Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the Amendment filed on 07/19/2021.
In the instant Amendment, claims 1-4, 11-13, 19 and 20 have been amended. Claims 1, 11 and 19 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Response to Arguments
The rejections of claims 1-18 under 35 U.S.C. 112(b) are withdrawn as the claims have been amended.
Applicants’ arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C.
102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-11 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Khan (US 9,918,226) and in view of Cristopher Hockings hereinafter Christopher (Two-Factor Authentication Using Tivoli Access Manager WebSEAL).
Regarding claim 1, Khan discloses a method for authenticating a secure credential transfer (Khan Col.7; lines 37-41. Khan teaches that secure enclave processor compare authentication information with stored authentication and, if a match is obtained, provide an encrypted token with an authentication-complete indicator to a secure element), the method comprising: 
receiving, by one or more first processors of a first client device (electronic device 114), user input (identification) to initiate the secure credential transfer to a second client device (electronic device 110), the user input triggering a communication to be sent to a second client device (electronic device 110) (Khan Col. 13; lines 58-64 and Figs 1, 2 and 8. Khan teaches that receives, from a user, an identifier (such as a username, a password and/or a biometric identifier of the user); provides, to a third electronic device (such as electronic device 114 in FIG. 1), the identifier; receives, from the third electronic device, a sign-in token (such as a single sign-in token) that is based on the identifier; and provides, to the secure element, the sign-in token); 
verifying, by the one or more processors, a user identity based on user identification input (Khan Col. 10; lines 62-66 and Fig 2. Khan teaches that processing subsystem display, on a display subsystem 240, instructions to provide the identifier. Then, the user provide the identifier in the form of a username and/or a password entered using user-interface device); 
verifying device identity of the second client device by: determining, by one or more second processors of the second client device, a security status of the second client device (certifying a secure element) from hardware of the second client device (secure element) (Khan Col. 13; lines 20-23 and Fig 4. Khan teaches that a flow diagram illustrating a method 400 for certifying a secure element, which may be performed by a processor in a secure element in an electronic device), 
invoking, by the one or more second processors, an identifier (secure element identifier) related to the security status of the second client device to the authentication server (electronic device 112) (Khan Col. 14; lines 23-29 and Fig 6. Khan teaches that electronic device 112 may request the secure-element identifier (SEID) from secure element 230 in electronic device 110. In response, secure element 230 may access the controlling authority security domain to obtain the secure-element identifier, and may provide the secure-element identifier to electronic device 112); 
receiving, by the one or more second processors, certification (challenge) from the authentication server for the second client device based on the invoked identifier (Khan Col. 14; lines 34-40 and Fig 6. Khan teaches that after validating the certification (e.g., using information about the provider, such as the certificate, available to electronic device 112), electronic device 112 may provide the challenge to secure element 230. Using the challenge and the secure-element identifier, secure element 230 may access the controlling authority security domain to obtain the encryption key, and may generate the digital signature); 
receiving, by the one or more second processors, one or more tokens (Sing-in token) associated with an account for the secure credential transfer (Khan Col. 13; lines 58-66 and Figs 1, 2 and 8. Khan teaches that receives, from the third electronic device, a sign-in token (such as a single sign-in token) that is based on the identifier; and provides, to the secure element, the sign-in token); and 
after verifying the user identity, establishing, using the one or more first processors and the one or more second processors, a channel between the first client device and the second client device for the secure credential transfer using the one or more tokens (Khan Col. 14; lines 54-67 and Col. 6; lines 9-15 and 26-31. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor. Secure element 230 may provide the digital signature and the sign-in token to electronic device 112. Electronic device 112 may provide the sign-in token to electronic device 114 to confirm that the sign-in token is valid. The wireless communication among electronic devices 110, 112 and/or 114 may involve the exchange of packets that include the certification information (such as the secure-element identifier, the identifier, the certificate, the challenge, the sign-in token, and/or the digital signature). These packets may be included in frames in one or more wireless channels. This can comprise transmitting frames on wireless channels to enable electronic devices to make initial contact, followed by exchanging subsequent data/management frames (such as connect requests to establish a connection), configuring security options).
