with the system / method of Eisen and Rathbun to include wherein the authentication service is further configured to: encrypt the transaction ID; transmit the encrypted transaction ID.
One would have been motivated to provide users with the benefits for improvements in the field of data security and access control regulation (Irwan: col. 1, lines 6-16).
Regarding claim 5, Eisen, Rathbun, and Irwan discloses the system of claim 4.  Irwan discloses wherein the encrypted transaction ID is transmitted with the notification (Irwan, col. 13, line 62, through col. 14, line 10, “Once an application 310 or client device 161 has been authenticated, and an enterprise device 180 has been authenticated, an application 310 or client device 161 may access the enterprise device 180 directly, or access data from the enterprise device 180 that has been stored locally in the security gateway 170.  The data may be stored in a message queue 340, for example.  The data transfer instructions 440 may be message queue processing instructions 330, in an embodiment, or any other instructions that transfer data from the enterprise device 180 to the security gateway 170 for regulated distribution only to users, applications, and/or client devices that are authorized to access the data.”).
Regarding claim 12, Eisen and Rathbun disclose the method of claim 9.
Rathbun discloses to the authentication application (Rathbun, paragraph 0021, “Authentication server 140 may transmit a notification to mobile device 110 to notify the user of mobile device 110 when a new authentication request is added to the queue associated with mobile device 110.”; paragraph 0023, “Authentication server 140 may transmit a message to mobile device 110 for the user to provide the authentication information [i.e., authentication application encompasses to provide the authentication information].”; paragraph 0066, “As shown in FIG. 7, process 700 may include receiving an access request to access a queue of a user (block 710) and providing a list of pending authentication requests in the queue (block 720).  For example, a user may use mobile device 110 to access a customer client via a browser or a dedicated application.  The customer client may prompt the user to use mobile device 110 to enter a non-secret user identifier (e.g., a username) and a secret credential (e.g., a password).  Mobile device 110 may transmit, to authentication server 140, the non-secret user identifier and the secret credential as part of an access request to access a queue of the user.”).
Eisen and Rathbun do not explicitly disclose further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID.
However, in an analogous art, Irwan discloses further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Irwan with the system / method of Eisen and Rathbun to include further comprising: at the authentication service, encrypting the transaction ID and transmitting the encrypted transaction ID.
One would have been motivated to provide users with the benefits for improvements in the field of data security and access control regulation (Irwan: col. 1, lines 6-16).
Regarding claim 13, Eisen, Rathbun, and Irwan disclose the method of claim 12.  Irwan discloses further comprising: transmitting the encrypted transaction ID (Irwan, col. 16, lines 10-31, “At step 530, in response to performing the second authentication service, the method further comprises encrypting and sending the first set of one or more transactions to the second computing device.  In an embodiment, once an application 310 has been authenticated, the security gateway 170 may allow the authenticated application 310 to selectively access the message queue 340 such that only queued timestamp-value pairs corresponding to the application 310 may be selected.  For example, an authenticated AGE application may only be allowed access to one or more transactions from AGE devices.  The application 310 may encrypt the one or more transactions from the AGE device using the PKI model.  For example, the application 310 may encrypt the transaction data using a public key that is accessible to the public and send the encrypted transaction data to the authenticated client device 161.  In an embodiment, the corresponding private key, or decryption key, used to decrypt the transaction data may be sent to the client device 161 or pre-provisioned such that only the client device 161 may decrypt the data.  In an embodiment, the private key or decryption key may be sent to the client device 161 during the authentication process of step 525 or pre-provisioned.”).  Rathbun discloses  with the notification (Rathbun, paragraph 0012, “The authentication server may prompt [i.e., notification] the user to provide authentication information (e.g., a password, a personal identification number (PIN), a onetime passcode, an answer to a challenge question, biometrics information, etc.) required to authenticate the user for the selected authentication request.  The user may use the mobile device to provide the authentication information.  The authentication server may receive the authentication information, and authenticate the user for the selected authentication request based on the authentication information.”).
