Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions.
DETAILED ACTION
This Office Action is in response to the application 16/989,716 filed on 08/10/2020 and a preliminary amendment filed on 10/14/2020.
Claims 21-42 have been examined and are pending in this application.
Priority
This application is a continuation of U.S. Patent Application No. 16/379,558 (Now U.S. patent No. 10,785,215) filed on 04/09/2019 which is a continuation of U.S. Patent Application No. 15/015,592 (Now U.S. patent No. 10,284,549) filed on 02/04/2016 which is a continuation of U.S. Patent Application No. 14/330,025 (Now U.S. patent No. 9,325,702) filed on 07/14/2014 which is a continuation of U.S. Patent Application No. 13/011,739 (Now U.S. patent No. 8,806,592) filed on 01/21/2011, which is a continuation of U.S. Patent Application No. 13/011,587 (Now U.S. patent No. 8,789,153) filed on 01/21/2011which claims priority from provisional Application No. 61/298,551 filed on 01/27/ 2010. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 


Claims 32-42 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claim 32, the claim calls for a system; as recited in the body of the claim, the claimed system comprising: “a network site.” As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter.  The nominal recitation of the machine/device in the preamble with an absence of a hardware element in the body of the claim fails to make the claim statutory under 35 USC 101.  See Am. Med. Sys., Inc v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010).  See also Ex parte Cohen et al., (Appeal No. 2009-011366) for details.  The Examiner respectfully suggests that the claim be further amended to positively recites at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.
Regarding claims 33-42; claims 33-42 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reason. 
Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the 
Claims 21-30 and 32-41 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Cristopher Hockings hereinafter Christopher (Two-Factor Authentication Using Tivoli Access Manager WebSEAL), in view of Axel Buecker hereinafter Axel (Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0) and further in view of Mennes (US 2009/0235339).
Regarding claim 21, Christopher discloses a method comprising: 
receiving, by a network site (WebSEAL), an indication that a transaction has been initiated at a network device  (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); pages 4 and 5; Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called); 
transmitting, by the network site, details capable of being received by a security server (Christopher: page 7; Fig.3 (WebSEAL and external Authentication Server). Christopher teaches that WebSEAL determines if the user needs to be authenticated, sends login form and user input (contact number and a sequence number according to the user ID)); 
(Christopher: page 7; Fig.3 (WebSEAL and external Authentication Server). Christopher teaches that generates the random one-time-pass-code with the sequence number and the shared secret PIN); and 
transmitting, by the network site, an approval responsive to detecting a match between the first one-time password and a value entered at the network device that corresponds to a second one-time password (Christopher: pages 7 and 8; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); Christopher teaches that User keys in the one-time pass-code (upon received from the mobile device) and sends the form to WebSEAL pkmslogin.form again.  CDAS compare the random one-time pass-code with the one that user input and if matched then authenticate users).  
Christopher discloses the one-time-password is generated and transmitted for approval. However, Christopher does not explicitly disclose CDAS is part of the WebSEAL (network site) and transmitting an approval for the initiated transaction to occur responsive to detecting a match between the first one-time password and a second one-time password.
However, in an analogous art, Axel teaches wherein the CDAS is a built in module of the WebSeal and EAI allows a back-end application server to perform the authentication of the user passing through WebSEAL (Axel pages 56 (2.5.3 External authentication interface (EAI)); Axel teaches that the appropriate information was gathered by the server (userid/password, userid/token, or client certificate information) and then this was passed to the CDAS. The CDAS would then verify the information and return a user identity. The EAI interface is an alternative way to customize authentication when the authentication information is passed in HTTP messages. It allows a back-end application server to perform the authentication of the user (with the HTTP messages passing through WebSEAL) and then, upon successful authentication, return an identity to WebSEAL/WebPI using some pre-defined HTTP headers; pages 187 and 188 (5.1.1 External authentication C API) and fig. 5-4 (2) (WebSEAL authentication model with CDAS). Axel further teaches that the external authentication C API (CDAS) enables you to substitute the default built-in WebSEAL authentication mechanism with a highly flexible shared library mechanism that allows custom handling and processing of client authentication information. The CDAS infrastructure has become obsolete and is now called external authentication C API. See also page 115 (Support for custom modules written using the external authentication C API (known as CDAS)).
 As Axel teaches CDAS is a part of WebSEAL and Christopher teaches the one-time-password is generated as a function of a secret shared by the security server (Token Authn Server) and the network site (WebSEAL), Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Axel with the method and system of Christopher, wherein external OTP generator (“ security server”) uses an value to generate the OTP, and the CDAS which is inside the WebSEAL (“network site”) uses the same value (shared secret) to calculate and verify the OTP (Axel pages 56-57).
