PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/213,229
Filing Date: 7 Dec 2018
Appellant(s): Spencer et al.



__________________
Kari L. Barnes Registration No. 60,499
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed September 07, 2021 appealing from the Office action mailed July 23, 2020.
(1) Grounds of Rejection to be Reviewed on Appeal

Every ground of rejection set forth in the Office action dated 07/23/2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

1.1 	Non-Statutory Double Patenting: Claims 1-3, 6, 8-11, 14-16, 18, 20, and 21 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-3, 7, 9-12, and 21, of Patent 10164974 (Application 14/778131).  

Claims 1-3, 6, 8-11, 14-16, 18, 20 and 21:
Claims 1-3, 6, 8-11, 14-16, 18, 20 and 21 have similar limitations as in claims 1-3, 7, 9-12, and 21, of Patent 10164974 (Application 14/778131).  Although the conflicting claims are not identical; they are not patentably distinct from each other because both applications claim A method of authenticating a user for performing a transaction.  Claims 1-3, 6, 8-11, 14-16, 18, 20 and 21 are rejected under the reasons as set forth above.  

This is an obviousness-type double patenting rejection because the conflicting claims have been patented.


Claims 1-3, 6, 8-11, 14-16, 18, 20 and 21 in the instant application correspond to claims 1-3, 7, 9-12, and 21, of Patent 10164974 (Application 14/778131).  Since claims 1-3, 6, 8-11, 14-16, 18, 20 and 21 are A method of authenticating a user for performing a transaction comprising the steps of: (a)    receiving on a first authentication server data representing unique knowledge of the user; (b)    receiving on the authentication server a hardware profile, the hardware profile being associated with the user; (c)    comparing on a second evaluation server the received data representing unique knowledge of the user with previously stored data representing unique knowledge of the user; (d)    comparing on the second evaluation server the received hardware profile with a previously stored hardware profile associated with the user by calculating a percent difference of the previously stored hardware profile with the received current hardware profile; and (e)    allowing the transaction to go forward if both the received data representing unique knowledge of the user is authenticated by step (c) and the difference between the received hardware profile and the previously stored hardware profile form the result of step (d) is less than a set tolerance; and (f) when the percentage difference is not within the set tolerance, the transaction does not proceed AND claims 1-3, 7, 9-12, and 21, of Patent 10164974 (Application 14/778131) are A method of authenticating a user for performing a transaction comprising the steps of: (a)    receiving on a first authentication server data representing unique knowledge of the user, wherein data representing unique knowledge of the user is related to a sequential selection of pictures presented to the user; (b)    receiving on the authentication server a hardware profile, the hardware profile being associated with the user; (c)    comparing on a second evaluation server the received data representing unique knowledge of the user with previously stored data representing unique knowledge of the user; (d)    comparing on the second evaluation server the received hardware profile with a previously stored hardware profile associated with the user by calculating a percent difference of the previously stored hardware profile with the received current hardware profile using the Levenshtein Distance equation: and (e)    allowing the transaction to go forward if both the received data representing unique knowledge of the user and the received hardware profile is authenticated by step[[s]] (c) and the difference between the received hardware profile and the previously stored hardware profile from the result of step (d) is less than a set tolerance: and (f)    if the percentage difference is not within the set tolerance, the transaction does not proceed., it would have been obvious to modify claims 1-3, 7, 9-12, and 21, of Patent 10164974 (Application 14/778131) to get Claims 1-3, 6, 8-11, 14-16, 18, 20 and 21 in the instant application.


1.2	Claims 1, 14 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.  
Claims 1 and 14 recites the limitation “stored on the hardware device” in page 1, lines 6-7, page 4, line 18.  There is insufficient antecedent basis for this limitation in the claim.
Claim 20 recites the limitation “use of the hardware device” in page 5, line 25.  There is insufficient antecedent basis for this limitation in the claim.

1.3	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Lyon (US 2012/0221470, publish date 08/30/2012) in view of Kirovski et al.  (US 2004/0010721 A1, publish date 01/15/2004) further in view of Zhang et al. (US 2012/0151574 A1, publish date 06/14/2015).