Khan3KhanKhanKkk teaches 3 receiving, by one or more first processors at a first client device user input; receiving, by the one or more second processors, one or more tokens and establishing a secure channel (Khan Col. 13; lines 58-66). However; Khan does not explicitly teach in response to receiving the user input: transmitting, by the one or more first processors, a first communication to an authentication server; transmitting, by the one or more first processors, a second communication to the a second client device and after verifying the user identity and the device identity, establishing, using the one or more first processors and the one or more second processors, a secure channel between the first client device and the second client device for the secure credential transfer using the one or more tokens. 
However, in an analogous field, Christopher teaches in response to receiving the user input: transmitting, by the one or more first processors, a first communication to an authentication server (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); pages 4 and 5; Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called); and 
(Christopher: pages 6 and 7; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); the OTP generator is used to generate a random one-time pass-code and send the generated random one-time pass-code to SMS gateway. The SMS gateway sends the one-time pass-code to the mobile network).
14after verifying the user identity and the device identity of the second client device (CDAS code retrieves the contact number of the user authenticated from LDAP), establishing, using the one or more first processors and the one or more second processors, a secure channel between the first client device and the second client (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function) device for the secure credential transfer using the one or more tokens (Token Authentication) (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and (CDAS interface); WebSEAL with Token Authentication configured: This requires a token CDAS to be written that handles the two-factor authentication. Sections that follow outline the mechanism for building a token CDAS to support two-phased authentication. The CDAS interface provided by TAM web components allow for authentication and mapping of users to third-party authentication providers. There are a number of interfaces available to the customer within this documented API. These include: Token Authentication: This allows for implementation of code that will support token authentication systems; pages 4-5 and 7 (4); Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4 and 8. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called. CDAS code retrieves the contact number of the user authenticated from LDAP and generates a one-time passcode to be stored within the CDAS cache. CDAS code compares the token with that stored within the cache for the user. (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function)) 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Khan with the method and system of Christopher, wherein receiving the user input and uses the same value (shared secret) to calculate and verify the OTP to provide users with a means for two factor authentication (Christopher abstract).
Regarding claim 3, Khan and Christopher disclose the method of claim 1, 
Khan further discloses wherein the second communication is transmitted from the first client device to the second client device using near field communication (NFC) (Khan Col.4; lines 38-48. Khan teaches that the wireless communication between the electronic device and the other electronic device may involve conveying packets that are transmitted and received by radios in the electronic device and the other electronic device in accordance with a communication protocol, such as a near-field-communication standard or specification (from the NFC Forum of Wakefield, Mass.)).
Regarding claim 4, Khan and Christopher disclose the method of claim 3, 
Christopher further discloses further comprising, after the one or more second processors of the second client device receives the second communication, requesting, by  (Christopher par. 0074. Christopher teaches that once the secure and dedicated communication channel 512 has been established, the smart assistant device 503 transmits, to the mobile device 505, the digital voice ID of the user 501 (as determined by the smart assistant device 503), an identification code or other identifying indicia for the smart assistant device. See also par. 0073).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of establishing, a secure channel between the first client device and the second client device of Khan using the method of verifying the user identity and the device ID taught in Christopher in order to establish a secure communication channel to transmit data (Christopher par. 0076 and 0078).7
Regarding claim 5, Khan and Christopher disclose the method of claim 1, 
Khan further discloses wherein the user identification input is an existing verification of user identity for the first client device (Khan Col.5; lines 23-29. Khan teaches that a processor in electronic device 110 provides an identifier of a user of electronic device 110 (such as a username, a password and/or a biometric identifier) to electronic device 114 (such as a server associated with a provider of electronic device 110 and, more generally, hardware under the control of and/or otherwise performing actions on behalf of the provider of electronic device 110)).
