DETAILED ACTION
	This is a Final Action on the merits.  The U.S. Patent and Trademark Office has received claims 1-18 in application number 16/428,530.  Claims 1-18 are pending and have been examined on the merits.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Remarks
	Regarding the rejection of claims 1-18 under 35 U.S.C. 101, Examiner finds the additional elements of the service provider computer, resource provider computer, client device, and supplemental device, implementing authentication using biometric data as that data is associated between several devices, to overcome the subject-matter eligibility rejection because the amended claims are sufficient under 2019 PEG Step 2A.2.
	Regarding the rejection of claims 1-18 under 35 U.S.C. 112(b), the amendments overcome the rejection.
	Regarding the rejections of claims 1-18 under 35 U.S.C. § 103 as obvious, Applicant argues with respect to the rejection of the independent claims 1 and 9 over ZHANG in view of CAO.  Applicant’s argument that the recitation to provisionally declined somehow distinguishes over the disclosure of transaction suspension in ZHANG is not found persuasive.  The modifier provisional is merely a term that addresses the state of whether a transaction is approved or 
	Applicant’s argument with respect to the priority date of the CAO reference is found unpersuasive because the provisional application 62/760,795 explicitly discloses the subject matter cited by Examiner; i.e. that an association is maintained between the user, the user device VID, and the VID server.  Applicant in contesting the priority of the CAO reference discusses only the first limitation of the independent claim in view of Examiner’s citation to ¶ 0074 of CAO.  Remarks at 17.  Applicant states that the closest support is ¶ 0024 of the Provisional Application. Id.  This ¶ 0024 does in fact depict elements of Fig. 1, as they appear cited to in the non-provisional application, and Examiner further points to ¶ 21 as describing the association between user and device. 
[0021] In the system 100, the VID 114 is disposed at a residence, office, etc. of the user 112 (not shown), whereby the VID 114 is generally accessible to the user 112, yet not mobile with the user 112. Other IoT devices, apart from a smart speaker, may be similarly employed as the VID 114 in the residence, office, etc., and also associated with the user 112 in the manner described herein. Conversely, in one or more other embodiments, the VID 114 may be mobile with the user 112. Regardless, through interactions with the user 112, and other users (not shown), potentially, the VID 114 is configured to generate additional information associated with the user 112 and the other users. The information generally includes details about the interactions between the user 112 and the VID 114 (and the other users). For example, a common pattern of asking for a specific radio station, speech patterns, speed of speech, pronunciation, accents, adding certain items to a grocery list, etc. may all be identified to the user 112 and stored as part of the additional information specific to the user 112, wireless network connected to the VID 114, or wireless devices on the same wireless network of the VID 114, etc.
[0024] As further shown in FIG. 1, the system includes a network-based authentication service 122 and a network-based voice recognition service 124, each of which is configured to communicate with other parts of system 100 through the network 110. The VID 114 is configured, by the application 126, to communicate with the services 122 and 124, as necessary and/or as described below. For example, during a setup and/or registration of the VID 114, the VID 
CAO Provisional at ¶ 0021 (at ¶ 0033 of non-provisional); CAO Provisional ¶ 0024 (compare to ¶ 0036 of non-provisional). These paragraphs support the description of the association between the user, VID, and VID server, as they appear in the non-provisional.  The fact that ¶ 0074 also mentions a “skill,” and that this “skill” is not explicitly mentioned in the provisional application, is not dispositive of the disclosure for which CAO is cited for.  Therefore Examiner maintains the cited ¶ 0074 of CAO as supported by the provisional application, and afforded the priority date of the provisional therein.

Examiner Note
	A typo in the Non-Final Rejection incorrectly listed Summerlin in the “Regarding” sentence introducing the prior art for claim 14.  The statement of rejection for claims 13 and 14 correctly stated ZHANG in view of CAO and further in view of MAHESHWARI as the basis of rejection.

Claim Rejections 35 U.S.C. 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Claims 1-7, 9-12, 15-18 are rejected under 35 U.S.C. § 103 over ZHANG (U.S Patent Application Publication 2015/0186892A1) in view of CAO (U.S Patent Application Publication 2020/2020/0153821) and further in view of SHAHIDZADEH (U.S. Patent No. US 11005839 B1.

