DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, 16/681,608, filed 11/12/2019 claims priority from US Provisional Application 62/760,795, filed 11/13/2018.
The effective filing date is after the AIA  date of March 16, 2013, and so the application is being examined under the “first inventor to file” provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Status of the Application
This Non-Final Office Action is in response to Applicant’s communication of March 18, 2020.
Claims 1-18 are pending, of which claims 1, 8, and 13 are independent.
All pending claims have been examined on the merits.  

Information Disclosure Statement
The Information Disclosure Statement (IDS) submitted on March 18, 2020 has been considered. 

Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
It is noted that in the following rejections, numerous claim limitations are written as alternative limitations; to anticipate or render obvious such limitations, only one of the alternative limitations need be disclosed or taught by the cited reference.  (See MPEP §§ 2173.05(h), 2111 et seq.) 
Claims 1-4, 7-10, and 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2014/0372128 A1 to Sheets et al. (“Sheets”.  Eff. Filed on Jun. 17, 2013.  Published on Dec. 18, 2014) in view of US 2018/0234464 A1 to Sim et al. (“Sim”.  Filed on Feb. 15, 2007.  Published on Aug. 16, 2018). 
In regards to claim 1, Sheets teaches: 
1. A computer-implemented method for use in facilitating voice authentication of a user in connection with a network transaction, the method comprising:

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

receiving, at a computing device, an authentication request for a transaction, initiated at a voice interactive device, 

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be in electronic communication with the access device 120. The communication device 110 can be a personal digital assistant (PDA), a smart phone, tablet computer, notebook computer, or the like, that can execute and/or support payment transactions with a payment system 100. A communication device 110 can be used in conjunction with a payment device, such as a credit card, debit card, charge card, gift card, or other payment device and/or any combination thereof. The combination of a payment device (e.g., credit card) and the communication device 110 (e.g., smart phone) can be referred to as the communication device 110 for illustrative purposes. In some embodiments, the communication device 110 may be used in conjunction with transactions of currency or points (e.g., points accumulated in a particular software application). In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

from a merchant plug-in (MPI) associated with a merchant involved in the transaction, 

(See Sheets, para. [0039]: “The access device 120 may be configured to be in electronic communication with the acquirer 130 via a merchant 125. In one embodiment, the access device 120 may be a point-of-service (POS) device. Alternatively, the access device 120 can be any suitable device configured to process payment transactions such as credit card or debit card transactions, or electronic settlement transactions, and may have optical, electrical, or magnetic readers for reading data from portable electronic communication devices such as smart cards, keychain device, cell phones, payment cards, security cards, access cards, and the like. In some embodiments, the access device 120 may be located at and controlled by a merchant. For example, the access device 120 can be a POS device at a grocery store checkout line. In some embodiments, the access device 120 can be a client computer or a mobile phone in the event that the user is conducting a remote transaction.”)

the authentication request including a pre-authentication indicator based on voice authentication of a user by the voice interactive device or by a voice authentication service;

(See Sheets, para. [0041]: “Furthermore, the payment processing network 140 can receive a voice sample by the user (e.g., from the payment device 110, access device 120, or acquirer 130) to determine a risk factor associated with a transaction, as further described below.”)

generating, by the computing device, a risk score for the transaction based at least in part on the pre-authentication indicator;

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See Sheets, para. [0089]: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user. In this example, the risk score may be on a scale from 0-100, with 100 being the highest (most risk). The match scores may decrease over time as the user authenticates with the authentication system more and becomes more “trusted” over time.”)

However, under a conservative interpretation of Sheets, it could be argued that Sheets does not explicitly teach the italicized portions below, but is taught in Sim:
transmitting, by the computing device, the risk score with the authentication request for the transaction to an access controller server (ACS) associated with an issuer of an account to which the transaction is directed; and

An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

In regards to “access controller server (ACS) associated with an issuer of an account to which the transaction is directed”, the Examiner interprets that whether Sim’s “authentication module or logic 132” is operated by the “issuer of an account to which the transaction is directed”, or by a contractor hired by the issuer, is a matter of intended use.

returning, by the computing device, a result response to the MPI, wherein the result response indicates permission to proceed in the transaction based on authentication of the user.

(See Sim, para. [0030]: “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation. The authentication broker 100 may have a risk engine 130 that computes risk score or probabilities for risks such as general authentication risk (confidence of an approved authentication), or specific types of authentication risks, such as the risk of leaking sensitive information to an unsecured device, based on information related to an authentication request. Risk scores can be incorporated into the authentication making decision. For additional details on risk assessment modeling, see U.S. Pat. No. 9,396,332. For example, if adaptive authentication is desired, different ranges of general risk scores may control how many authentication factors and/or which authentication factors need to be satisfied. Higher risk scores might lead to increasing numbers or types of authentication factors.”)