Regarding claim 6, Khan and Christopher disclose the method of claim 1, 
 (Khan Col.7; lines 5-10. Khan teaches that processing subsystem include a secure enclave processor 220 (which is a system-on-chip within one or more processors in processing subsystem 210) that performs security services for other components in the processing subsystem 210 and that securely communicates with other subsystems in electronic device).
Regarding claim 7, Khan and Christopher disclose the method of claim 1, 
Khan further discloses wherein the certification from the authentication server indicates that the invoked identifier is associated with a known client device in a database of the authentication server (Khan Col. 14; lines 23-29; lines 34-40 and Fig 6. Khan teaches that electronic device 112 may request the secure-element identifier (SEID) from secure element 230 in electronic device 110. After validating the certification (e.g., using information about the provider, such as the certificate, available to electronic device 112), electronic device 112 may provide the challenge to secure element 230. Using the challenge and the secure-element identifier, secure element 230 may access the controlling authority security domain to obtain the encryption key, and may generate the digital signature).
Regarding claim 8, Khan and Christopher disclose the method of claim 1, 
Khan further discloses further comprising receiving, by the one or more first processors, the certification for the second client device (Khan Col. 16; lines 9-21. Khan teaches that secure enclave processor 220 may provide certification information (such as the secure-element identifier, the optional certificate, the digital signature and the sign-in token) to electronic device 112, which certifies that secure element 230 is valid using information available to electronic device 112 (such as the optional certificate and the private encryption key associated with the provider of secure element 230). In some embodiments, electronic device 112 communicates with electronic device 114 to confirm that the sign-in token is valid, e.g., using the unencrypted version of the sign-in token that is provided to electronic device 112 by secure enclave processor 220).
Regarding claim 9, Khan and Christopher disclose the method of claim 1, 
Khan further discloses further comprising, receiving, by the one or more first processors, a selection of the account for the secure credential transfer (Khan Col. 9; lines 59-66. Khan teaches that the user may use passbook 248 to select or activate one or more of payment applets 236 (such as payment applets 236-1 and 236-4). If payment applet 236-1 supports the authentication-complete flag (as indicated by the enabling or setting of authentication support in payment applet 236-1), in order for payment applet 236-1 to conduct a financial transaction with electronic device 112 (FIG. 1)).
Regarding claim 10, Khan and Christopher disclose the method of claim 1, 
Khan further discloses wherein invoking the identifier related to the security status of the second client device to the authentication server includes using the first client device as a proxy for invoking the identifier to the authentication server (Khan Col. 14; lines 23-29; Col. 16; lines 9-21and Fig 6. Khan teaches that electronic device 112 may request the secure-element identifier (SEID) from secure element 230 in electronic device 110. In response, secure element 230 may access the controlling authority security domain to obtain the secure-element identifier, and may provide the secure-element identifier to electronic device 112. In some embodiments, electronic device 112 communicates with electronic device 114 to confirm that the sign-in token is valid, e.g., using the unencrypted version of the sign-in token that is provided to electronic device 112 by secure enclave processor 220).
