DETAILED ACTION

Status of Claims

Claims 1-20 are currently pending and have been examined in this application.  This FINAL communication is in response to the amendment submitted on 10/13/21. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Response to Arguments


Applicant's arguments filed regarding the Double Patent Rejections have been fully considered but they are not persuasive. 

Issue #1

Applicant: While disagreeing with the grounds of the rejection, Applicant has, nevertheless, amended the claims to further prosecution and expedite issuance of a patent. Applicant submits that, as will be presented below in regards to the 35 U.S.C. § 102 rejections, the currently amended claims distinguish from the cited references. Accordingly, Applicant respectfully requests that the double patenting rejections be withdrawn.

Examiner:  The double patenting rejection is maintained and Examiner suggests the submission of a terminal disclaimer to obviate the rejection.

Applicant's arguments filed regarding 101 have been fully considered but they are not persuasive. 

Issue #1
Applicant:  Applicant submits that the instant claims do not recite a judicial exception to patent-eligible subject matter. For example, Applicant refers to Example 37 of the 2019 Revised Patent Subject Eligibility Guidance (2019 PEG). In the analysis of Example 37 claim 2, the 2019 PEG considers the following claim limitation: "determining the amount of use of each icon using a processor that tracks how much memory has been allocated to each application associated with each icon over a predetermined period of time." In the Step 2A Prong 1 analysis, the 2019 PEG provides that claim 2 "does not recite a mental process because the claim, under its broadest reasonable interpretation, does not cover performance in the mind but for the recitation of generic computer components":  For example, the "determining step" now requires action by a processor that cannot be practically applied in the mind. In particular, the claimed step of determining the amount of use of each icon by tracking how much memory has been allocated to each application associated with each icon over a predetermined period of time is not practically performed in the human mind, at least because it requires a processor accessing computer memory indicative of application usage.  2019 PEG, p. 3-4 (emphasis added).  Applicant submits that, like Example 37 Claim 2, the instant claims cannot practically be performed in the human mind. For example, amended claim 1 of the present application recites "in response to successfully verifying, by comparing submitted user credentials to recorded user credentials stored in a memory circuit, the identity of the user" and "sending, by the computer system to a computing device associated with the user, the plurality of authentication codes." In a similar fashion as described in the comments of Example 37 Claim 2, the claimed limitations cannot be practically performed in the human mind, at least because they require a processor accessing stored records in a computer memory as well as digital communication between a computer system and a user's computing device to transmit a plurality of codes. Accordingly, Applicant respectfully submits that the method recited in amended claim 1 is not simply a mental process and, as such, amended claim 1 does not recite a judicial exception”.

Examiner:   The claims are still directed to a Certain method of organizing human activity (fundamental economic practice or commercial or legal interaction) of authenticating a transaction option with a code. 

Issue #2

Applicant: Second, even if amended claims 1, 9, and 15 were to be found as judicial exceptions in prong 1 (which Applicant does not concede), Applicant submits that the claims are integrated into a practical application as applied to prong 2. In step 2A prong 2 of the 101 analysis of independent claims 1, 9, and 15, the Office Action asserts that the recited limitations do not integrate the judicial exceptions into a practical application. Office Action at pages 10-1 1. More specifically, the Office Action asserts that "The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than mere instructions to implement an abstract idea by adding the words 'apply it' (or an equivalent) with the judicial exception." Office Action at page 10. Amended claim 1 recites (emphasis added) "initiating a multi-factor authentication procedure to verify an identity of the user" and, in response to receiving a particular authorization code, "using the particular authentication code to validate that the user is authorized to complete the secure transaction" and "causing, based on the particular authentication code, a selection of the corresponding transaction option." Amended claim 1 describes use of a multi-factor authentication procedure that is not only used to validate an identity and authorization of a user to perform a secure transaction, but is also used to perform a selection of a particular transaction option that corresponds to the particular authorization code. Such a dual-use of the multi-factor authentication procedure may provide an additional benefit to the user. In addition to confirming the user's identity, the selection of the particular authorization 10 of 13 code initiates an associated transaction option that no longer has to be performed separately by the user after a successful authorization. Such benefits may encourage use of multi-factor authentication by users of the computer system, thereby increasing a level of security within the computer system. Since computer hacking can costs entities millions, or even billions of dollars, increasing a level of security of a computer system is a very significant benefit to the entities. 

Examiner:  The claims still do not go beyond generally linking to a particular technological environment relying on multi-factor authentication.  The use of multi-factor authentication whether before or during a transaction would have the same net effect for technological security.  It would appear that instituting the multi-factor authentication during the transaction would be solving a business problem rather than a technical problem (a business benefit rather than a technological benefit).  Furthermore, where are the said technical problem and technical solution described in the specification?  The rejection is maintained.


Applicant’s arguments with respect to 102/103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.




Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Issued Patent(s)

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-22 of U.S. Patent No. 9947011 (‘011) in view of Oberheide (US 20180255054), and further in view of at least the combination of references taught in the instant office action. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are taught by the intervening claims associated with patent (‘011).


Claim 1 (instant application).

‘011 teaches the following limitations: 


determining, by a computer system, that a plurality of transaction options is available for completing the secure transaction; 

(‘011 – [Claim 1])

generating...a plurality of authentication codes, each authentication code of the plurality corresponding to a respective one of the plurality of transaction options, 

(‘011 – [Claim 1])

sending, by the computer system to a computing device associated with the user, the plurality of authentication codes, and 

(‘011 – [Claim 1])

in response to receiving a particular authentication code of the plurality of authentication codes from the computing device: 

(‘011 – [Claim 1])

causing, based on the particular authentication code, a selection of the corresponding transaction option.

(‘011 – [Claim 1])


The remaining features of the claims in the instant application are not explicitly taught by related patent ‘011.  However, the remaining features are taught in view of Oberheide as discussed in the 103 rejection.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have modified the application (‘011) with Oberheide as taught in the 103 rejection in order to complete/validate trasnactions using multi-factor authentication [Oberheide – 0002, 0009] as well as the motivations for combining the features taught from the remaining prior art in combination with Oberheide as described in the 103 rejection.    