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because 

In regards to claim 2: 
2. The computer-implemented method of claim 1, wherein the pre-authentication indicator includes a key signed by the voice interactive device or the voice authentication service; and
wherein the method further comprises validating the signed key prior to transmitting the risk score to the ACS.

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See also Sim, para. [0025]: “At step B, assuming that the authentication broker 100 authenticated the identity of the end user, then the authentication broker 100 issues an authentication credential such as a token 110. Note that there may be intermediate steps such as validating the client/application (perhaps verifying possession of a pre-registered secret key), exchanging an authorization code used to issue the token 110, etc.”)

In regards to claim 3: 
3. The computer-implemented method of claim 1, wherein the pre-authentication indicator includes a score; and
wherein generating the risk score includes generating the risk score based on the score associated with the pre-authentication indicator.

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See Sheets, para. [0089]: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user. In this example, the risk score may be on a scale from 0-100, with 100 being the highest (most risk). The match scores may decrease over time as the user authenticates with the authentication system more and becomes more “trusted” over time.”)

In regards to claim 4: 
4. The computer-implemented method of claim 1, wherein the authentication request further includes additional information indicative of the voice interactive device; and
wherein generating the risk score includes generating the risk score based further on the additional information.

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

In regards to claim 7: 
7. The computer-implemented method of claim 1, further comprising:
forwarding an authorization request for the transaction to the issuer of the account, after receiving the authorization request for the transaction from an acquirer associated with the merchant; and
forwarding an authorization reply for the transaction, received from the acquirer, to the issuer.

(See Sheets, para. [0041]: “In some embodiments, the payment processing network 140 is VisaNet™, where Visa internal processing (VIP) performs the various payment processing network 140 or multi-lateral switch functions described herein. The payment processing network 140 can include an authorization and settlement server (not shown). The authorization and settlement server (“authorization server”) performs payment authorization functions. The authorization server is further configured to send and receive authorization data to the issuer 150. Furthermore, the payment processing network 140 can receive a voice sample by the user (e.g., from the payment device 110, access device 120, or acquirer 130) to determine a risk factor associated with a transaction, as further described below.”)

In regards to independent claim 8. 
8. A computer-implemented method for use in facilitating voice authentication of a user in connection with a network transaction, the method comprising:

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

receiving, at a directory server computing device, an authentication request for a transaction, initiated at a voice interactive device, 

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be in electronic communication with the access device 120. The communication device 110 can be a personal digital assistant (PDA), a smart phone, tablet computer, notebook computer, or the like, that can execute and/or support payment transactions with a payment system 100. A communication device 110 can be used in conjunction with a payment device, such as a credit card, debit card, charge card, gift In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

from a merchant plug-in (MPI) associated with a merchant involved in the transaction, 

(See Sheets, para. [0039]: “The access device 120 may be configured to be in electronic communication with the acquirer 130 via a merchant 125. In one embodiment, the access device 120 may be a point-of-service (POS) device. Alternatively, the access device 120 can be any suitable device configured to process payment transactions such as credit card or debit card transactions, or electronic settlement transactions, and may have optical, electrical, or magnetic readers for reading data from portable electronic communication devices such as smart cards, keychain device, cell phones, payment cards, security cards, access cards, and the like. In some embodiments, the access device 120 may be located at and controlled by a merchant. For example, the access device 120 can be a POS device at a grocery store checkout line. In some embodiments, the access device 120 can be a client computer or a mobile phone in the event that the user is conducting a remote transaction.”)

the authentication request including a pre-authentication indicator based on voice authentication of a user by the voice interactive device or by a voice authentication service;

(See Sheets, para. [0041]: “Furthermore, the payment processing network 140 can receive a voice sample by the user (e.g., from the payment device 110, access device 120, or acquirer 130) to determine a risk factor associated with a transaction, as further described below.”)

generating, by the directory server computing device, a risk score for the transaction based at least in part on the pre-authentication indicator;

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See Sheets, para. [0089]: “The risk score attribute of the voice model 520 indicates a risk score associated with the particular authentication request by the user. In this example, the risk score may be on a scale from 0-100, with 100 being the highest (most risk). The match scores may decrease over time as the user authenticates with the authentication system more and becomes more “trusted” over time.”)