Regarding claim 11, Khan discloses a non-transitory, computer-readable medium configured to store instructions executable by one or more processors, the instructions, when executed, cause the one or more processors to perform a method (Khan Col.13; lines 8-18. Khan teaches electronic devices 112 (FIG. 1) and/or 114 (FIG. 1) may have the same or similar hardware (processors, memory, networking interfaces, etc.) and/or software to support the operations performed by these entities, as described further below with reference to FIGS. 4-8. In particular, these entities may include one or more computer systems with a processing subsystem that executes one or more program modules stored in a memory subsystem to perform the operations. See also claim 11) comprising: 
receiving, at a first client device (electronic device 114), user input (identification) to initiate a secure credential transfer to a second device (electronic device 110), the user input triggering a communication to be sent to a second client device (electronic device 110) (Khan Col. 13; lines 58-64 and Figs 1, 2 and 8. Khan teaches that receives, from a user, an identifier (such as a username, a password and/or a biometric identifier of the user); provides, to a third electronic device (such as electronic device 114 in FIG. 1), the identifier; receives, from the third electronic device, a sign-in token (such as a single sign-in token) that is based on the identifier; and provides, to the secure element, the sign-in token); 
(Khan Col. 10; lines 62-66 and Fig 2. Khan teaches that processing subsystem display, on a display subsystem 240, instructions to provide the identifier. Then, the user provide the identifier in the form of a username and/or a password entered using user-interface device);
receiving the user identification input (Khan Col. 10; lines 62-66 and Fig 2. Khan teaches that processing subsystem display, on a display subsystem 240, instructions to provide the identifier. Then, the user provide the identifier in the form of a username and/or a password entered using user-interface device); 
verifying device identity of the second client device by: determining, at the second client device, a security status of the second client device (certifying a secure element) from hardware of the second client device (secure element) (Khan Col. 13; lines 20-23 and Fig 4. Khan teaches that a flow diagram illustrating a method 400 for certifying a secure element, which may be performed by a processor in a secure element in an electronic device), 
invoking, from the second client device, an identifier (secure element identifier) related to the security status of the second client device to the authentication server (electronic device 112) (Khan Col. 14; lines 23-29 and Fig 6. Khan teaches that electronic device 112 may request the secure-element identifier (SEID) from secure element 230 in electronic device 110. In response, secure element 230 may access the controlling authority security domain to obtain the secure-element identifier, and may provide the secure-element identifier to electronic device 112), and 
(challenge) from the authentication server for the second client device based on the invoking identifier (Khan Col. 14; lines 34-40 and Fig 6. Khan teaches that after validating the certification (e.g., using information about the provider, such as the certificate, available to electronic device 112), electronic device 112 may provide the challenge to secure element 230. Using the challenge and the secure-element identifier, secure element 230 may access the controlling authority security domain to obtain the encryption key, and may generate the digital signature); 
receiving, from the authentication server, one or more tokens (Sing-in token) associated with an account for the secure credential transfer (Khan Col. 13; lines 58-66 and Figs 1, 2 and 8. Khan teaches that receives, from the third electronic device, a sign-in token (such as a single sign-in token) that is based on the identifier; and provides, to the secure element, the sign-in token); and 
after verifying the user identity at the first client device, establishing a channel between the first client device and the second client device for the secure credential transfer using the one or more tokens (Khan Col. 14; lines 54-67 and Col. 6; lines 9-15 and 26-31. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor. Secure element 230 may provide the digital signature and the sign-in token to electronic device 112. Electronic device 112 may provide the sign-in token to electronic device 114 to confirm that the sign-in token is valid. The wireless communication among electronic devices 110, 112 and/or 114 may involve the exchange of packets that include the certification information (such as the secure-element identifier, the identifier, the certificate, the challenge, the sign-in token, and/or the digital signature). These packets may be included in frames in one or more wireless channels. This can comprise transmitting frames on wireless channels to enable electronic devices to make initial contact, followed by exchanging subsequent data/management frames (such as connect requests to establish a connection), configuring security options).
Khan3KhanKhanKkk teaches 3 receiving, by one or more first processors at a first client device user input; receiving, by the one or more second processors, one or more tokens and establishing a secure channel (Khan Col. 13; lines 58-66). However; Khan does not explicitly teach in response to receiving the user input: transmitting, by the one or more first processors, a first communication to an authentication server; transmitting, by the one or more first processors, a second communication to the a second client device and after verifying the user identity and the device identity, establishing, using the one or more first processors and the one or more second processors, a secure channel between the first client device and the second client device for the secure credential transfer using the one or more tokens. 