Christopher and Axel disclose the one-time-password is generated as a function of a secret shared by the security server and the network site. However, Christopher and Axel do not explicitly disclose transmitting an approval for the initiated transaction to 
However, in an analogous art, Mennes teaches wherein transmitting an approval for the initiated transaction to occur responsive to detecting a match between the first one-time password and a second one-time password (Mennes par. 0061. Mennes teaches that the invention consisting of a token (100) for generating security values such as one-time passwords to authenticate a user or transaction signatures to indicate the user's approval of a transaction. See also par. 0067).
As Christopher and Axel teach the one-time-password is generated as a function of a secret shared by the network site (WebSEAL) and comparing one-time pass-code to authenticate, Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Mennes with the method and system of Christopher and Axel, wherein transmitting an approval for the initiated transaction to occur responsive to detecting a match to authenticate users and transaction signatures to indicate transaction approval (Mennes par. 0001).
Regarding claim 22, Christopher, Axel and Mennes disclose the method of claim 21,
Christopher further discloses further comprising the security server transmitting, responsive to receiving the details, the second one-time password to the network device (Christopher: pages 7 and 8; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); Christopher teaches that User keys in the one-time pass-code (upon received from the mobile device) and sends the form to WebSEAL pkmslogin.form again).
(Mennes par. 0061. Mennes teaches that the invention consisting of a token (100) for generating security values such as one-time passwords to authenticate a user or transaction signatures to indicate the user's approval of a transaction. See also par. 0067).
As Christopher and Axel teach the one-time-password is generated as a function of a secret shared by the network site (WebSEAL) and comparing one-time pass-code to authenticate, Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Mennes with the method and system of Christopher and Axel, wherein transmitting an approval for the initiated transaction to occur responsive to detecting a match to authenticate users and transaction signatures to indicate transaction approval (Mennes par. 0001).
Regarding claim 23, Christopher, Axel and Mennes disclose the method of claim 22,
Christopher further discloses wherein the transmitting, by the network site, of the approval is additionally based on the security server and the network site computing in accordance with an agreed-upon operation (Christopher: pages 7 and 8; Fig.3  (WebSEAL AND Extended LDAP high-level workflow);. The shared secret PIN is shared between the custom CDAS and the OTP genitor for the one-time pass-code generation and verification).
Regarding claim 24, Christopher, Axel and Mennes disclose the method of claim 22,
 (Christopher: Fig.1 (High-level component architecture), the external authentication server offers a service that will generate one-time authentication tokens for use in a two-phased authentication system; See also Fig. 3 (4.2) and page 6 (WebSEAL and external Authentication Server).
Regarding claim 25, Christopher, Axel and Mennes disclose the method of claim 22,
Christopher further discloses further comprising the security server computing the second one-time password as a function of the details (Christopher: page 7; Fig.3 (WebSEAL and external Authentication Server). Christopher teaches that generates the random one-time-pass-code with the sequence number and the shared secret PIN).
Mennes further discloses the transaction details (Mennes par. 0061. Mennes teaches that the invention consisting of a token (100) for generating security values such as one-time passwords to authenticate a user or transaction signatures to indicate the user's approval of a transaction. See also par. 0067).
As Christopher and Axel teach the one-time-password is generated as a function of a secret shared by the network site (WebSEAL) and comparing one-time pass-code to authenticate, Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Mennes with the method and system of Christopher and Axel, wherein transmitting the transaction details to detecting a  (Mennes par. 0001).
Regarding claim 26, Christopher, Axel and Mennes disclose the method of claim 25,
Christopher further discloses wherein the security server computes the second one-time password as a function of a secret shared with the network site (Christopher: page 6 (WebSEAL and external Authentication Server) Christopher: pages 7 and 8; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); this solution makes use of the standard userid/password CDAS implementation. The implementation makes use of external servers for generation and maintenance of the pass-codes and the custom CDAS is used to verify the one-time pass-code. When WebSEAL starts up, the custom CDAS retrieves the shared PIN. This shared secret PIN is shared between the custom CDAS and the OTP genitor for the one-time pass-code generation and verification).
Regarding claim 27, Christopher, Axel and Mennes disclose the method of claim 25,
Axel further discloses wherein the security server computes the second one-time password as a function of a time stamp or a counter value (Axel page 152. Server can only be used by users that logged in before throttle. It shows as throttle and will show a throttled at timestamp. Only users that have sessions that started before the throttle timestamp can access the server).
(“ security server”) uses an value to generate the OTP, and the CDAS which is inside the WebSEAL (“network site”) uses the same value (shared secret) to calculate and verify the OTP (Axel pages 56-57).