Sheets, it could be argued that Sheets does not explicitly teach the italicized portions below, but is taught in Sim:

determining, by the directory server computing device, whether to permit the transaction based on the generated risk score, without interacting with an access controller server (ACS) associated with an issuer of an account involved in the transaction; and

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

In regards to “access controller server (ACS) associated with an issuer of an account to which the transaction is directed”, the Examiner interprets that whether Sim’s “authentication module or logic 132” is operated by the “issuer of an account to which the transaction is directed”, or by a contractor hired by the issuer, is a matter of intended use.

returning, by the directory server computing device, a result response to the MPI, wherein the result response indicates a permission to proceed in the transaction.

(See Sim, para. [0030]: “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation. The authentication broker 100 may have a risk engine 130 that computes risk score or probabilities for risks such as general authentication risk (confidence of an approved authentication), or specific types of authentication risks, such as the risk of leaking sensitive information to an unsecured device, based on information related to an authentication request. Risk scores can be incorporated into the authentication making decision. For additional details on risk assessment modeling, see U.S. Pat. No. 9,396,332. For example, if adaptive authentication is desired, different ranges of general risk scores may control how many authentication factors and/or which authentication factors need to be satisfied. Higher risk scores might lead to increasing numbers or types of authentication factors.”)

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation.” (See Sim, para. [0030]).  
In regards to claim 9: 
9. The computer-implemented method of claim 8, further comprising 
validating an authentication key included in the pre-authentication indicator prior to generating the risk score; and wherein generating the risk score is based on whether the authentication key is validated or not.

(See Sheets, para. [0033]: “A “voice model,” as described herein, can be a model of the user's voice constructed from prior voice samples received from the user. The voice model can be used to determine a risk factor associated with a user. The voice model may contain information about current and prior user authentications with a verification system. For example, the voice model may contain the time, location, voice data, and match score associated with each particular voice authentication with the verification system by the user. The combination of information within the voice model about prior authentications may be used to determine the risk factor associated with the user.”)

(See also Sim, para. [0025]: “At step B, assuming that the authentication broker 100 authenticated the identity of the end user, then the authentication broker 100 issues an authentication credential such as a token 110. Note that there may be intermediate steps such as validating the client/application (perhaps verifying possession of a pre-registered secret key), exchanging an authorization code used to issue the token 110, etc.”)

The motivation to combine the two references is provided in the independent claims.

In regards to claim 10: 
10. The computer-implemented method of claim 9, further comprising 
generating an authentication code for the transaction; and 
wherein the result response included the authentication code.

(See Sheets, para. [0026]: “An “authorization response message” may be an electronic message reply to an authorization request message. An authorization response message can be generated by an issuing financial institution or a payment processing network. The authorization response message may include, by way of example only, one or more of the following status indicators: Approval—transaction was approved; Decline—transaction was not approved; or Call Center—response pending more information, merchant must call the toll-free authorization phone number. The authorization response message may also include an authorization code, which may be a code that a issuer bank returns in response to an authorization request message in an electronic message (either directly or through the payment processing network) to the merchant's access device (e.g. POS equipment) that indicates approval of the transaction. The code may serve as proof of authorization. As noted above, in some 


In regards to claim 13: 
13. A computer-implemented method for use in facilitating authentication of a user in connection with a network transaction by the user at a third party, the method comprising:
capturing, by a voice interactive device, a voice command for a transaction from a user, the voice command directed to a third party;

(See Sheets, para. [0038]: “In some embodiments, the communication device 110 may be a wireless device, a contactless device, a magnetic device, or other type of payment device. In some embodiments, the communication device 110 includes software (e.g., application) and/or hardware to perform the various payment transactions and capture user voice data as further described below.”)

determining content of the voice command;

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

authenticating the user based on the captured voice command and a voice biometric reference associated with an identifier for at least one of the user and/or the voice interactive device; and

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)

However, under a conservative interpretation of Sheets, it could be argued that Sheets does not explicitly teach the italicized portions below, but is taught in Sim:
transmitting, by the voice interactive device, a purchase request for the transaction to the third party, the purchase request including an indication of biometric authentication for the user,

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with an authentication attempt. The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

In regards to “access controller server (ACS) associated with an issuer of an account to which the transaction is directed”, the Examiner interprets that whether Sim’s “authentication module or logic 132” is operated by the “issuer of an account to which the transaction is directed”, or by a contractor hired by the issuer, is a matter of intended use.

whereby the third party is permitted to initiate an enhanced authentication of the user in connection with the transaction.

(See Sim, para. [0030]: “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation. The authentication broker 100 may have a risk engine 130 that computes risk score or probabilities for risks such as general authentication risk (confidence of an approved authentication), or specific types of authentication risks, such as the risk of leaking sensitive information to an unsecured device, based on information related to an authentication request. Risk scores can be incorporated into the authentication making decision. For additional details on risk assessment modeling, see U.S. Pat. No. 9,396,332. For example, if adaptive authentication is desired, different ranges of general risk scores may control how many authentication factors and/or which authentication factors need to be satisfied. Higher risk scores might lead to increasing numbers or types of authentication factors.”)