However, in an analogous field, Christopher teaches in response to receiving the user input: transmitting, by the one or more first processors, a first communication to an authentication server (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); pages 4 and 5; Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called); and 
(Christopher: pages 6 and 7; Fig.3 (WebSEAL AND Extended LDAP high-level workflow); the OTP generator is used to generate a random one-time pass-code and send the generated random one-time pass-code to SMS gateway. The SMS gateway sends the one-time pass-code to the mobile network).
14after verifying the user identity after verifying the user identity at the first client device and the device identity of the second client device (CDAS code retrieves the contact number of the user authenticated from LDAP), establishing, using the one or more first processors and the one or more second processors, a secure channel between the first client device and the second client (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function) device for the secure credential transfer using the one or more tokens (Token Authentication) (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and (CDAS interface); WebSEAL with Token Authentication configured: This requires a token CDAS to be written that handles the two-factor authentication. Sections that follow outline the mechanism for building a token CDAS to support two-phased authentication. The CDAS interface provided by TAM web components allow for authentication and mapping of users to third-party authentication providers. There are a number of interfaces available to the customer within this documented API. These include: Token Authentication: This allows for implementation of code that will support token authentication systems; pages 4-5 and 7 (4); Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4 and 8. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called. CDAS code retrieves the contact number of the user authenticated from LDAP and generates a one-time passcode to be stored within the CDAS cache. CDAS code compares the token with that stored within the cache for the user. (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function)) 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Khan with the method and system of Christopher, wherein receiving the user input and uses the same value (shared secret) to calculate and verify the OTP to provide users with a means for two factor authentication (Christopher abstract).
Regarding claims 13-18; claims 13-18 are directed to a non-transitory computer readable medium associated with the method claimed in claims 3 and 6-10 respectively. Claims 13-18 are similar in scope to claims 3 and 6-10 and respectively, and are therefore rejected under similar rationale respectively.
Regarding claim 19, Khan discloses an authentication server comprising: a memory storing a database of device identity information for a plurality of devices that have a verified security status (certificate) (Khan Col.16; lines 12-17. Khan teaches that information available to electronic device 112 (such as the optional certificate and the private encryption key associated with the provider of secure element. See also Col. 13; lines 20-23 and Fig 4); and 
(Khan Col.13; lines 8-18. Khan teaches electronic devices 112 (FIG. 1) and/or 114 (FIG. 1) may have the same or similar hardware (processors, memory, networking interfaces, etc.) and/or software to support the operations performed by these entities) being configured to: 
receive a communication from a first computing device (electronic device 114) related to initiating a secure credential transfer (Khan Col. 14; lines 54-67 and Figs. 7 and 8. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor); 
receive a validation request (certification information) from a second computing device (electronic device 110), the validation request including a challenge communication (Khan Col.16; lines 9-12 and Figs. 2, 7 and 8. Khan teaches that secure enclave processor 220 may provide certification information (such as the secure-element identifier, the optional certificate, the digital signature and the sign-in token) to electronic device 112) carrying:
information related to a user identity verification (Khan Col. 13; lines 58-64 and Figs 1, 2 and 8. Khan teaches that receives, from a user, an identifier (such as a username, a password and/or a biometric identifier of the user); provides, to a third electronic device (such as electronic device 114 in FIG. 1), the identifier; receives, from the third electronic device, a sign-in token (such as a single sign-in token) that is based on the identifier; and provides, to the secure element, the sign-in token), 
(identifier) from a previous challenge communication (Khan Col. 14; lines 23-29 and Fig 6. Khan teaches that electronic device 112 may request the secure-element identifier (SEID) from secure element 230 in electronic device 110. In response, secure element 230 may access the controlling authority security domain to obtain the secure-element identifier, and may provide the secure-element identifier to electronic device 112), and 