The other independent claims are rejected using similar rationale to the above mapping.  Claims dependent on the above are rejected using similar rationale by way of its dependency.



Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claims 1-20 of U.S. Patent No. 11100500 (‘500) in view of Kortina (US 9947011), and further in view of at least the combination of references taught in the instant office action. Although the claims at issue are not identical, they are not patentably distinct from the claims of the instant application are taught by the intervening claims associated with patent (‘500).


Claim 1 (instant application).

‘500 teaches the following limitations: 


determining, by a computer system, that a plurality of transaction options is available for completing the secure transaction; 

(‘500 – [Claim 1])

each authentication code of the plurality corresponding to a respective one of the plurality of transaction options, 

(‘500 – [Claim 1])

sending, by the computer system to a computing device associated with the user, the plurality of authentication codes, and 

(‘500 – [Claim 1])

in response to receiving a particular authentication code of the plurality of authentication codes from the computing device: 

(‘500 – [Claim 1])

causing, based on the particular authentication code, a selection of the corresponding transaction option.

(‘500 – [Claim 1])


The remaining features of the claims in the instant application are not explicitly taught by related patent ‘500.  However, the remaining features are taught in view of Kortina and the combination of references as discussed in the 103 rejection.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have to have modified the application (‘500) with Kortina and the combination of references taught in the 103 rejection with the motivation to generate a plurality of authentication codes, where each code comprises a token representing a respective payment option [Kortina – claims 1 & 3] as well as the motivations for combining the features taught from the remaining prior art in combination with Kortina as described in the 103 rejection.    

	
The other independent claims are rejected using similar rationale to the above mapping.  Claims dependent on the above are rejected using similar rationale by way of its dependency.


	Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The claims are either directed to a system or method, which is one of the statutory categories of invention.  (Step 1: YES).
The Examiner has identified method Claim 1 as the claim that represents the claimed invention for analysis and is similar to system Claims 11 & 15.  Claim 1 recites the limitations of (additional elements emphasized in bold and are considered to be parsed from the remaining abstract idea): 



in response to a request from a user to complete a secure transaction, initiating a multi-factor authentication procedure to verify an identity of the user; in response to successfully verifying, by comparing submitted user credentials to recorded user credentials stored in a memory circuit, the identity of the user, determining, by a computer system, that a plurality of transaction options is available for completing the secure transaction; generating, by the computer system as a part of the multi-factor authentication procedure, a plurality of authentication codes, each authentication code of the plurality corresponding to a respective one of the plurality of transaction options; sending, by the computer system to a computing device associated with the user, the plurality of authentication codes, and in response to receiving a particular authentication code of the plurality of authentication codes from the computing device:  using the particular authentication code to validate that the user is authorized to complete the secure transaction, and causing, based on the particular authentication code, a selection of the corresponding transaction option.



which is a process that, under its broadest reasonable interpretation, covers performance of the limitation(s) as a Certain method of organizing human activity (fundamental economic practice or commercial or legal interaction) of authenticating a transaction option with a code.  

If a claim limitation, under its broadest reasonable interpretation (BRI), covers performance of the limitation as a certain method of a fundamental economic practice or commercial or legal interaction, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  


Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims are abstract)
This judicial exception is not integrated into a practical application. Limitations that are not indicative of integration into a practical application include:  (1) Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea (MPEP 2106.05.f), (2) Adding insignificant extra-solution activity to the judicial exception (MPEP 2106.05.g), (3) Generally linking the use of the judicial exception to a particular technological environment or field of use (MPEP 2106.05.h).  The computer system, computing device multi-factor authentication, and memory circuit in Claim 1 are just using generic computer components (as well as the non-transitory CRM, computer system and multi-factor authentication of Claim 9 and memory, processor, device, device screen, computer system and multi-factor authentication of Claim 15).  The computer hardware is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts to no more than generally linking the use of the judicial exception to a particular technological environment or field of use.  Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore claims 1, 9 & 15 are directed to an abstract idea without a practical application.  (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and as an ordered combination, they do not add significantly more (also known as an “inventive concept”) to the exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computer hardware amounts to no more than no more than generally linking the use of the judicial exception to a particular technological environment or field of use.  Generally linking the use of the judicial exception to a particular technological environment or field of use with the use of generic computer components, cannot provide an inventive concept - rendering the claim patent ineligible. Thus claims 1, 9 & 15 are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)  
The dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for at least the reasons presented above.  The dependent claims do not include any additional elements (including Claim 5 – hashing algorithm – which is a computer tool used to implement the abstract idea, Claim 11 – computing device – which is a generic computer used to apply the abstract idea) that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination.  Therefore, the dependent claims are directed to an abstract idea.  Thus, the aforementioned claims are not patent-eligible.
 
	


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 15 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kortina (US 9947011) in view of Oberheide (US 20180255054).



Claim 1. 

Kortina teaches the following limitations: 


determining, by a computer system, that a plurality of transaction options is available for completing the secure transaction; 

(Kortina - [col 4 ln 25-33] receiving…a request for registered payment options associated with a user computing device…identifying…one or more payment options associated with the device identifier, where each of the one or more payment options is associated with respective payment instrument  [col 5 ln 18-25] Identifying the one or more payment options may include identifying that none of the one or more payment options is associated with the retail entity identifier. The method may further include, prior to providing the one or more codes, requesting authorization to associate the one or more payment options with the retail entity identifier, and receiving authorization to associate the one or more payment options with the retail entity identifier. [col 8 ln 4-12] upon receipt of the device identifier 128, attempts to identify one or more stored (e.g., registered) cards using a card identification engine 116. For example, the card identification engine 116 may match the device identifier 128 to device identifiers 124 


generating, by the computer system as a part of the [multi-factor] authentication procedure, a plurality of authentication codes, 