With respect to claims 1, 14, 21, Lyon discloses a method of authenticating a user for performing a transaction (a user authentication and secure transaction system, para 0052, Fig, 1) comprising the steps of:
(a)    receiving on a first authentication server data representing unique knowledge/a biometric of the user (Client device 503 accesses control computer 60 via https or a real world transaction, para 0126) (Message digest function 801 to receive username and password, para 0127) (User profile 1020 can comprise data such as the following: user name, user password, date of birth, email address, social security number, banking account(s) information, credit/debit card(s) information gathered from a manual card swipe at a financial institution, government issued I.D. (e.g. drivers license), hardware ID numbers, IP address, user photo, authenticated credit limit, biometric data, authorized mailing address or addresses, and caller identification verification. For example, user 100 can configure the user's profile 1020 such that transactions corresponding to user 100 will only be approved if predetermined minimum and/or maximum authentication procedures are followed, para 0192);
(b)    receiving on the authentication server a hardware profile (User Profiled Figure 4, 401, Hardware signature, Figure 4, 415) (The hardware identification signature key is sent to control computer, para 0123), the hardware profile including user generated data stored (data created by and associated with the user and stored) on the hardware device/to install applications (Control computer 60 may assign a user identifier to user 100 that is unique to user 100, the user identifier may be comprised of a hardware identification signature, 0095) (The hardware identification signature key generated by installed software, 0123) (Hardware signature, Figure 4, 415); 
(c)    comparing on a second evaluation server (Merchant computer 70 combines merchant's 170 merchant name and the merchant identifier with user's 100 user name, user identifier, and password to create authorization data 141, and uploads authorization data 141 to control computer 60 by means of computer network, para 0098, Figs, 1, 5) the received data representing unique knowledge/a biometric characteristic of the user with previously stored data representing unique knowledge/a biometric characteristic of the user (control computer 60 may compare uploaded user identity data 111 to user data stored in database, para 0089) (Authentication procedures may comprise comparing the verification data to user's 100 user profile storable in user database 160 and/or fraud database, para 0104) (biometric or email identification may be used for authentication purposes, para 0121) (such authentication may be accomplished by user 100 entering verification data such as a password or biometric information, para 0226);
(d)    comparing on the second evaluation server the received hardware profile with a previously stored hardware profile associated with the user (Merchant access key 1110 combined with authorized user key 502 and the hardware identification signature on a merchant client device grants merchant 170 merchant profile 1015 access, para 0193, Figs. 5, 10, 11) (a currently created hardware identification signature to be sent to control computer 60 for comparison to the stored hardware identification signature residing within profile, para 0123); and
(e)    allowing the transaction to go forward if both the received data representing unique knowledge of the user is authenticated by step (c) and the difference between the received hardware profile and the previously stored hardware profile form the result of step (d) (If control computer 60 is able to authenticate the verification information, control computer 60 sends message 133 to merchant computer 70 to authorize the transaction, para 0105; enrollment access key 1306 may be combined with authorized user key 502 and a hardware identification signature on an enrollment client device to grant enrollment agent 1312 enrollment profile 1328 access, para 0193).

Kirovski et al.  teaches logon to a local and/or remote computer (or computing device) requires a password; a user may logon on by entering passwords via the display 300 (0052-0053, 0056, Figure 4), passwords are often "hashed" and/or combined with other information and "hashed", as shown in the hash information column 518, Hash information includes password and other information, such as, user information.  For example, in the hash information column 518, CHS(PW+X) includes password information (PW) and other information (X) and CHS represents a hash function (0054, Figure 5), wherein data representing unique knowledge of the user (display 9 pictures, 300, Individual pictures are selectable, such a display 300 is suitable for entering a "picture" password 330, such as, "cup of coffee 304, airplane 302, and suitcase 308", 0051-, Figure 3, Figure 5, 516) (a set of pictures, 0058, Figure 6).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Kirovski et al.  in Lyon for wherein data representing unique knowledge of the user as claimed for purposes of enhancing security and/or simplified password secured transactions and implement a strategy against attacks and therefore maximizing the protection of transactional data. (see Kirovski et al.   0032, 0057-0058).