a signature (digital signature) from the second computing device including a second identifier (certificate) related to a security status of the second computing device (Khan Col. 14; lines 37-44. Khan teaches that using the challenge and the secure-element identifier, secure element 230 may access the controlling authority security domain to obtain the encryption key, and may generate the digital signature. In particular, secure element 230 may sign the secure-element identifier and the challenge using a secure hash technique and the encryption key. Next, secure element 230 may provide the digital signature to electronic device 112), and 
verifying that the first identifier matches the second identifier (Khan Col. 14; lines 43-48. Khan teaches that secure element 230 may provide the digital signature to electronic device 112, which subsequently verifies the digital signature, e.g., using the secure-element identifier, the challenge and the encryption key (which is available to electronic device 112), and
provide one or more tokens (sign-in-token) to the first computing device and the second computing device to establish a channel for the secure credential transfer to the second computing device (Khan Col. 14; lines 54-67 and Col. 6; lines 9-15 and 26-31. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor. Secure element 230 may provide the digital signature and the sign-in token to electronic device 112. Electronic device 112 may provide the sign-in token to electronic device 114 to confirm that the sign-in token is valid. The wireless communication among electronic devices 110, 112 and/or 114 may involve the exchange of packets that include the certification information (such as the secure-element identifier, the identifier, the certificate, the challenge, the sign-in token, and/or the digital signature). These packets may be included in frames in one or more wireless channels. This can comprise transmitting frames on wireless channels to enable electronic devices to make initial contact, followed by exchanging subsequent data/management frames (such as connect requests to establish a connection), configuring security options). 
Khan3KhanKhanKkk teaches 3 receiving, by one or more first processors at a first client device user input; receiving, by the one or more second processors, one or more tokens and establishing a secure channel (Khan Col.13; lines 58-66); however, Khan does not explicitly teach perform a verification of the validation request including: verifying that the information related to the user identity verification is from the first computing device and verifying that the second identifier matches a device in the database of device identity information. 
However, in an analogous field, Christopher teaches wherein perform a verification of the validation request including: verifying that the information related to the user identity verification is from the first computing device (CDAS code retrieves the contact number of the user authenticated from LDAP and generates a one-time passcode to be stored within the CDAS cache. CDAS code compares the token with that stored within the cache for the user. (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function)); and 
verifying that the second identifier matches a device in the database of device identity information stored in the memory (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and (CDAS interface); CDAS code retrieves the contact number of the user authenticated from LDAP and generates a one-time passcode to be stored within the CDAS cache. CDAS code compares the token with that stored within the cache for the user. (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function)). 
establishing a secure channel between the first client device and the second client device for the secure credential transfer using the one or more tokens (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and (CDAS interface); WebSEAL with Token Authentication configured: This requires a token CDAS to be written that handles the two-factor authentication. Sections that follow outline the mechanism for building a token CDAS to support two-phased authentication. The CDAS interface provided by TAM web components allow for authentication and mapping of users to third-party authentication providers. There are a number of interfaces available to the customer within this documented API. These include: Token Authentication: This allows for implementation of code that will support token authentication systems; pages 4-5 and 7 (4); Fig.2 (WebSEAL AND Extended LDAP high-level workflow); 1-4 and 8. Christopher teaches that user requests a protected web resource via WebSEAL (let's assume index.html). WebSEAL determines if the user needs to be authenticated and sends a custom login form. WebSEAL's token CDAS interface is called. CDAS code retrieves the contact number of the user authenticated from LDAP and generates a one-time passcode to be stored within the CDAS cache. CDAS code compares the token with that stored within the cache for the user. (When the OTP generator starts up, it retrieves the shared secret PIN from the LDAP server over a secure tunnel with the built-in LDAP query function)). 
 Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Khan with the method and system of Christopher, wherein receiving the user input and uses the same value (shared secret) to calculate and verify the OTP to provide users with a means for two factor authentication (Christopher abstract).