(Kortina – [col 15 ln 62-63] the codes are each unique tokens [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device) 


each authentication code of the plurality corresponding to a respective one of the plurality of transaction options, 

(Kortina - [col 15 ln 57-63] the payment gateway 506 attempts to identify payment instruments registered with the computing device (554). The payment gateway, in some implementations, provides codes associated with one or more registered payment options (556a) to the entity server 504...the codes are each unique tokens [claim 1])


sending, by the computer system to a computing device associated with the user, the plurality of authentication codes, and 

(Kortina – [col 16 ln 6-9] the entity server 504 may supply the codes for the one or more registered payment options to a payment software library portion of the entity application 502. [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device; providing, by the communications interface via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device)


in response to receiving a particular authentication code of the plurality of authentication codes from the computing device: 

(Kortina – [col 10 ln 54-55] a payment instrument selection and corresponding authentication value is received (218). [col 11 ln 1-2] In other implementations, no providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device; in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes displayed on the graphical user interface, determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument)


causing, based on the particular authentication code, a selection of the corresponding transaction option.

(Kortina – [col 11 ln 48-49] the confirmation information relates to successful completion of payment of the transaction. [claim 1] determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument; accessing, by a processor of the payment gateway, based upon the first code, payment instrument information associated with the payment option;  causing, by the processor of the payment gateway, the processing of the payment instrument information in relation to a transaction identified by the transaction information and receiving an indication of validation of the payment instrument;)


Kortina does not explicitly teach the following limitations, however Oberheide teaches:

in response to a request from a user to complete a secure transaction, initiating a multi-factor authentication procedure to verify an identity of the user, in response to successfully verifying, by comparing submitted user credentials to recorded user credentials stored in a memory circuit, the identity of the user, 

(Oberheide – [0009] remote access credentials [0010] The requested transaction is preferably initiated by the initiating agent through a client such as a website, application, or device (e.g., an ATM machine). For authentication, the initiator agent may be a legitimate party or a malicious party attempting to fraudulently impersonate the legitimate party. [0016] [claim 1] A method of multi-factor authentication of a digital transaction; at a third-party service provider receiving a transaction request from an initiator using an initiating user device distinct request comprising user authentication credentials for performing a first factor of authentication at the third-party service provider; authenticating the initiator based on the user authentication credentials; in response to a successful authentication of the initiator, transmitting an application programming interface (API) request to a multi-factor authentication API server of the remote authentication service, the API request comprising an authentication request and transaction request data associated with the transaction request to the remote authentication service; [Fig. 1] “Initiator is same as Authentic User”)


using the [particular authentication code] to validate that the user is authorized to complete the secure transaction, and 

(Oberheide – [0012] Authentication preferably includes validating the identity of at least one involved party relevant to a transaction. Authorization preferably includes validating authority or permission of an entity to execute a transaction. For authentication, the authority device preferably belongs to the authentic user for self-approval of transactions. [claim 1] registering a multifactor authentication account and registering a mobile user device of a user in association with the multi-factor authentication account on a remote authentication service for performing a second factor of authentication for the digital transaction... receiving, from the authentication service application, an authentication response to the authentication notification, the authentication response comprising data of the confirmation input or data of the denial input; returning, from the multi-factor authentication API server, an API response comprising authentication response data relating to the authentication response to the third-party service provider; completing the digital transaction or denying the digital transaction based on the authentication response data;)

Examiner Note: While Oberheide discusses an authentication response, the authentication response containing a particular code is substitutable with Kortina.



It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Oberheide in order to complete/validate transactions using multi-factor authentication [Oberheide – 0002, 0009].




Claim 2. 


Kortina in combination with the references taught in Claim 1 teach those respective limitations.  Kortina further teaches:




sending, by the computer system, a message to the computing device associated with the user, the message including an indication of a corresponding transaction option for respective ones of the plurality of authentication codes.  

(Kortina – [col 6 ln 10-17] The instructions may cause the processor to prepare, for presentation to a user of the computing device within an entity application, a graphical user interface presenting the one or more payment options for selection. The instructions may cause the processor to, receive, responsive to presentation of the one or more payment options, an indication of selection of a first payment option of the one or more payment options. [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options...providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device;)

Examiner Note: Spec 0051 “Computing device 470a, receives indication 465, indicating that the user has initiated secure transaction 445, and activates application 435 causing application 435 to generate authentication codes 455a-455c, each corresponding to a respective one of transaction options 450a-450c... Computing device 470a causes authentication codes 455a-455c to be displayed on a screen of computing device 470a. As described above, each of authentication codes 455a-455c may be displayed with an indication of a corresponding one of transaction options 450a-450c.”


Claim 3. 

Kortina in combination with the references taught in Claim 1 teach those respective limitations.  Kortina further teaches:

causing the plurality of authentication codes to be displayed on the computing device; and receiving an indication of an entry of the particular authentication code from the user.  

(Kortina – [col 6 ln 10-17] The instructions may cause the processor to prepare, for presentation to a user of the computing device within an entity application, a graphical user interface presenting the one or more payment options for selection. The instructions may cause the processor to, receive, responsive to presentation of the one or more payment options, an indication of selection of a first payment option of the one or more payment options. [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device…in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes displayed on the graphical user interface, determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument;)



Claim 15. 