Neither Lyon nor Kirovski et al.  discloses by calculating a percent difference of the previously stored hardware profile with the received current hardware profile; allowing the transaction to go forward if less than a set tolerance; (f) when the percentage difference is not within the set tolerance, the transaction does not proceed as claimed.

However, Zhang teaches by calculating a percent difference of the previously stored hardware profile with the received current hardware profile; allowing the transaction to go forward if less than a set tolerance; (f) when the percentage difference is not within the set tolerance, the transaction does not proceed (the AVS checks whether or not the system identifier in the activation request matches the OEM-reported system identifier to within a second tolerance, within a second tolerance may comprise determining whether a distance between the two system identifiers is less than the second tolerance.  The second tolerance may be a number indicating the maximal allowed distance between the first and second system identifiers (0070-0071) may be done to within a tolerance in order to account for possible modification in the hardware configuration of the system from the time the OEM-generated system identifier was reported to the software vendor (e.g., act 807 in FIG. 3) to the time that the software activation request was sent from the user computer to the software vendor (0072)

Lyon, Kirovski et al.  and Zhang are analogous art because they are from the same field of endeavor of hardware profiles.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Zhang in Lyon and Kirovski et al.  for by calculating a percent difference of the previously stored hardware profile with the received current hardware profile; allowing the transaction to go forward if less than a set tolerance; (f) when the percentage difference is not within the set tolerance, the transaction does not proceed as claimed for purposes of enhancing the system of Lyon by allowing for slight changes in hardware configuration and therefore maximizing the protection of transactional data. (see Zhang the comparison of the OEM-reported system identifier to the user-provided system identifier, in act 604, may be done to within a tolerance in order to account for possible modification in the hardware configuration of the system from the time the OEM-generated system identifier was reported to the software vendor (e.g., act 807 in FIG. 3} to the time that the software activation request was sent from the user computer to the software vendor, para 0072).

With respect to claims 2, 15, Lyon discloses wherein the first and second authentication servers are the same server (a user authentication and secure transaction system comprised of enrollment computer 50, control computer 60 in electronic communication with enrollment computer 50, merchant computer 70 in electronic communication with control computer 60, and user key. It is to be understood that the system illustrated in FIG. 1 can have a single occurrence of each component or person or a plurality of one or more components or persons as required by the needs of the system applications, para 0052, Fig. 1).

With respect to claims 3, 18, the combination of Lyon and Kirovski et al.  and Zhang et al. discloses the limitations of claims 1, 14, as addressed.  

Kirovski et al.  teaches wherein the received data representing unique knowledge is hashed (passwords are often "hashed" and/or combined with other information and "hashed", as shown in the hash information column 518, Hash information includes password and other information, such as, user information.  For example, in the hash information column 518, CHS(PW+X) includes password information (PW) and other information (X) and CHS represents a hash function (0054, Figure 5).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

The motivation for combining Lyon and Kirovski et al.  is recited in claims 1, 14.  
With respect to claim 4, Lyon discloses wherein the received hardware profile is hashed (the user identifier and/or merchant identifier may be comprised of a hardware identification signature, other types of identifying means could be employed, such as those having serialized encryption means, 0095).

With respect to claims 5, 7, 17, Lyon discloses wherein the unique knowledge comprises (i) a PIN, (ii) a password, (iii) user account number, (iv) at least one picture selected by the user, (v) pictures selected by the user in a desired order, (vi) a swipe pattern on a picture, or (vii) multiple taps on a picture (User profile 1020 can comprise data such as the following: user name, user password, date of birth, email address, social security number, banking account(s) information, credit/debit card(s) information gathered from a manual card swipe at a financial institution, government issued I.D. (e.g. drivers license), hardware ID numbers, IP address, user photo, authenticated credit limit, biometric data, authorized mailing address or addresses, and caller identification verification. For example, user 100 can configure the user's profile 1020 such that transactions corresponding to user 100 will only be approved if predetermined minimum and/or maximum authentication procedures are followed, para 0192).