(See Sim, para. [0033]: “An authentication module or logic 132 may coordinate and control how a subject is authenticated. The authentication logic 132 uses factor validation modules 128 to validate factors presented for authentication against stored factors. A biometric factor validation module, for instance, may be configured to compare stored biometric factors (fingerprints, retina scans, typing features, voice data, etc.) in the biometrics factors 124 with biometric factors sensed in conjunction with The authentication logic 126 may also receive risk scores and risk evaluation data from the risk engine 130. As mentioned, in some embodiments, risk data can inform both how an authentication is performed and whether an authentication should be granted. In some cases, an authentication factor may be found invalid and yet, based on a sufficiently low risk score, authentication may be confirmed.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for voice authenticated for a transaction that uses risk scores, as taught by Sheets above, with authorizing a transaction based on authentication of the user (that uses voice matching and risk score), as further taught by Sim above, because “Authentication factors are just one type of information potentially used in some authentication procedures. Authentication may also involve risk evaluation.” (See Sim, para. [0030]).  

In regards to claim 14: 
14. The computer-implemented method of claim 13, wherein determining the content of the voice command includes:
transmitting the voice command to a voice recognition service; and
receiving the content from the voice recognition service.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)


In regards to claim 15: 
15. The computer-implemented method of claim 13, wherein authenticating the user includes comparing, by the voice interactive device, the captured voice command and the voice biometric reference, wherein the voice biometric reference is stored in a trusted execution environment or a secure element of a memory included in said voice interactive device.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)


In regards to claim 16: 
16. The computer-implemented method of claim 13, wherein authenticating the user includes authenticating the user via a network-based authentication service associated with the voice interactive device, based on a voice biometric reference stored in association with the network-based authentication service.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for 

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)


In regards to claim 17: 
17. The computer-implemented method of claim 13, wherein authenticating the user includes:
transmitting the voice command to an authentication service associated with the voice interactive device, whereby the authentication service compares the voice command to a voice biometric reference identified to the user; and
receiving an authentication result for the voice command and the user.

(See Sheets, para. [0058]: “Voice data capture module 272 is configured to capture voice data, via input device 240, from a user for voice authentication purposes. In some embodiments, voice data capture module 272 may capture voice data by the user for purposes of initially registering a user for the first time for subsequent voice authentication. In some embodiments, voice data capture module 272 may capture voice data, via input device 240, for purposes of authenticating a user in order to complete a transaction. For example, communication device 110 may request a user to register or authenticate his/her voice data by displaying a prompt, on display 230, to repeat (by speaking into the microphone) a specific prompt. In some embodiments, the prompt can also be outputted on speaker 250. Upon capturing the user's voice data via the microphone, the voice data corresponding to the prompted prompt may be transmitted to a server computer via voice data transmission module 274 for purposes of storing the voice data for future user authentication or for authenticating the user based on a stored voice model, described below. In some embodiments, the captured voice data can be digitized.”)

(See Sheets, para. [0064]: “The voice database 350 is configured to store voice model(s) of users. The voice model(s) of the users may be constructed from one or more prior voice samples received from the corresponding user. As subsequent voice samples are received from the user, the voice model may improve over time and the voice model data may more accurately represent the user's voice. The voice model(s) may also include attributes such as, but not limited to, time of the authentication/payment transaction, the user or payment cardholder's name, the voice data associated with the payment transaction, the outcome of payment cardholder verification/authentication, and a match score for the audio data. These attributes of the payment user's fraud profile are described in detail in FIG. 6.”)


Claims 5, 6, 11, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sheets in view of Sim, as applied to independent claims 1, 8, and 13 above, and further in view of US 2020/0044851 to Everson et al. (“Everson”.  Filed Jul. 31, 2018.  Published Feb. 6, 2020). 
In regards to claim 5: 
However, under a conservative interpretation of Sheets in view of Sim, it could be argued that Sheets in view of Sim does not explicitly teach the italicized portions below, which are taught by Everson:
5. The computer-implemented method of claim 4, wherein the additional information includes a device type associated with the voice interactive device.

(See Everson, para. [0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”)

The Examiner interprets that “device type” comprises “security level” of the device channel.

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  
In regards to claim 6: 
However, under a conservative interpretation of Sheets in view of Sim, it could be argued that Sheets in view of Sim does not explicitly teach the italicized portions below, which are taught by Everson:
6. The computer-implemented method of claim 1, wherein the voice interactive device includes a smart speaker.