Regarding independent claims 1 and 9. ZHANG—which like the present invention is directed to a method and system for reducing false declines of transactions by requiring a secondary authorization of the transaction —discloses (in italics):
(Claim 1) A method comprising:
[In order to address the problems stated in the back ground section, the embodiments of the present disclosure provide methods and systems for real-time verification of a transaction. (ZHANG 0005)]
(Claim 9) A service provider computer comprising: a processor; and a memory including instructions that, when executed with the processor, cause the service provider computer to, at least:

NOTE: Henceforth only the limitations of method claim 1 are presented; claim limitations are enumerated by decimal for clarity in any later citation.
1.1		maintaining, at a service provider, an association between one or more supplemental devices and a user device, the one or more supplemental devices configured to provide context data, wherein the context data includes at least biometric information associated with a user of the user device;
[For example, in response to selection of remote entry affordance 516-1, biometric information (e.g., voice input) associated with information items 512-1 is input via the user's mobile device (i.e., the second device) and checked by server system 108. (ZHANG 0096); Attention is now directed towards embodiments of user interfaces and associated processes that may be implemented on a respective client device 104 with one or more speakers 602 enabled to output sound, zero or more microphones 604 enabled to receive sound input, and a touchscreen 606 (sometimes also herein called a touch screen display) enabled to receive one or more contacts and display information (e.g., media content, webpages and/or user interfaces for an application). (ZHANG 0099); after detecting a security risk in step 704, the service server sends the voice verification request to the voice processing system. The Voice verification request instructs the Voice processing system to establish Voice communication with the user using the Voice contact information included in the Voice verification request. In an optional embodiment, the voice verification request further includes Verification content information (e.g., transaction amount, date of birth, security question, and so the Voice processing system to prompt the user to provide verification information that corresponds to the verification content information. In some embodiments, the Voice processing system establishes (708) voice communication with client device 104. In some embodiments, the Voice processing system establishes voice communication with client device 104 according to the Voice contact information included in the Voice verification request. (ZHANG 0112-13)]
1.2		 receiving, at the service provider, an authorization request message associated with a transaction using the user device with a resource provider;
[In some embodiments, the service server obtains (702) a service request submitted by a user at client device104. In some embodiments, the user uses a user terminal Such as a mobile phone, a personal computer, and a tablet computer to submit the service request to the service server through a payment/transaction application, a service Submission web page, an instant messaging client, a simple notification Service (SNS) client, or the like. In some embodiments, the service request includes a login request, a transaction request, a payment request, a session request, and the like, where the transaction request and the payment request may include payment information Such as a transaction order and a payment amount. (ZHANG 0108)]; See further ZHANG at 0103-104 (disclosing the user device as the “client device” with an “interface for the payment/transaction application,” such that the “user of client device 104 . . . is the administrator of the account used to initiate the transaction at the resource provider POS terminal).
Claim Interpretation: Claims 1 and 9 have been amended to include the clause using the user device with a resource provider.  The present application describes the resource provider as follows: 