Kirovski et al.  teaches wherein the unique knowledge comprises (iv) at least one picture selected by the user, (v) pictures selected by the user in a desired order, (vi) a swipe pattern on a picture, or (vii) multiple taps on a picture (display 9 pictures, 300, Individual pictures are selectable, such a display 300 is suitable for entering a "picture" password 330, such as, "cup of coffee 304, airplane 302, and suitcase 
308", 0051-, Figure 3, Figure 5, 516) (a set of pictures, 0058, Figure 6).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

The motivation for combining Lyon and Kirovski et al.  is recited in claim 1.  

With respect to claim 6, the combination of Lyon and Kirovski et al.  and Zhang et al. discloses the limitations of claim 1, as addressed.  

Kirovski et al.  teaches wherein the unique knowledge of the user is at least one picture selected by the user (display 9 pictures, 300, Individual pictures are selectable, such a display 300 is suitable for entering a "picture" password 330, such as, "cup of coffee 304, airplane 302, and suitcase 308", 0051-, Figure 3, Figure 5, 516) (a set of pictures, 0058, Figure 6).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

The motivation for combining Lyon and Kirovski et al.  is recited in claim 1.  

With respect to claim 8, Lyon discloses comprising the additional steps of (i) receiving on the first authentication server user information and (ii) comparing the received user information with previously stored user information for verification of the user on the evaluation server; and wherein step (e) comprises allowing the transaction to go forward only if the user is verified in step (ii) (control computer 60 attempts to authenticate verification data received in message 149 before continuing to process the transaction.  Authentication procedures may comprise comparing the verification data to user's 100 user profile storable in user database 160 and/or fraud database, para 0104) (If control computer 60 is able to authenticate the verification information, control computer 60 sends message 133 to merchant computer 70 to authorize the transaction, para 0105).

With respect to claim 9, Lyon discloses wherein the user information comprises the user’s (a) name, (b) social security number, (c) national identification number, (d) passport number, (e) IP address,(f) vehicle registration number, (g) vehicle license plate number, (h) driver's license number, (i) appearance, (j) fingerprint, (k) handwriting, (1) credit card information, (m) bank account information, (n) digital identity, (o) date of birth, (p) birthplace, (q) past and current residence, (r) age, (s) gender, (t) marital status, (u) race, (v) names of schools attended, (w) workplace, (x) salary, (y) job position, (z) biometric data, or combinations of one or more thereof (User profile 1020 can comprise data such as the following: user name, user password, date of birth, email address, social security number, banking account(s) information, credit/debit card(s) information gathered from a manual card swipe at a financial institution, government issued I.D. (e.g. drivers license), hardware ID numbers, IP address, user photo, authenticated credit limit, biometric data, authorized mailing address or addresses, and caller identification verification. For example, user 100 can configure the user's profile 1020 such that transactions corresponding to user 100 will only be approved if predetermined minimum and/or maximum authentication procedures are followed, para 0192).

With respect to claim 10, Lyon discloses wherein the hardware profile comprises information on a hardware device selected from the group consisting of (a) contact information, (b) mobile network code, (c) information about music, (e) installed applications, (f) arrangement of installed applications, (g) frequency of use of applications, (h) location of the user, (i) Bluetooth device pairings, (j) carrier name, (k) mobile country code, (1) phone number, (m) photos, (n) device name, or combinations of one or more thereof (the hardware identification information of the personal communication device 1704 can comprise the device’s 1704 MAC address, serial number, and/or hardware configuration information, 0224).
 
Kirovski et al.  teaches (d) pixel colors from a background screen (images having a variety of features, an exemplary password system presents a user with the image 710, or alternatively, the user selects image 710 from a group of two or more images, images, such as the images 710, 710', are composed of a plurality of picture elements or pixels, o select an individual pixel and/or groups of pixels, 0060).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

The motivation for combining Lyon and Kirovski et al.  is recited in claim 1.