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Aabaye (US20150220917), filed February 4, 2015.
Regarding claim 6, Eisen and Rathbun disclose the system of claim 1.
Eisen and Rathbun do not explicitly disclose wherein the transaction ID comprises a hash token.
However, in an analogous art, Aabaye discloses wherein the transaction ID comprises a hash token (Aabaye, paragraph 0103, “At step 705, a token certificate is generated using the determined token access restrictions.  The token certificate may include a token identifier (e.g., a hash of the token), and other data defining the use of the token, such as an expiration date, a transaction context identifier, or other access restrictions.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Aabaye with the system / method of Eisen and Rathbun to include wherein the transaction ID comprises a hash token.
One would have been motivated to provide users with the benefits for improvements in efficiency and security in verifying tokens (Aabaye: paragraph 0002).
Regarding claim 14, Eisen and Rathbun disclose the method of claim 9.
Eisen and Rathbun do not explicitly disclose wherein the transaction ID comprises a hash token.
However, in an analogous art, Aabaye discloses wherein the transaction ID comprises a hash token (Aabaye, paragraph 0103, “At step 705, a token certificate is generated using the determined token access restrictions.  The token certificate may include a token identifier (e.g., a hash of the token), and other data defining the use of the token, such as an expiration date, a transaction context identifier, or other access restrictions.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Aabaye with the system / method of Eisen and Rathbun to include wherein the transaction ID comprises a hash token.
(Aabaye: paragraph 0002).

Claims 7, 8, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Shastri (US20170118025), filed October 21, 2016.
Regarding claim 7, Eisen and Rathbun disclose the system of claim 1.
Eisen and Rathbun do not explicitly disclose wherein the authentication portal is further configured to: generate a first authentication image.
However, in an analogous art, Shastri discloses wherein the authentication portal (Shastri, paragraph 0116, authentication portal encompasses access management system 140) is further configured to: generate a first authentication image (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shastri with the system / method of Eisen and Rathbun to include wherein the authentication portal is further configured to: generate a first authentication image.
(Shastri: paragraph 0002).
Regarding claim 8, Eisen, Rathbun, and Shastri disclose the system of claim 7.  Shastri discloses wherein the authentication application is further configured to: scan and recognize the first authentication image generated by the authentication portal (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).
Regarding claim 15, Eisen and Rathbun disclose the method of claim 9.
Eisen and Rathbun disclose at the authentication portal, but do not explicitly disclose further comprising: at the authentication portal, generating a first authentication image.
However, in an analogous art, Shastri discloses further comprising: at the authentication portal, generating a first authentication image (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shastri with the 
One would have been motivated to provide users with the benefits of multi-stage authentication (Shastri: paragraph 0002).
Regarding claim 16, Eisen, Rathbun, and Shastri disclose the method of claim 15.  Shastri discloses further comprising: at the authentication application, scanning and recognizing the first authentication image generated by the authentication portal (Shastri, paragraph 0123, “At step 1914, security data (e.g., a QR code) is generated for enabling password-less authentication since the request is from trusted device or location.  The security data may be generated to include information.  The information may be information specific to the user, such as identifying information about the user.”).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, in view of Rathbun (US20130055362), filed August 22, 2011, and further in view of Schneider 351 (US20130080351),  filed September 23, 2011.
Regarding claim 19, Eisen and Rathbun discloses the method of claim 18.  Eisen discloses further comprising: at the authentication portal: (Eisen, paragraph 0182, “Upon determining that the request came from a trusted source/entity, the authentication system 1403 may respond to the request by sending a unique QR code back to the server 1401.  Server 1401 may then include the QR code on the webpage portal so that the code can be displayed to the user.”).