Kortina teaches the following limitations: 


a memory; and a processor configured to execute instructions stored in the memory, causing the processor to perform operations including: 

(Kortina – [claim 12] one or more hardware processors coupled to the non-transitory
memory and configured to read instructions from the non-transitory memory to cause the system to perform operations [col 17 ln 62-63 & col 18 ln 5-8] The computing device 700 includes a processor 702, a memory 704…The processor 702 can process instructions for execution within the computing device 700, including instructions stored in the memory 704 or on the storage device 706 to display graphical information for a GUI)




determining a plurality of transaction options is available for completing the secure transaction; 

(Kortina - [col 4 ln 25-33] receiving…a request for registered payment options associated with a user computing device…identifying…one or more payment options associated Identifying the one or more payment options may include identifying that none of the one or more payment options is associated with the retail entity identifier. The method may further include, prior to providing the one or more codes, requesting authorization to associate the one or more payment options with the retail entity identifier, and receiving authorization to associate the one or more payment options with the retail entity identifier. [col 8 ln 4-12] upon receipt of the device identifier 128, attempts to identify one or more stored (e.g., registered) cards using a card identification engine 116. For example, the card identification engine 116 may match the device identifier 128 to device identifiers 124 stored within a payment gateway database 122. Each device identifier 124 within the payment gateway database 122, for example, may be associated with one or more card identifiers 126.)
Examiner Note:  successful verification of an identity occurs using a card identification engine to determine/identify transaction options (a plurality of payment cards) available to complete the transaction. 


generating, as a part of the [multi-factor] authentication procedure, a plurality of authentication codes corresponding to the plurality of transaction options; 

(Kortina – [col 15 ln 62-63] the codes are each unique tokens [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device) 


causing the plurality of authentication codes to be displayed on a screen of a device of the user; and 

(Kortina – [col 18 ln 5-10] The processor 702 can process instructions for execution within the computing device 700, including instructions stored in the memory 704 or on the storage device 706 to display graphical information for a GUI on an external input/output device, such as a display 716 coupled to the high-speed interface 708. [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device;)


Page 5 of 13in response to receiving an indication of an entry of a particular authentication code from the user: 

a payment instrument selection and corresponding authentication value is received (218). [col 11 ln 1-2] In other implementations, no authentication value is required.  For example, if the method 200 is being performed on a single user device, the user may not be required to authenticate the selection of the payment instrument. [col 16 ln 4-6 & 19-24] the entity server 504 forwards the codes for the one or more registered payment options (556b) to the entity application 502... the payment software library portion of the entity application 502 presents a payment option selection dialogue (558). The payment option selection dialogue, for example, may include controls associated with each of the payment options identified by the payment gateway 506 [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device; in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes displayed on the graphical user interface, determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument)



sending the particular authentication code to a server computer system to 

(Kortina – [col 11 ln 1-5] In other implementations, no authentication value is required. For example, if the method 200 is being performed on a single user device, the user may not be required to authenticate the selection of the payment instrument. [col 16 ln 26-29] the entity application 502 transmits (560) the code associated with the selected payment method and an authentication value to the payment gateway 506.)


cause the server computer system to complete the secure transaction using a particular transaction option that corresponds to the particular authentication code.

(Kortina – [col 11 ln 48-49] the confirmation information relates to successful completion of payment of the transaction. [claim 1] determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument; causing, by the processor of the payment gateway, the processing of the payment instrument information in relation to a transaction identified by the transaction information and receiving an indication of validation of the payment instrument;)



Kortina does not explicitly teach the following limitations, however Oberheide teaches:


in response to receiving, from a user, a request to perform a secure transaction, verifying an identity of the user using a multi-factor authentication procedure, in response to successfully verifying, in a first step of the multi-factor authentication procedure, the identity of the user,

(Oberheide – [0010] The requested transaction is preferably initiated by the initiating agent through a client such as a website, application, or device (e.g., an ATM machine). For authentication, the initiator agent may be a legitimate party or a malicious party attempting to fraudulently impersonate the legitimate party. [claim 1] A method of multi-factor authentication of a digital transaction...receiving a transaction request from an initiator using an initiating user device distinct from the registered mobile device for initiating the digital transaction, the transaction request comprising user authentication credentials for performing a first factor of authentication at the third-party service provider; authenticating the initiator based on the user authentication credentials; in response to a successful authentication of the initiator, transmitting an application programming interface (API) request to a multi-factor authentication API server of the remote authentication service, the API request comprising an authentication request and transaction request data associated with the transaction request to the remote authentication service; [Fig. 1] “Initiator is same as Authentic User”)

Examiner Note: First factor corresponds to the first step of the multi-factor authentication.



using the [particular authentication code] to validate, in a second step of the multi-factor authentication procedure, that the user is authorized to complete the secure transaction; and 


(Oberheide – [0012] Authentication preferably includes validating the identity of at least one involved party relevant to a transaction. Authorization preferably includes validating authority or permission of an entity to execute a transaction. For authentication, the authority device preferably belongs to the authentic user for self-approval of transactions. [claim 1] registering a multifactor authentication account and registering a mobile user device of a user in association with the multi-factor authentication account on a remote authentication service for performing a second factor of authentication for the digital transaction... receiving, from the authentication service application, an authentication response to the authentication notification, the authentication response comprising data of the confirmation input or data of the denial input; returning, from the multi-factor authentication API server, an API response comprising authentication response data relating to the authentication response to the completing the digital transaction or denying the digital transaction based on the authentication response data;)

Examiner Note:  The simple substitution of one known element, “authentication response data” with a “particular authentication code”, produces a predictable result of authentication data being used to validate the identity/authenticate a user.


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Oberheide in order to complete/validate transactions using multi-factor authentication [Oberheide – 0002, 0009].


Claim 20. 

Kortina teaches the respective limitations of Claim 15.  Kortina further teaches: 


wherein receiving the request to perform the secure transaction includes receiving, from the server computer system, an indication that the user has initiated the secure transaction.  

(Kortina – [abstract] receiving a request for registered payment options associated with a user computing device…identifying one or more payment options associated with the device identifier, where each of the one or more payment options is associated with respective payment instrument information. [col 9 ln 40-47] once a user has registered one or more payment instruments with the payment gateway 104 via the mobile device 102, all applications configured to conduct transactions via the payment gateway 104 (e.g., all applications performing functionality supported by the payment software library 110) may present that user the opportunity to use those payment instruments which were previously registered via other retailer mobile applications. [col 10 ln 1-9] entering a payment dialogue (202) of a retail mobile application configured to enable electronic transactions via a payment gateway. The payment dialogue, for example, may include purchase information ( e.g., a list of items selected for purchase, a total funds owed, payment instrument information, etc.). The user may enter the payment dialogue, in some examples, from within a shopping cart review or upon selecting a control to make a purchase.)


Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Kortina (US 9947011) in view of Oberheide (US 20180255054), and further in view of Strand (US 10417634).


Claim 4. 

Kortina in combination with the references taught in Claim 1 teach those respective limitations.  Kortina further teaches:

transaction options within a respective one of the plurality of authentication codes.


(Kortina – [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device;) 



Kortina does not explicitly teach the following limitations, however Strand further teaches:


encoding, by the computer system, an identifier for each of the plurality of   

(Strand – [col 12 ln 11-14 & 18-19] the EKA and AA (account authorization) codes may be set by the supervising user as a simple password defined by…a keyword…the EKA and AA codes may be encrypted or use hashes from other values to generate the codes [col 13 ln 29-31] The AA code returned by the hash function are represent hash values, hash codes, hash sums, or simply hashes. [claim 8] at least part of the account authorization code is one of a color sequence, an alphanumeric sequence, or a keyword.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Strand in order to 


Claim 5. 

Kortina in combination with the references taught in Claim 4 teach those respective limitations.  Kortina further teaches:

	the plurality of transaction options

(Kortina – [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device;) 

Kortina does not explicitly teach the following limitations, however Strand further teaches:


wherein the identifier for each of [the plurality of transaction options] is a respective keyword, and wherein the encoding includes using a hashing algorithm on each of the respective keywords.  

(Strand – [col 12 ln 11-14 & 18-19] the EKA and AA (account authorization) codes may be set by the supervising user as a simple password defined by…a keyword…the EKA and AA codes may be encrypted or use hashes from other values to generate the codes [col 13 ln 29-31] The AA code returned by the hash function are represent hash values, hash codes, hash sums, or simply hashes. [claim 8] at least part of the account authorization code is one of a color sequence, an alphanumeric sequence, or a keyword.)


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Strand in order to establish authorization codes with a keyword identifier that can further be hashed using a hashing function [Strand – col 12 ln 11-19 & col 13 ln 29-31].




Claims 6-9, 11-12, 14 & 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kortina (US 9947011) in view of Oberheide (US 20180255054), and further in view of Mossoba (US 20190377864).



Claim 6. 

Kortina teaches the respective limitations of Claim 1.  Kortina does not explicitly teach the following limitations, however Mossoba further teaches:

generating, by the computer system, a trap authentication code, wherein receiving the trap authentication code from the computing device associated with the user causes the secure transaction to be denied.  


(Mossoba – [0016] the authentication platform may dynamically generate a plurality of codes, one of which corresponds to a correct authentication code to be used as a second factor for authentication of the user's identity. The remaining codes in the plurality of codes may serve as decoy codes, which will prevent access to the protected resource if presented to the authentication server as the second factor for authentication. [0017] the authentication platform may additionally store the plurality of codes for comparison to an incorrect authentication code received from the user device for use in detecting potential instances of fraud or malicious attempts at obtaining access to the protected resource. For example, if the incorrect authentication code corresponds to one of the decoy codes in the plurality of codes, then a provider of the protected resource may determine or infer that the user device receiving the codes may be compromised and, thus, require the use of an additional factor for authenticating the user's identity…further security actions may be implemented by the provider, such as, for example, locking the user out of an account to prevent access to the protected resource until a time at which the user's identity can be authenticated.)

Examiner Note: The decoy code corresponds to the trap authentication code.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].


Claim 7. 

Kortina teaches the respective limitations of Claim 1.  Kortina does not explicitly teach the following limitations, however Mossoba further teaches:

generating, by the computer system, a different plurality of authentication codes in response to determining that a particular amount of time has elapsed.  

(Mossoba – [0031] the codes dynamically generated by the authentication platform may expire after a predetermined amount of time to increase the security level associated with the multi-factor authentication technique or process being implemented by the authentication platform. [0041] the authentication platform may perform a declined action based on declining to authenticate the request from the first user device to access the protected device…the declined action may include affording the user an additional opportunity to identify a correct authentication code based on a newly generated set of codes. As a further example, the declined action may include locking the user out of an account associated with the protected device.)



It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].


Claim 8. 

Kortina teaches the respective limitations of Claim 7.  Kortina further teaches:

denying, by the computer system, the secure transaction in response to 

(Kortina – [col 11 ln 28-31] the user may be provided with a certain number of attempts ( e.g., 3, 5, etc.) to present valid authentication information prior to being denied access to the payment instrument for completing the transaction.)
	


Kortina does not explicitly teach the following limitations, however Mossoba further teaches:


determining that the particular amount of time has elapsed before the particular authentication code is received.

correct authentication code to be used as a second factor for authentication [0024] upon expiration of the specified time, the authentication platform would be instructed to perform multi-factor authentication [0031] the codes dynamically generated by the authentication platform may expire after a predetermined amount of time to increase the security level associated with the multi-factor authentication technique or process being implemented by the authentication platform. [0040] the authentication platform may receive, from the first user device, a response to the authentication request that includes a second code based on the request for the correct authentication code [0041] the authentication platform may perform a declined action based on declining to authenticate the request from the first user device to access the protected device... the declined action may include affording the user an additional opportunity to identify a correct authentication code... the declined action may include locking the user out of an account associated with the protected device. [0080] Process 400 may include additional implementations, such as any single implementation or any combination of implementations described below and/or in connection with one or more other processes described elsewhere herein. [claim 4] authenticating the user after the user is locked out of the account)

Examiner Note:  Before the second factor authentication or correct authentication code is submitted, the platform may determine time expiration of the codes which correspond with a particular amount of time elapsing.  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].




Claim 9. 