With respect to claim 11, Lyon discloses comprises performing the transaction (If the result of decision 905 is positive, the process proceeds to operation 906 allowing profile changes to take place before proceeding to operation 907, otherwise, the process proceeds to operation 907 where the transaction proceeds, para 0152) (operation 907 allows a transaction to proceed after authentication and verification, para 0154, Fig. 9).

With respect to claim 12, Lyon discloses wherein the unique knowledge is an answer to a question (User profile 1020 can comprise data such as the following: user name, user password, date of birth, email address, social security number, banking account(s) information, credit/debit card(s) information gathered from a manual card swipe at a financial institution, government issued I.D. (e.g. drivers license), hardware ID numbers, IP address, user photo, authenticated credit limit, biometric data, authorized mailing address or addresses, and caller identification verification. For example, user 100 can configure the user's profile 1020 such that transactions corresponding to user 100 will only be approved if predetermined minimum and/or maximum authentication procedures are followed, para 0192).

With respect to claims 13, 19, Lyon discloses apparatus for performing the method of claim 1 comprising the authentication server (a user authentication and secure transaction system, para 0052, Fig, 1), and memory storing the previously stored data representing unique knowledge of the user (user data stored in database, para 0089) and the previously stored hardware profile associated with the user (the stored hardware identification signature residing within profile, para 0123), the authentication server being programmed for performing steps (a) - (d) (see claims 1 and 14 above).

With respect to claim 16, Lyon discloses wherein the biometric characteristic is a fingerprint, retina, facial characteristic, or voice data of the user or combinations of one or more thereof (scanning a person's fingerprints or thumbprints, 0058) (users identity: fingerprints, thumbprints, photograph, retina scan, voice recognition segment, 0082) (biometric data, para 0192).

With respect to claim 20, Lyon discloses a method for a user to perform a transaction (a user authentication and secure transaction system, para 0052, Fig. 1) comprising the steps of:
(a)    receiving on a first electronic device data representing unique knowledge of the
user (enrollment operator 151 may input user identity data 110 and/or merchant identity data 130 into enrollment computer 50, verify, and/or alter user identity data 110 or merchant identity data, para 0081); 
(b)    sending to an authentication server a hardware profile of a second electronic device for authentication of the second electronic device (User Profiled Figure 4, 401, Hardware signature, Figure 4, 415) (Merchant access key 1110 combined with authorized user key 502 and the hardware identification signature on a merchant client device grants merchant 170 merchant profile 1015 access, para 0193, Figs. 5, 10, 11) (The hardware identification signature key is sent to control computer, para 0123);
the hardware profile including data generated by the user during use of the hardware device (Control computer 60 may assign a user identifier to user 100 that is unique to user 100, the user identifier may be comprised of a hardware identification signature, 0095) (Hardware signature, Figure 4, 415); 
 (c)    sending to an authentication server the data representing unique knowledge of the user with the first device (Client device 503 accesses control computer 60 via https or a real world transaction, para 0126; Message digest function 801 to receive username and password, para 0127);
(d)    receiving from the authentication server a response indicating whether the first device was authenticated and the data representing unique knowledge of the user was authenticated (Once client devices 503 are authenticated and configured, they are authorized to communicate with control computer, para 0169);
(e)    proceeding with the transaction if the second device and the data representing unique knowledge of the user were authenticated (If control computer 60 is able to authenticate the verification information, control computer 60 sends message 133 to merchant computer 70 to authorize the transaction, para 0105) (enrollment access key 1306 may be combined with authorized user key 502 and a hardware identification signature on an enrollment client device to grant enrollment agent 1312 enrollment profile 1328 access, para 0193).

Kirovski et al.  teaches logon to a local and/or remote computer (or computing device) requires a password; a user may logon on by entering passwords via the display 300 (0052-0053, 0056, Figure 4), passwords are often "hashed" and/or combined with other information and "hashed", as shown in the hash information column 518, Hash information includes password and other information, such as, user information.  For example, in the hash information column 518, CHS(PW+X) includes password information (PW) and other information (X) and CHS represents a hash function (0054, Figure 5), wherein data representing unique knowledge of the user (display 9 pictures, 300, Individual pictures are selectable, such a display 300 is suitable for entering a "picture" password 330, such as, "cup of coffee 304, airplane 302, and suitcase 308", 0051-, Figure 3, Figure 5, 516) (a set of pictures, 0058, Figure 6).

