DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claim 20 objected to because of the following informalities:  The claim recites a “period” after “the operations comprising.” This should be a colon.   Appropriate correction is required.
Allowable Subject Matter
Claim 7, 9, 11 and 17-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 8, 10, and 18 are objected to for being dependent upon an already objected to claim.
The following is a statement of reasons for the indication of allowable subject matter:  the prior art, either alone or in combination does not expressly disclose a hybrid authentication system such that the system further validates or initializes the session as disclosed in claims 7, 9, 11, or 17. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-6, 12-16, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja et al (US 2018/0139199) in view of Gillian et al (US 2019/0281028).
Regarding claim 1, 14 and 20, Ahuja et al discloses a method in a hybrid authentication system,  and a non-transitory computer-readable medium having stored thereon, computer- executable instructions that when executed by a hybrid authentication system, causes the hybrid authentication system to execute operations, the operations comprising: control circuitry communicatively coupled to a web application server; wherein the control circuitry is configured to [0087-0098, figure 6]: 
receive a request from the web application server to access secure content on a resource server [0026, 0028, 0031]; 
Please note that in this example the application allows the user to pick and select an authentication scheme from the user display.
control display of a set of user-selectable options on a user interface (UI) of a user device based on the received request, wherein the set of user-selectable options comprises a web-based authentication option [0045, 0034, 0058];
Please note that in this example the user may select an authentication scheme and the system may tailor options according to a user profile. 
 select at least one authentication option from the displayed set of user- selectable options based on a user input over the displayed set of user- selectable options [0038; 0039, 0046]
Please note that in this example the policy may be selected based on one or more user preference, online mode status, risk level or employer preference. The user then may select the authentication scheme based on these preferences.  
authenticate the received request based on the selected at least one authentication option [0046]; 
Please note that in this example once the selected authentication scheme is made the identity of the user is verified using the selected authentication scheme. 
issue an access token to the web application server based on the authentication of the received request [0058];
Please note that upon successful verification of credentials, a token may be generated that allows access. 
However, Ahuja et al does not expressly disclose but Gillian et al
Please note that in this example a distributed transaction based action is operated on utilizing blockchain in which authentication challenges are received from the secure resource as a means to authenticate the request.
It would have been obvious to one of ordinary skill in the art at to create the invention as claimed for the following reasons.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ahuja et al by implementing a public ledger in the system, for the purpose of authenticating access in a decentralized manner, based upon the beneficial teachings provided by Gillian et al, see for example [abstract].  These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan.  Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.  
Regarding claim 2, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al further discloses the web application server hosts at least one web application, and the web application server provides the request based on a user-initiated request for a Single-Sign-On (SSO) access to the at least one web application [0034].
Regarding claim 3, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al does not expressly disclose but Gillian et al further discloses smart contract is a self-executable program that controls access to linking information comprising a public key, a web identifier (ID), and a user identifier, the public key is for a wallet account of the user on the public ledger, and the web ID is for a web account of the user [0035, 0051]. 
The rationale to combine is the same as disclosed in point (11). 
Regarding claim 4, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al further discloses the resource server is an application-programming interface (API) server that stores user-specific information as the secure content and is managed by an identity provider [0026]. 
Regarding claim 5 and 15, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al further discloses that the control circuitry is further configured to: communicate a token request to an identity provider based on the selected at least one authentication option comprising the web-based authentication option; receive the access token based on the authentication of the communicated token request; authenticate the received request based on the received access token for the web-based authentication option; and issue the received access token to the web application server based on the authentication of the received request [0046, 0058-0060]. 
Regarding claim 6 and 16, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al does not expressly disclose but Gillian et al further discloses the control circuitry is further configured to: control display of a UI form on the user device based on the selected at least one authentication option comprising the wallet-based authentication option; receive a signature via the UI form, wherein the signature is signed with a private key of a wallet account of the user on the public ledger; and call the stored smart contract based on the received signature [0014-0015, 0057, 0012, 0019, 0045, 0041, 0048]. 
The rationale to combine is the same as disclosed in point (11). 
Regarding claim 12 and 19, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al further discloses that the control circuitry is configured to select 
Regarding claim 13, Ahuja et al and Gillian et al disclose all the limitations of claims 1, 14 and 20. Ahuja et al further discloses that the defined security criteria comprises a defined security level, a user preference for an authentication option, or a failure status of the authentication attempted previously based on one of the web-based authentication option or the wallet-based authentication option [0019, 0039, 0040, 0043, 0072].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Avetisov et al
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENDALL DOLLY whose telephone number is (571)270-1948.  The examiner can normally be reached on Monday-Thursday 7am-4pm(EST) and Friday 7am-11am(EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KENDALL DOLLY/Primary Examiner, Art Unit 2436