Kortina teaches the following limitations:



determining a plurality of transaction options is available for completing the secure transaction; 

(Kortina - [col 4 ln 25-33] receiving…a request for registered payment options associated with a user computing device…identifying…one or more payment options associated with the device identifier, where each of the one or more payment options is associated with respective payment instrument  [col 5 ln 18-25] Identifying the one or more payment options may include identifying that none of the one or more payment options is associated with the retail entity identifier. The method may further include, prior to providing the one or more codes, requesting authorization to associate the one or more payment options with the retail entity identifier, and receiving authorization to associate the one or more payment options with the retail entity identifier. [col 8 ln 4-12] upon receipt of the device identifier 128, attempts to identify one or more stored (e.g., registered) cards using a card identification engine 116. For example, the card identification engine 116 may match the device identifier 128 to device identifiers 124 stored within a payment gateway database 122. Each device identifier 124 within the payment gateway database 122, for example, may be associated with one or more card identifiers 126.)

Examiner Note:  successful verification of an identity occurs using a card identification engine to determine/identify transaction options (a plurality of payment cards) available to complete the transaction. 


wherein ones of the plurality of authentication codes correspond to respective ones of the plurality of transaction options, 

(Kortina - [col 15 ln 57-63] the payment gateway 506 attempts to identify payment instruments registered with the computing device (554). The payment gateway, in some implementations, provides codes associated with one or more registered payment options (556a) to the entity server 504...the codes are each unique tokens [claim 1])


in response to receiving a particular one of the authentication codes in an authentication response from the user via the client computer system: 

(Kortina – [col 10 ln 54-55] a payment instrument selection and corresponding authentication value is received (218). [col 11 ln 1-2] In other implementations, no authentication value is required.  For example, if the method 200 is being performed on a single user device, the user may not be required to authenticate the selection of the payment instrument. [col 16 ln 4-6 & 19-24] the entity server 504 forwards the codes for the one or more registered payment options (556b) to the entity application 502... the payment software library portion of the entity application 502 presents a payment option selection dialogue (558). The payment option selection dialogue, for example, may include controls associated with each of the payment options identified by the payment gateway 506 [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device; in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes displayed on the graphical user interface, determining a first code and transaction the first code identifies a payment option associated with a payment instrument)


determining that the [authentication response] corresponds to a particular transaction option of the plurality of transaction options; and 

(Kortina – [col 10 ln 54-55] a payment instrument selection and corresponding authentication value is received (218). [col 11 ln 1-2] In other implementations, no authentication value is required.  For example, if the method 200 is being performed on a single user device, the user may not be required to authenticate the selection of the payment instrument. [col 16 ln 4-6 & 19-24] the entity server 504 forwards the codes for the one or more registered payment options (556b) to the entity application 502... the payment software library portion of the entity application 502 presents a payment option selection dialogue (558). The payment option selection dialogue, for example, may include controls associated with each of the payment options identified by the payment gateway 506 [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device; in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes displayed on the graphical user interface, determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument)



completing, by the server computer system, the secure transaction using the particular transaction option.

(Kortina – [col 4 ln 52-54] receiving the first code may include receiving an authentication value associated with the first code. [col 11 ln 48-49] the confirmation information relates to successful completion of payment of the transaction. [claim 1] determining a first code and transaction information from the communication, wherein the first code identifies a payment option associated with a payment instrument; causing, by the processor of the payment gateway, the processing of the payment instrument information in relation to a transaction identified by the transaction information and receiving an indication of validation of the payment instrument;)



Kortina does not explicitly teach the following limitations, however Oberheide teaches:


in response to receiving, from a user of a client computer system, a request to perform a secure transaction, verifying an identity of the user using a multi-factor authentication procedure, in response to successfully verifying, in a first step of the multi-factor authentication procedure, the identity of the user, 

(Oberheide – [0010] The requested transaction is preferably initiated by the initiating agent through a client such as a website, application, or device (e.g., an ATM machine). For authentication, the initiator agent may be a legitimate party or a malicious party attempting to fraudulently impersonate the legitimate party. [claim 1] A method of multi-factor authentication of a digital transaction...receiving a transaction request from an initiator using an initiating user device distinct from the registered mobile device for initiating the digital transaction, the transaction request comprising user authentication credentials for performing a first factor of authentication at the third-party service provider; authenticating the initiator based on the user authentication credentials; in response to a successful authentication of the initiator, transmitting an application programming interface (API) request to a multi-factor authentication API server of the remote authentication service, the API request comprising an authentication request and transaction request data associated with the transaction request to the remote authentication service; [Fig. 1] “Initiator is same as Authentic User”)

Examiner Note: First factor corresponds to the first step of the multi-factor authentication.


using the [authentication response] to validate, in a second step of the multi-factor authentication procedure, that the user is authorized to complete the secure transaction, 

(Oberheide – [0012] Authentication preferably includes validating the identity of at least one involved party relevant to a transaction. Authorization preferably includes validating authority or permission of an entity to execute a transaction. For authentication, the authority device preferably belongs to the authentic user for self-approval of transactions. [claim 1] registering a multifactor authentication account and registering a mobile user device of a user in association with the multi-factor authentication account on a remote authentication service for performing a second factor of authentication for the digital transaction... receiving, from the authentication service application, an authentication response to the authentication notification, the authentication response comprising data of the confirmation input or data of the denial input; returning, from the multi-factor authentication API server, an API response comprising authentication response data relating to the authentication response to the third-party service provider; completing the digital transaction or denying the digital transaction based on the authentication response data;)

Examiner Note: While Oberheide discusses an authentication response, the authentication response containing a particular code is substitutable with Kortina.


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Oberheide in order to complete/validate transactions using multi-factor authentication [Oberheide – 0002, 0009].

Kortina does not explicitly teach the following limitations, however Mossoba teaches:


sending, by the server computer system to a computing device associated with the user, a plurality of authentication codes that are a part of the multi-factor authentication procedure, 

(Mossoba – [0043] some implementations described herein may increase the level of security associated with performing multi-factor authentication of a user's identity using an authentication code. For example, the level of security may increase by virtue of generating and sending a user a plurality of codes (e.g., one correct authentication code and multiple decoy codes)


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].