Lyon and Kirovski et al.  are analogous art because they are from the same field of endeavor of user authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Kirovski et al.  in Lyon for wherein data representing unique knowledge of the user as claimed for purposes of enhancing security and/or simplified password secured transactions and implement a strategy against attacks and therefore maximizing the protection of transactional data. (see Kirovski et al.   0032, 0057-0058).

Neither Lyon nor Kirovski et al.  discloses only if a percent difference between the hardware profile of a second electronic device sent to the authentication server at step b and a previously stored hardware profile is less than a set tolerance; 
(f) when the percent difference between the hardware profile of the second electronic device sent to the authentication server at step b and the previously stored hardware profile is not within the set tolerance, terminating the transaction as claimed.

However, Zhang teaches only if a percent difference between the hardware profile of a second electronic device sent to the authentication server at step b and a previously stored hardware profile is less than a set tolerance; (f) when the percent difference between the hardware profile of the second electronic device sent to the authentication server at step b and the previously stored hardware profile is not within the set tolerance, terminating the transaction (the AVS checks whether or not the system identifier in the activation request matches the OEM-reported system identifier to within a second tolerance, within a second tolerance may comprise determining whether a distance between the two system identifiers is less than the second tolerance.  The second tolerance may be a number indicating the maximal allowed distance between the first and second system identifiers (0070-0071) may be done to within a tolerance in order to account for possible modification in the hardware configuration of the system from the time the OEM-generated system identifier was reported to the software vendor (e.g., act 807 in FIG. 3) to the time that the software activation request was sent from the user computer to the software vendor (0072)

Lyon, Kirovski et al.  and Zhang are analogous art because they are from the same field of endeavor of hardware profiles.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Zhang in Lyon and Kirovski et al.  for only if a percent difference between the hardware profile of a second electronic device sent to the authentication server at step b and a previously stored hardware profile is less than a set tolerance; 
(f) when the percent difference between the hardware profile of the second electronic device sent to the authentication server at step b and the previously stored hardware profile is not within the set tolerance, terminating the transaction as claimed for purposes of enhancing the system of Lyon by allowing for slight changes in hardware configuration and therefore maximizing the protection of transactional data. (see Zhang the comparison of the OEM-reported system identifier to the user-provided system identifier, in act 604, may be done to within a tolerance in order to account for possible modification in the hardware configuration of the system from the time the OEM-generated system identifier was reported to the software vendor (e.g., act 807 in FIG. 3} to the time that the software activation request was sent from the user computer to the software vendor, para 0072).




(2) Response to Argument

2.1	With respect to claims 1, 14, 20, Appellant’s arguments with respect to the 35 USC 112, second paragraph rejection of claims 1, 14, 20, see appeal brief pages 4-5, are persuasive.  

	In response to appellant’s arguments with respect to claims 1, 14, 20, Examiner respectfully agrees.  Appellant authorizes amendments to claims 1, 10, 14, and 20 via an Examiner’s amendment after the appeal or confirms that Applicant will submit an amendment after appeal if all other issues are resolved.  Therefore the rejection would be withdrawn in view of the proposed amendments.  Examiner acknowledges the proposed amendments to claims 1, 10, 14, and 20 however the rejection will be held until prosecution moves forward via an Examiner’s amendment after the appeal or confirms that Applicant will submit an amendment after appeal if all other issues are resolved.