Regarding claim 28, Christopher, Axel and Mennes disclose the method of claim 21,
Mennes further discloses wherein further comprising the network site computing the first one-time password as a function of the transaction details (Mennes par. 0022. Mennes teaches that this application discloses a low-cost strong authentication token for creating one-time passwords and/or transaction signatures, hereafter collectively referred to as security values, for use in client-server transactions).
As Christopher and Axel teach the one-time-password is generated as a function of a secret shared by the network site (WebSEAL) and comparing one-time pass-code to authenticate, Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Mennes with the method and system of Christopher and Axel, wherein transmitting an approval for the initiated transaction to occur responsive to detecting a match to authenticate users and transaction signatures to indicate transaction approval (Mennes par. 0001).
Regarding claim 29, Christopher, Axel and Mennes disclose the method of claim 28,
Christopher further discloses wherein the network site computes the first one-time password as a function of a secret shared with the network site (Christopher: page 6 (WebSEAL and external Authentication Server) Christopher: pages 7 and 8; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); this solution makes use of the standard userid/password CDAS implementation. The implementation makes use of external servers for generation and maintenance of the pass-codes and the custom CDAS is used to verify the one-time pass-code. When WebSEAL starts up, the custom CDAS retrieves the shared PIN. This shared secret PIN is shared between the custom CDAS and the OTP genitor for the one-time pass-code generation and verification).
Regarding claim 30, Christopher, Axel and Mennes disclose the method of claim 28,
Axel further discloses wherein the network site computes the first one-time password as a function of a time stamp or a counter (Axel page 152. Server can only be used by users that logged in before throttle. It shows as throttle and will show a throttled at timestamp. Only users that have sessions that started before the throttle timestamp can access the server).
As Axel teaches CDAS is a part of WebSEAL and Christopher and Mennes teaches the one-time-password is generated as a function of a secret shared by the security server (Token Authn Server) and the network site (WebSEAL), Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to (“ security server”) uses an value to generate the OTP, and the CDAS which is inside the WebSEAL (“network site”) uses the same value (shared secret) to calculate and verify the OTP (Axel pages 56-57).
Regarding claims 32-37 and 39-41; claims 32-37 and 39-41 are directed to a system associated with the method claimed in claims 21-22 and 24-30 respectively.  Claims 32-37 and 39-41 are similar in scope to claims 21-22 and 24-30 respectively, and are therefore rejected under similar rationale.
Regarding claim 38; claim 38 is directed to a system associated with the method claimed in claim 23.  Claim 38 is similar in scope to claim 23, and is therefore rejected under similar rationale.
Claims 31 and 42 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Cristopher Hockings hereinafter Christopher (Two-Factor Authentication Using Tivoli Access Manager WebSEAL), in view of Axel Buecker hereinafter Axel (Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0); in view of Mennes (US 2009/0235339), and further in view of Lindsay (US 2009/0259588).
Regarding claim 31, Christopher, Axel and Mennes disclose the method of claim 21,
Christopher further discloses, further comprising: combining the details with data received from one or more additional network sites (Christopher: pages 6 and 7; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); the OTP generator is used to generate a random one-time pass-code and send the generated random one-time pass-code to SMS gateway. The SMS gateway sends the one-time pass-code to the mobile network); and
Mennes further discloses transmitting the transaction details (Mennes par. 0061. Mennes teaches that the invention consisting of a token (100) for generating security values such as one-time passwords to authenticate a user or transaction signatures to indicate the user's approval of a transaction. See also par. 0067).
As Christopher and Axel teach the one-time-password is generated as a function of a secret shared by the network site (WebSEAL) and comparing one-time pass-code to authenticate, Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Mennes with the method and system of Christopher and Axel, wherein transmitting an approval for the initiated transaction to occur responsive to detecting a match to authenticate users and transaction signatures to indicate transaction approval (Mennes par. 0001).
Christopher, Axel and Mennes do not explicitly disclose transmitting the transaction details in the data received from the one or more additional network sites to a risk engine.
 However, in an analogous art, Lindsay discloses transmitting the transaction details in the data received from the one or more additional network sites to a risk engine (Lindsay: par. 0195. Lindsay teaches that the system retrieves rules for elevated risk 778 from a database 780 or other memory device, which may be physically part of a local security system or may be remote and accessed via a network (not shown). See also par. 0103)
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Lindsay with the method and system of Christopher, Axel and Mennes, transmitting the transaction details in the data received from the one or more additional network sites to a risk engine to provide access or control over asset.
Regarding claim 42; claim 42 is directed to a system associated with the method claimed in claim 31.  Claim 42 is similar in scope to claim 31, and is therefore rejected under similar rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907.  The examiner can normally be reached on M-F 8:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, FARID HOMAYOUNMEHR can be reached on 571-272-3739.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SANCHIT K SARKER/Examiner, Art Unit 2495