Claim 11. 

Kortina in combination with the references taught in Claim 9 teach those respective limitations.  Kortina further teaches:


wherein the operations further comprise sending an indication of a corresponding transaction option for respective ones of the plurality of authentication codes to the computing device associated with the user.  

(Kortina – [col 6 ln 10-17] The instructions may cause the processor to prepare, for presentation to a user of the computing device within an entity application, a graphical user interface presenting the one or more payment options for selection. The instructions may cause the processor to, receive, responsive to presentation of the one or more payment options, an indication of selection of a first payment option of the one or more payment options. [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options...providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device;)

Examiner Note: Spec 0051 “Computing device 470a, receives indication 465, indicating that the user has initiated secure transaction 445, and activates application 435 causing application 435 to generate authentication codes 455a-455c, each corresponding to a respective one of transaction options 450a-450c... Computing device 470a causes authentication codes 455a-455c to be displayed on a screen of computing device 470a. As described above, each of authentication codes 455a-455c may be displayed with an indication of a corresponding one of transaction options 450a-450c.”


Claim 12. 

Kortina teaches the respective limitations of Claim 9. Kortina does not explicitly teach the following limitations, however Mossoba teaches: 

generating a trap authentication code as one of the plurality of authentication codes, wherein receiving the trap authentication code from the computing device associated with the user causes the secure transaction to be denied. 


(Mossoba – [0016] the authentication platform may dynamically generate a plurality of codes, one of which corresponds to a correct authentication code to be used as a second factor for authentication of the user's identity. The remaining codes in the plurality of codes may serve as decoy codes, which will prevent access to the protected resource if presented to the authentication server as the second factor for authentication. [0017] the authentication platform may additionally store the plurality of codes for comparison to an incorrect authentication code received from the user device for use in detecting potential instances of fraud or malicious attempts at obtaining access to the protected resource. For example, if the incorrect authentication code corresponds to one of the decoy codes in the plurality of codes, then a provider of the protected resource may determine or infer that the user device receiving the codes may be compromised and, thus, require the use of an additional factor for authenticating the user's identity…further security actions may be implemented by the provider, such as, for example, locking the user out of an account to prevent access to the protected resource until a time at which the user's identity can be authenticated.)

Examiner Note: The decoy code corresponds to the trap authentication code.


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].




Claim 14. 

Kortina in combination with the references taught in Claim 9 teach those respective limitations.  Kortina further teaches:

wherein the operations further comprise identifying the plurality of transaction options from an account profile associated with the user.  

(Kortina – [col 10 ln 17-24] If the new payment instrument is to be stored for future use (210), in some implementations, registration of the new payment instrument is requested (212). In some implementations, upon entry, by the user, of payment instrument information the user is presented with the option to store the new payment instrument information with a third party entity, such as the payment gateway 104 described in relation to FIG. 1. [col 10 ln 40-44] If, rather than entering new payment instrument information, one or more payment instruments were found to be previously registered with the mobile device (204), in some implementations, the one or more registered payment instruments are presented as payment options to the user (216).)


Claim 17. 

Kortina teaches the respective limitations of Claim 15.  Kortina does not explicitly teach the following limitations, however Mossoba teaches: 


wherein the operations further include generating a trap authentication code that does not correspond to any of the plurality of transaction options, 

(Mossoba – [0016] the authentication platform may dynamically generate a plurality of codes, one of which corresponds to a correct authentication code to be used as a second factor for authentication of the user's identity. The remaining codes in the plurality of codes may serve as decoy codes, which will prevent access to the protected resource if presented to the authentication server as the second factor for authentication.)


wherein sending the trap authentication code to the server computer system causes the secure transaction to be denied.  

(Mossoba – [0017] the authentication platform may additionally store the plurality of codes for comparison to an incorrect authentication code received from the user device for use in detecting potential instances of fraud or malicious attempts at obtaining access to the protected resource. For example, if the incorrect authentication code corresponds to one of the decoy codes in the plurality of codes, then a provider of the protected resource may determine or infer that the user device receiving the codes may be compromised and, thus, require the use of an additional factor for authenticating the user's identity…further security actions may be implemented by the provider, such as, for example, locking the user out of an account to prevent access to the protected resource until a time at which the user's identity can be authenticated.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].


Claim 18. 

Kortina teaches the respective limitations of Claim 15.  Kortina does not explicitly teach the following limitations, however Mossoba teaches: 


wherein the operations further include, in response to determining that a particular amount of time has elapsed, causing the plurality of authentication codes to be cleared from the screen of the device of the user.  

codes dynamically generated by the authentication platform may expire after a predetermined amount of time to increase the security level associated with the multi-factor authentication technique or process being implemented by the authentication platform. [0041] the authentication platform may perform a declined action based on declining to authenticate the request from the first user device to access the protected device…the declined action may include affording the user an additional opportunity to identify a correct authentication code based on a newly generated set of codes.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].



Claim 19. 

Kortina in combination with the references taught in Claim 18 teach those respective limitations.  Kortina further teaches:


the plurality of transaction options; 

(Kortina – [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device;) 

causing the [different] plurality of authentication codes to be displayed on the screen of the device of the user.  

(Kortina – [col 6 ln 10-17] The instructions may cause the processor to prepare, for presentation to a user of the computing device within an entity application, a graphical user interface presenting the one or more payment options for selection. The instructions may cause the processor to, receive, responsive to presentation of the one or more payment options, an indication of selection of a first payment option of the one or more payment options. [claim 1] providing, by the communications interface of the payment gateway via the network, responsive to the request, the plurality of codes output through a graphical user interface of the user computing device…in response to receiving, by the communications interface of the payment gateway via the network, a communication from the mobile application that is responsive to the plurality of codes 


Kortina does not explicitly teach the following limitations, however Mossoba teaches: 

wherein the operations further include: in response to input from the user, generating a different plurality of authentication codes corresponding to [the plurality of transaction options]; and 

(Mossoba – [0041] the authentication platform may perform a declined action based on declining to authenticate the request from the first user device to access the protected device…the declined action may include affording the user an additional opportunity to identify a correct authentication code based on a newly generated set of codes. [0116] if the code was one of the incorrect decoy codes, then the user device receiving the codes may be compromised.)