2.2	With respect to claims 1, 14, 20, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 4-7, see appeal brief page 9, see appeal brief pages 11-12, see appeal brief pages 13-14 are not persuasive.  Appellant argues that independent claim 1 recites, at step b, “receiving on the authentication server a hardware profile, the hardware profile including user generated data stored on the hardware device.”  The identified device profile of Lyon is in no way related to the user, including user generated data, as claimed.  Lyon describes a hardware identification signature key is unique to the client device, and may include the media access control (MAC) address, CPU speed, installed memory, and/or other unique static information of the client device 503.” (Lyon, [0123].)  The Lyon hardware identification signature key is therefore in no way shown or suggested as being related to the user in any way. Instead, the intended hardware identification signature key of Lyon is a static device attribute of the hardware creating the device. Even if the hardware profile is assigned to a user as the unique user identifier, it is not user generated data as currently claimed by the presently pending independent claims. Neither Kirovski nor Zhang supply the missing hardware profile.  

In response to appellant’s arguments with respect to claims 1, 14, 20, Examiner respectfully disagrees.  Lyon discloses ““FIG. 4 is a diagram of a user key creation process.  Data may be entered 401 into a GUI interface. … data entry points may comprise data such as … hardware identification signature 415 … After data is entered 401 into the user profile, initial user key is created 400” (0110, Figure 4).  “Client device 503 operates as an administrative device for key 700A, whereupon user 100 can review and make certain changes to profile 703.  For example, user 100 may add, delete, or change parameters” (0125).  Examiner holds that Lyon discloses “Input to User profile 401” which includes “hardware identification signature 415” that is created from non-static information (changes to the parameters) and thus discloses “a hardware profile, the hardware profile including user generated data stored on the hardware device.”  


2.3	With respect to claim 1, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief pages 8-9, are not persuasive.  Appellant argues that the Office admits that neither Lyon nor Kirovski discloses “calculating a percent difference” of previously stored hardware profile with the received current hardware profile, allowing the transaction to go forward if less than a set tolerance. (Office Action, p. 10.) However, the Office cites to Zhang to teach calculating a percent difference. Applicant respectfully submits that a person of skill in the art would not modify Lyon with the disclosure of Zhang as proposed. Lyon clearly states that its hardware identification signature key is created from unique static information.  

In response to appellant’s arguments with respect to claim 1, Examiner respectfully disagrees.  Zhang discloses “Determining whether a first proof-of-purchase matches a second proof-of-purchase to within a first tolerance may comprise determining whether a distance between the two proofs-of-purchase is less than the first tolerance” (0069).  Examiner holds that determining a distance tolerance implies percent difference.  Examiner has addressed in above 2.2 Response section that Lyon discloses that its hardware identification signature key is created from non-static information.

2.4	With respect to claim 10, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief page 10, are not persuasive.  Appellant argues that Kirovski does not show or describe pixel colors from a background screen. Instead, Kirovski is creating and displaying images to a user to select as a password combination. As such, Kirovski does not render the further recitations of claim 10 obvious.

In response to appellant’s arguments with respect to claim 10, Examiner respectfully disagrees.  The claim recites “selected from the group consisting of … or combinations of one or more thereof” and therefore requires any combination of data/items.  Lyon discloses “the hardware identification information of the personal communication device 1704 can comprise the device’s 1704 MAC address, serial number, and/or hardware configuration information” (0224) (see Figure 4).

2.5	With respect to claim 21, Appellant’s arguments with respect to the prior art rejection of claims 1-21, see appeal brief page 14, are not persuasive.  Appellant argues claim 21 recites that the hardware profile includes information relating to installed applications. Applicant respectfully submits that the hardware device profile described by Lyon, and relied upon by the Office, does not include the installed applications as claimed. 

	In response to appellant’s arguments with respect to claim 21, Examiner respectfully disagrees.  Lyon discloses “Installed software, which acts as a platform between control computer 60 and client device 503, runs on client device 503 to create a hardware identification signature key.  The hardware identification signature key generated by installed software is derived from information unique to client device 503.  For example, the installed software may determine the hardware identification signature key from the media access control (MAC) address, CPU speed, installed memory, and/or other unique static information of client device 503” (0122).  


For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433                                                                                                                                                                                             



Conferees:
Brandon Hoffman
/BRANDON S HOFFMAN/           Primary Examiner, Art Unit 2433                                                                                                                                                                                             

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433                                                                                                                                                                                             

Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.