However, in an analogous art, Schneider 351 discloses generating a promotion detail for a target customer (Schneider 351, paragraph 0125, “For example, at any given time, one or more of the transaction nodes can be designated as active enrollment nodes or sign-up nodes which allow users to enroll in the offering.  For example, there might be a sign-up node for West coast users and a sign-up node for East coast users.  When a sign-up node forms a new block of entries, it sends an advertisement as a "block status" message to the other active sign-up nodes, if any, and to a small randomly selected subset of the other, deactivated (non sign-up) transaction nodes [i.e., target customer].  The reason for sending block status messages to only a small subset (e.g., more generally, a strict subset--less than all) of the deactivated transaction nodes is that, during periods of high sign-up load, there will already be a lot of network traffic from the new users.”);
generating a hash token  (Schneider 351, paragraph 0099, “Further, the code can include a secure token which is generated by the non-home transaction node, e.g., by hashing the user login id, and digitally signing the hash with a key such as a public key of the home transaction network.”; paragraph 0122, “The transaction nodes can also communicate secure tokens with the advertisements and requests for blocks [i.e., promotion request encompasses advertisements and requests for blocks and promotion detail encompasses advertisements], which are used to authenticate the advertisements as coming from a trusted source.”)
(Schneider 351, paragraph 0125, “When a sign-up node forms a new block of entries, it sends an advertisement as a "block status" message to the other active sign-up nodes, if any, and to a small randomly selected subset of the other, deactivated (non sign-up) transaction nodes [i.e., target customer].”);
transmitting a promotion request to the authentication service (Schneider 351, paragraph 0099, “Further, the code can include a secure token which is generated by the non-home transaction node, e.g., by hashing the user login id, and digitally signing the hash with a key such as a public key of the home transaction network.”; paragraph 0122, “The transaction nodes can also communicate secure tokens with the advertisements and requests for blocks [i.e., promotion request encompasses advertisements and requests for blocks and promotion detail encompasses advertisements], which are used to authenticate the advertisements as coming from a trusted source.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Schneider 351 with the method of Eisen and Rathbun including generating a promotion detail for a target customer; generating a hash token for the target customer; transmitting a promotion request to an authentication the authentication service.
One would have been motivated to provide users with the benefits of allowing users to participate in offering of shares of a stock (Schneider 351: paragraph 0003).


Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Eisen (US20170262845), filed March 29, 2017, Rathbun (US20130055362), filed August 22, 2011, and Schneider 351 (US20130080351),  filed September 23, 2011, and further in view of Purves (US20130346302), filed June 20, 2013.
Regarding claim 20, Eisen, Rathbun, and Schneider 351 disclose the method of claim 19.
Eisen, Rathbun, and Schneider 351 do not explicitly disclose wherein the promotion request comprises the hash token and a promotional message.
However, in an analogous art, Purves discloses wherein the promotion request comprises the hash token and a promotional message (Purves, paragraph 0440, “In one implementation, the merchant server may use the user sign as a trigger to request current user information from the wallet server.  The merchant server may generate and send a user information request message 20926 to the wallet server.  The user information request message [i.e., promotional message] 20926 may include, without limitation, the customer ID that is unique to the customer and the merchant relationship, a token [i.e., token], an API key, a digital certificate, and/or the like.  In one implementation, the token may be generated using one or more parameters such as the merchant's API key, customer ID, merchant ID, merchant name, customer name, and/or the like.  In a further implementation, the token may be encrypted.  In one implementation, the token may be a string that is created by the MD5 Message Digest algorithm hash of one or more of the parameters listed above.  In one implementation, the merchant server may utilize callbacks via APIs, inline widgets, etc., to pull user information from the wallet.  For example, the merchant server may call the getPayment API to obtain payment method details such as card nicknames, brand, last 4 digits, etc. An exemplary GET request method for making the call is provided below.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Purves with the method of Eisen, Rathbun, and Schneider 351 including wherein the promotion request comprises the hash token and a promotional message.
One would have been motivated to provide users with the benefits of remote portal bill payment platforms (Purves: paragraph 0004).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.J.M/Examiner, Art Unit 2439



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439