(See Everson, para. [0039]: “According to another example, if the request is made at a terminal or during an in-person interaction, the system may request verification, such as a fingerprint, biometric, facial recognition, etc. In this example, the customer authentication may be provided via a terminal, PoS, ATM device, teller station, kiosk, etc. If the customer is at home or near a verified smart device, the customer may be requested to provide verification via the smart device. For example, a customer may be at home near a voice initiated assistant. In this scenario, the customer's voice may be used for authentication. In addition, the system may convey a OTP through the voice initiated assistant. The voice initiated assistant may voice the OTP or communicate the OTP via near field or other proximity based communication. Other smart devices, such as speakers, home security keypad, home security camera, appliance and/or other interactive devices and panels may be used as a communication channel.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  
Claim 11 is rejected on the same grounds as claim 6. 
In regards to claim 12: 
However, under a conservative interpretation of Sheets in view of Sim, it could be argued that Sheets in view of Sim does not explicitly teach the italicized portions below, which are taught by Everson:
12. The computer-implemented method of claim 8, wherein the authentication request includes information indicative of a type of the voice interactive device; and
wherein generating the risk score includes generating the risk score based on the type of the voice interactive device.

(See Everson, para. [0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”)

The Examiner interprets that “device type” comprises “security level” of the device channel.

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a  above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system may apply a different and more secure channel, such as an in-app communication or a call center where the requesting customer's voice or other biometric may be authenticated.”  

In regards to claim 18, it is rejected on the same grounds as claims 6 and 11. 
However, under a conservative interpretation of Sheets in view of Sim, it could be argued that Sheets in view of Sim does not explicitly teach the italicized portions below, which are taught by Everson:
18. The computer-implemented method of claim 13, wherein the voice interactive device includes one of a smart speaker and a vehicle.

(See Everson, para. [0039]: “According to another example, if the request is made at a terminal or during an in-person interaction, the system may request verification, such as a fingerprint, biometric, facial recognition, etc. In this example, the customer authentication may be provided via a terminal, PoS, ATM device, teller station, kiosk, etc. If the customer is at home or near a verified smart device, the customer may be requested to provide verification via the smart device. For example, a customer may be at home near a voice initiated assistant. In this scenario, the customer's voice may be used for authentication. In addition, the system may convey a OTP through the voice initiated assistant. The voice initiated assistant may voice the OTP or communicate the OTP via near field or other proximity based communication. Other smart devices, such as speakers, home security keypad, home security camera, appliance and/or other interactive devices and panels may be used as a communication channel.”)

It would have been obvious to a person having ordinary skill in the art (PHOSITA), at the effective filing date of the Application, to include in the method for facilitating voice authentication of a user in connection with a transaction, as taught by Sheets in view of Sim above, with use of a voice interactive device including a speak, as further taught by Everson in para. [0039] above, because the references are all directed to the same art of voice authentication using a risk score, as shown in Everson’s para. [0038]: “[0038] At step 218, based on the risk score, an optimal or appropriate channel may be identified. If the risk score indicates a low risk, a default communication may be used, such as an email communication. If the risk score indicates a high risk, specifically for the email account, the system   

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
See US 2009/0089869 A1 to Varghese.  

See para. [0062]: “If a request is to be further processed, a further action is the selection of graphical (or other) authentication user interfaces for authenticating a newly arrived user or an existing user making a request that needs particular authentication. In an embodiment, authentication interface selection criteria is determined in accordance with an evaluated risk scores and any risk alerts. The selection criteria are then used to select an authentication interface having a security level that is commensurate the identified risk of fraud. In some embodiments, the risk information can also be provided to a service provider application/system, which can then perform, for example, more thorough checking of authentication data or request the authentication services of the present invention to re -authenticate the user or request. This can involve, for example, seeking responses to detailed authentication questions, obtaining biometric identification information (e.g., fingerprints, retinal scans, etc.), obtaining voice prints, and/or the like.”

Applicants are invited to contact the Office to schedule an in-person interview to discuss and resolve the issues set forth in this Office Action.  Although an interview is not required, the Office believes that an interview can be of use to resolve any issues related to a patent application in an efficient and prompt manner. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
Any inquiry concerning this communication or earlier communications should be directed to Examiner Ayal Sharon, whose telephone number is (571) 272-5614, and fax number is (571) 273-1794.  The Examiner can normally be reached from Monday to Friday between 9 AM and 6 PM.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on (571) 270-3602.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.  
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available 

Sincerely,

/Ayal I. Sharon/
Examiner, Art Unit 3695

September 11, 2021