DETAILED ACTION


Acknowledgments

The present application is being examined under the AIA  first inventor to file invent provisions. 
This Office Action is in response to the arguments and amendments received on 05/25/2021.
Claims 1, 14, and 19 have been amended.
Claims 1, 4-10, 12-14, 17-19, and 22-24 are currently pending and have been examined.


Response to Arguments

Applicant’s arguments, filed 05/25/2021, with respect to the rejection(s) of claim(s) 1, 4-10, 12-14, 17-19, and 22-24 under 35 USC §103 and 35 USC §102(a)(2) have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.  Further, the Applicant asserts that the previously relied upon prior art fails to disclose “enables users to access secure web-based resources on a network from a first device (e.g. a laptop or desktop computer) by an authenticated second device (e.g. a mobile phone).”  The Examiner notes that the claims do not require access to a web-based resource.  The claims only require access to another device, not a web-based resource.  The amendments received on 05/25/2021 attempt to make clear that the resource being accessed is one “on the network that the first user device wants to access” however, this can still be interpreted as accessing hardware on a shared network rather than using hardware to access a web-based resource.  However, in light of the explanation and amendments an additional citation is provided that teaches accessing a web-based resource, as intended.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 7-10, 12-14, 18, 19, and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley (US 2016/0094550), in view of Bhimanaik (US 8,627,438).
Claims 1, 14, 19:
Bradley discloses:
receiving, at a computing device over a network, an access request from a first user device, the access request identifying a secure resource (receiving a request to access the accessory device 24 at the controller device 11, see figure 3, [0059]) on the network that the first user device wants to access;

identifying, via the computing device, in response to receiving the access request from the first user device (access request, see [0059]), device information of a second user device associated with the user, said second device information comprising an identifier for communicating with said second user device (authentication between the first and second user devices permitting access to the second device via authentication at the first device, see figure 3, [0045, 0046]), the second user device being a previously registered device of the user (device 11 previously authorized with device 24, see figure 3, [0059]);
communicating, via the computing device, a message to said second user device based on said identifier, said message prompting the second user device to authenticate the user (transmitting the above authentication via message between the devices, see [0047]);
receiving, via the computing device over the network, an outcome determination of the authentication of the user from said user second device, said outcome determination indicating whether the user is granted access to the second user device (granting access after authentication by secondary device, see [0046]; denying of access after a failed authentication is discussed in [0004]); and
communicating to the first user device, via the computing device, a response to the access request based on the received outcome determination, said response enabling the first user device access to the secure resource on the network when said outcome determination indicates that the user is authenticated on to the second user device (access provided to the laptop after authentication via the mobile device, see figure 3, [0045, 0046]).
Bradley discloses the receipt of an access request from a first user device attempting to access a secure resource as cited above.  Bradley does not explicitly disclose that the secure resource is a web-based resource, or in the language of the claim, “a secure resource on the network that the first user device wants to access.”
However, Bhimanaik teaches: “a secure resource on the network that the first user device wants to access (access an online resource (705) by receiving an approval request from a secondary device authentication process thereby granting access on the first device, see figure 7 and col 14 Lines 50-67; Col 15 Line 15-60)
It would have been obvious to one having ordinary skill in the art at the time the invention was made to combine the biometric device pairing system of Bradley with the passwordless strong authentication using trusted devices system of Bhimanaik because a need exists to authenticate users of multiple devices and allow them to gain access to a second device by authenticating on a first device (see Bradley [0002]) and a need exists for a less cumbersome method of authenticating into web-based resources via the use of known trusted devices (see Bhimanaik Col 1 Lines 20-54).  By combining the hardware based authentication system of Bradley with the web-based access provided for by Bhimanaik a less cumbersome system (fewer passwords to remember etc) system of authentication is created.
Claims 7, 18.    
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said authentication is based on at least one of a PIN and biometric information (PIN or biometric, see [0025]).
Claim 8.    
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said message communicated to the second user device is a push message (transmit a request from the laptop to the authentication device; it is noted that the transmission of the message rather than the device poling for a message is interpreted as a push message, see [0059]).
Claim 9.    
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said message communicated to the second user device is an encrypted message (the communication network is encrypted, see [0029]; message encryption, such as the message to unlock the desired device, laptop, is also encrypted, see [0073]).
Claim 10.
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said second device is a personal mobile device of the user (user device is a smartphone, see [0046]).
Claim 12.    
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said access request comprises an identifier associated with the user (matching the identity of the user via biometrics; i.e. the identifier is the biometric data (or PIN in other embodiments), see [0039]).
Claim 13.    
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said access request comprises an indication from the user related to controlling security information set up by the user related to accessing the secure resource, wherein said response enables the user to control said security information (the user input to generate the authentication is biometric, however, if the user wishes to not provide such data,  the user may provide a PIN as an alternative, ensuring the user maintains control over their secure identification data, see [0025]).
Claims 22, 23, 24: 	
The combination of Bradley and Bhimanaik discloses each element of claim 1 above; Bradley further discloses:
wherein said response comprises an error message when said outcome determination indicates that said authentication is insufficient to permit access to the second user device (a message to stating the success or failure of the authentication process, see [0073]).