 Regarding claim 20, Khan and Christopher disclose the authentication server of claim 19, 
Khan further discloses wherein the one or more processors are configured to provide the one or more tokens by: providing a first token to the second computing device including a certification for the validation request (Khan Col.14; lines 54-67. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor. Secure element 230 may provide the digital signature and the sign-in token to electronic device 112. Electronic device 112 may provide the sign-in token to electronic device 114 to confirm that the sign-in token is valid); 
 (Khan Col. 9; lines 59-66. Khan teaches that the user may use passbook 248 to select or activate one or more of payment applets 236 (such as payment applets 236-1 and 236-4). If payment applet 236-1 supports the authentication-complete flag (as indicated by the enabling or setting of authentication support in payment applet 236-1), in order for payment applet 236-1 to conduct a financial transaction with electronic device 112 (FIG. 1));
-20-GOOGLE 3.OF-2701 [11001] providing a token for establishing a channel for the secure credential transfer to the second computing device (Khan Col. 14; lines 54-67 and Col. 6; lines 9-15 and 26-31. Khan teaches that electronic device 114 may provide the single sign-in token (SSO) to secure enclave processor. Secure element 230 may provide the digital signature and the sign-in token to electronic device 112. Electronic device 112 may provide the sign-in token to electronic device 114 to confirm that the sign-in token is valid. The wireless communication among electronic devices 110, 112 and/or 114 may involve the exchange of packets that include the certification information (such as the secure-element identifier, the identifier, the certificate, the challenge, the sign-in token, and/or the digital signature). These packets may be included in frames in one or more wireless channels. This can comprise transmitting frames on wireless channels to enable electronic devices to make initial contact, followed by exchanging subsequent data/management frames (such as connect requests to establish a connection), configuring security options).
receiving a signed token from the second computing device (Khan Col.15; lines 22-25. Khan teaches that a digital signature may include a signed version of the sign-in token and the secure-element identifier. Furthermore, the processor provides, to the second electronic device (such as electronic device 112 in FIG. 1)); 
(tokens) for the user account to the first computing device (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and 2. WebSEAL and External Authentication Server: This assumes that the external authentication server offers a service that will generate one-time authentication tokens for use in a two- phased authentication system).
Cristopher also teaches second and third token (tokens) (Christopher: page 3; Fig.1 (High-level component architecture); WebSEAL and external Authentication Server); 1 and 2. WebSEAL and External Authentication Server: This assumes that the external authentication server offers a service that will generate one-time authentication tokens for use in a two- phased authentication system).
 Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Khan with the method and system of Christopher, wherein receiving the user input and uses the same value (shared secret) to calculate and verify the OTP to provide users with a means for two factor authentication (Christopher abstract).
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Khan (US 9,918,226), in view of Cristopher Hockings hereinafter Christopher (Two-Factor Authentication Using Tivoli Access Manager WebSEAL) and further in view of Ratnakaram (US 2020/0175154).

Regarding claim 2, Khan and Christopher disclose the method of claim 1, 
Khan and Christopher failed to disclose but Ratnakaram discloses wherein the user input includes a tap input in an applet installed on the first client device (Ratnakaram par. 0088. Ratnakaram teaches that to initiate the transaction with the merchant, the user provides a payment card for the transaction to the merchant system, as shown in block 702. The user may also be prompted to provide, and subsequently provide, additional information associated with the payment card (or another financial instrument) that may enable the transaction to successfully process (e.g., a personal identification number, a zip code, an answer to a security question, or the like). The merchant system then reads the payment card to obtain the financial information of the user. See also par. 0027). 
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the method of establishing, a secure channel between the first client device and the second client device of Khan using the method of verifying the user identity and the device ID taught in Ratnakaram in order to establish a secure communication channel to transmit data (Ratnakaram par. 0076 and 0078)7.7
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907. The examiner can normally be reached M-F 8:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, FARID HOMAYOUNMEHR can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/SANCHIT K SARKER/Examiner, Art Unit 2495                                                                                                                                                                                                        

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495