Examiner Note: The input is established by selecting an incorrect code.


It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].




Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Kortina (US 9947011) in view of Oberheide (US 20180255054), and further in view of Strand (US 10417634).


Claim 16. 

Kortina in combination with the references taught in Claim 15 teach those respective limitations.  Kortina further teaches:

transaction options into the plurality of authentication codes.

(Kortina – [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device;) 


Kortina does not explicitly teach the following limitations, however Strand further teaches:


wherein the operations further include encoding an identifier for each of the plurality of 

(Strand – [col 12 ln 11-14 & 18-19] the EKA and AA (account authorization) codes may be set by the supervising user as a simple password defined by…a keyword…the EKA and AA codes may be encrypted or use hashes from other values to generate the codes [col 13 ln 20-22 & 29-31] transaction server 120 may calculate the AA code automatically and/or in response to receipt of a transaction request The AA code returned by the hash function are represent hash values, hash codes, hash sums, or simply hashes. [claim 8] at least part of the account authorization code is one of a color sequence, an alphanumeric sequence, or a keyword.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Strand in order to establish authorization codes with a keyword identifier that can further be hashed using a hashing function [Strand – col 12 ln 11-19 & col 13 ln 29-31].



Claims 10 & 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kortina (US 9947011) in view of Oberheide (US 20180255054), and further in view of Mossoba (US 20190377864), and further in view of Strand (US 10417634).


Claim 10. 

Kortina in combination with the references taught in Claim 9 teach those respective limitations.  Kortina further teaches:

transaction options into each of the plurality of authentication codes.

(Kortina – [claim 1] generating a plurality of codes, each code comprising a token representing a respective payment option of the registered payment options, the token uniquely identifying the respective payment option to an entity computing device of the retailer without providing payment information for the respective payment option to the entity computing device;) 


Kortina does not explicitly teach the following limitations, however Strand further teaches:


wherein the operations further comprise encoding, in response to the request, an identifier for each of the plurality of 

(Strand – [col 12 ln 11-14 & 18-19] the EKA and AA (account authorization) codes may be set by the supervising user as a simple password defined by…a keyword…the EKA and AA codes may be encrypted or use hashes from other values to generate the codes [col 13 ln 20-22 & 29-31] transaction server 120 may calculate the AA code automatically and/or in response to receipt of a transaction request The AA code returned by the hash function are represent hash values, hash codes, hash sums, or simply hashes. [claim 8] at least part of the account authorization code is one of a color sequence, an alphanumeric sequence, or a keyword.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Strand in order to establish authorization codes with a keyword identifier that can further be hashed using a hashing function [Strand – col 12 ln 11-19 & col 13 ln 29-31].


Claim 13. 

Kortina in combination with the references taught in Claim 10 teach those respective limitations.  Kortina further teaches:


wherein the operations further comprise: receiving, from the user, a different request to perform a secure transaction for which the plurality of transaction options is available; 

(Kortina – [col 2 ln 23-28] an intermediary party provides an online retailer with a software library for building a computing device application (e.g., mobile application) including a software library directed towards enabling electronic transactions via the intermediary party (e.g., payment gateway). [col 3 ln 31-34] the third party transaction support solution, in some implementations, includes migration of registered payment instruments between member merchants. [col 4 ln 25-33] receiving…a request for registered payment options associated with a user computing device…identifying…one or more payment options associated with the device identifier, where each of the one or more payment options is associated with respective payment instrument [col 5 ln 18-25] Identifying the one or more payment options may include identifying that none of the one or more payment options is associated with the retail entity identifier. The method may further include, prior to providing the one or more codes, requesting authorization to associate the one or more payment options with the retail entity identifier, and receiving authorization to associate the one or more payment options with the retail entity identifier. [col 9 ln 40-47])


Kortina does not explicitly teach the following limitations, however Mossoba teaches: 


determining that a particular amount of time has elapsed since generating the plurality of authentication codes; and 

(Mossoba – [0031] the codes dynamically generated by the authentication platform may expire after a predetermined amount of time to increase the security level associated with the multi-factor authentication technique or process being implemented by the authentication platform.)

in response to receiving a particular one of the plurality of authentication codes, denying the different request to [perform the secure transaction].  

(Mossoba – [0016] the authentication platform may dynamically generate a plurality of codes, one of which corresponds to a correct authentication code to be used as a second factor for authentication of the user's identity. The remaining codes in the plurality of codes may serve as decoy codes, which will prevent access to the protected resource if presented to the authentication server as the second factor for authentication. [0017] the authentication platform may additionally store the plurality of codes for comparison to an incorrect authentication code received from the user device for use in detecting potential instances of fraud or malicious attempts at 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kortina with Mossoba in order to dynamically generate and transmit multiple authentication codes, including decoy codes, to a user device using multi-factor authentication for accessing a protected resource [Mossoba – abstract, 0016].



Conclusion
The prior art made of record, and not relied upon, considered pertinent to applicant' s disclosure or directed to the state of art is listed on the enclosed PTO-892.  
The following is a brief description for relevant prior art that was cited but not applied:	

Hockey (US 20200106764) provides a system for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials.

Weiss (US 8234220) provides a method to allow a user to select any one of a plurality of accounts associated with the user to employ in a financial transaction.)

Alves (US 20200265423) provides an offline end-user token generator and method relating ot secure input into an online platform using the tokens. 


Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULMAJEED AZIZ whose telephone number is (571)270-5046. The examiner can normally be reached M-F 7-4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon can be reached on 571-270-3602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for 





/ABDULMAJEED AZIZ/Examiner, Art Unit 3695