Claims 4-6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bradley (US 2016/0094550), in view of Bhimanaik (US 8,627,438) and Johansson (US 9,264,419).
Claims 4, 17:    
The combination of Bradley and Bhimanaik does not explicitly disclose:
determining that an application is installed on the second user device to receive the message and display said message prompt.
Johansson  teaches:
determining that an application is installed on the second user device to receive the message and display said message prompt (authentication manager application, see C4 L42-54).
It would have been obvious to one of ordinary skill in the art to combine the system and method for biometric device pairing of Bradley and the passwordless strong authentication using trusted devices system of Bhimanaik with the two factor authentication with authentication objects of Johansson because 1) a need exists for a more secure and convenient means of providing secure authentication of user identities across devices (see Bradley [0002, 0003]); 2) a need exists for a less cumbersome method of authenticating into web-based resources via the use of known trusted devices (see Bhimanaik Col 1 Lines 20-54); and 3) a need exists for providing additional mechanisms of authentication to improve device security (see Johansson [Col 1 Lines25-45]). By combining the hardware based authentication system of Bradley with the web-based access provided for by Bhimanaik and the dedicated authentication application running on the user’s device of Johansson a less cumbersome system (fewer passwords to remember etc) system of authentication is created
 Claim 5.    
The combination of Bradley and Bhimanaik does not explicitly disclose:
wherein said application is a dedicated application configured to receive said message, display said prompt and determine said outcome determination 
Johansson  teaches:
wherein said application is a dedicated application configured to receive said message, display said prompt and determine said outcome determination (authentication manager application, see C4 L42-54, result notification, see C8 L1-15).
It would have been obvious to one of ordinary skill in the art to combine the system and method for biometric device pairing of Bradley and the passwordless strong authentication using trusted devices system of Bhimanaik with the two factor authentication with authentication objects of Johansson because 1) a need exists for a more secure and convenient means of providing secure authentication of user identities across devices (see Bradley [0002, 0003]); 2) a need exists for a less cumbersome method of authenticating into web-based resources via the use of known trusted devices (see Bhimanaik Col 1 Lines 20-54); and 3) a need exists for providing additional mechanisms of authentication to improve device security (see Johansson [Col 1 Lines25-45]). By combining the hardware based authentication system of Bradley with the web-based access provided for by Bhimanaik and the dedicated authentication application running on the user’s device of Johansson a less cumbersome system (fewer passwords to remember etc) system of authentication is created
Claim 6.    
The combination of Bradley and Bhimanaik does not explicitly disclose:
wherein said application is associated with the resource and is configured to receive said message, display said prompt and determine said outcome determination
Johansson  teaches:
wherein said application is associated with the resource and is configured to receive said message, display said prompt and determine said outcome determination (authentication manager application, see C4 L42-54, result notification, see C8 L1-15).

It would have been obvious to one of ordinary skill in the art to combine the system and method for biometric device pairing of Bradley and the passwordless strong authentication using trusted devices system of Bhimanaik with the two factor authentication with authentication objects of Johansson because 1) a need exists for a more secure and convenient means of providing secure authentication of user identities across devices (see Bradley [0002, 0003]); 2) a need exists for a less cumbersome method of authenticating into web-based resources via the use of known trusted devices (see Bhimanaik Col 1 Lines 20-54); and 3) a need exists for providing additional mechanisms of authentication to improve device security (see Johansson [Col 1 Lines25-45]). By combining the hardware based authentication system of Bradley with the web-based access provided for by Bhimanaik and the dedicated authentication application running on the user’s device of Johansson a less cumbersome system (fewer passwords to remember etc) system of authentication is created


CONCLUSION

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
The following references are cited to further show the state of the art with respect to multi-factor authentication.
U.S. Pub No. 2018/0270226 to Agrawal disclosing secure transfer of user information between devices based on user credentials.
U.S. Pub No. 2018/0268402 to Agrawal disclosing dynamically passing authentication information across devices.
U.S. Pub No. 2018/0115897 to Einberg disclosing wearable discover for authentication.
U.S. Pub No. 2014/0214673 to Baca disclosing a method for authentication using biometric data for mobile device e-commerce transactions.
U.S. Patent No. 9,614,829 to Molina disclosing deauthentication in a multi-device environment.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Michael J Cross whose telephone number is (571)270-7549.  The examiner can normally be reached on 9am - 5pm Monday - Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hajime Rojas can be reached on 571-270-5491.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/M.J.C/Examiner, Art Unit 3681                                                                                                                                                                                                        

/HAJIME ROJAS/Supervisory Patent Examiner, Art Unit 3681