Specification at 19.  Thus, ZHANG at 0103-0104 discloses using the user device with a resource provider, as cited above.
1.3		 determining, based on the authorization request message, a level of risk associated with the transaction;
[In some embodiments, the service server detects (704) a security risk in the service request. In some embodiments, in accordance with a preset risk assessment mechanism, the service server performs a risk assessment process on the service request. For example, the service server determines whether the payment amount of the service request exceeds a daily payment limit predetermined by the user, whether a previous login of the user to the service server had a security risk, whether the good or service corresponding to the service request has a security risk, or the like. (ZHANG 0109); If the service server determines that the service request has a security risk, the service server performs step 706. Additionally and/or optionally, in some embodiments, the service server further assigns a security risk level to the service request according to the preset risk assessment mechanism. For example, the security risks are classified into high, medium, and low risk levels. If the service request is assigned a high risk level, the service server rejects the service request. If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the 
(Claims 1 and 9 ) upon determining that the level of risk is greater than a threshold value: obtaining context data from the one or more supplemental devices that corresponds to a time of the transaction: 
1.4		determining that the level of risk is greater than a threshold value;
[In accordance with a determination that the security level for the transaction meets (1006) a predetermined criterion, the server system: instructs (1008) the first device to Suspend the transaction and to display a first interface on the first device indicating Suspension of the transaction and sends (1010) a confirmation request to a second device associated with the account to request voice verification for the transaction. In some embodiments, the transaction meets the predetermined criterion when the security risk assigned to the transaction by security determination module 224 is a high or medium level risk.  (ZHANG 0155)]
1.5		determining, at the service provider, that the transaction is provisionally declined based on the level of risk being greater than the threshold value;
ZHANG at 0155 (disclosing the “suspension of the transaction,” as the recited phrase provisionally declined).  Claim Interpretation: The phrase provisionally declined simply means that a transaction is declined and not yet approved.  The term provisional carries no patentable weight as a modifier that would somehow distinguish a declined transaction over a suspended one.
1.6	upon determining that the transaction is provisionally declined and before generating and transmitting an authorization response message declining the transaction: 
obtaining, from the one or more supplemental devices, the context data that corresponds to a time of the transaction;
ZHANG at 0155 (disclosing “the server system . . . sends (1010) a confirmation request to a second device associated with the account to request voice verification for the transaction.”).
1.7		 determining a degree to which the context data supports an authenticity of the user;
[In some embodiments, the service server performs (714) service processing on the service request according to the verification information from the user. In some embodiments, the service server verifies the obtained verification information by determining whether the verification information is the same as the related information corresponding to the service request (e.g., by comparison). (ZHANG 0117); alternatively and/or additionally, in some embodiments, the Verification information includes Voice information from the user. In this event, the service server performs voice recognition on the voice information to verify that the Voice signature in the Voice information matches a voice signature corresponding to the user of the account used to initiate the transaction. (ZHANG 0118); if the verification succeeds, the security risk is downgraded by one level; in other words, it is determined that the current service request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current service request has a higher risk. (ZHANG 0119]
1.8		 adjusting the level of risk based on the degree to which the context data supports the authenticity of the user;
[Further, in some embodiments, the service server adjusts the security risk level assessment of the current Service request according to the verification result. For example, 
1.9		approving the transaction if the adjusted level of risk is less than the threshold value;
[Further, in some embodiments, the service server adjusts the security risk level assessment of the current Service request according to the verification result. For example, if the verification succeeds, the security risk is downgraded by one level; in other words, it is determined that the current service request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current service request has a higher risk. (ZHANG 0119); Additionally and/or optionally, in some embodiments, the service server further assigns a security risk level to the service request according to the preset risk assessment mechanism… If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the service processing is successful. (ZHANG 0110)]
1.10		 generating the authorization response message indicating whether the transaction is approved or declined;
1.11		 and transmitting the authorization response message to the resource provider.  




Nevertheless, CAO — which like the present invention is directed to systems and methods facilitate authentication of users in connection with interactions by the users with voice interactive devices as ZHANG — specifically teaches (in italics):
1.1		maintaining, at a service provider, an association between one or more supplemental devices and a user device
[It should be understood that the user 112 is associated with an account for the skill 126 (i.e., a capability of VID 114), whereby a backend for the skill 126, such as, for example, the issuer 108, is permitted to identify the user 112. That is, the user 112 has registered for an account with the backend for the skill 126, such that the skill 126 is linked to the account (e.g., includes an account number, an email contact, a phone number, etc.). In addition, as described above, the user 112 is also associated with an account for the voice interactive device 114 (VID 114), whereby the VID server 128 associates the user 112 (and certain information about the user 112) with the VID 114. (CAO 0074)]
Examiner Note:  This passage, ¶ 0074 of CAO is cited for the premise that the service provider is maintaining an association between a user device and the one or more supplemental devices, as the supplemental devices as recited are disclosed by ZHANG, as detailed above.  The cited passage discloses this association.  The fact that ¶ 0074 also mentions a “skill,” and that this “skill” is not explicitly mentioned in the provisional application, is not dispositive of the disclosure which CAO is cited for.  This paragraph 0074 invokes elements of Fig. 1 and the 
	Thus, ZHANG shows it was known in the art before the effective filling date of the invention to operate a system and method for a two-step authentication including user biometric data authentication. Once a transaction is provisionally declined, the system in ZHANG obtains voice verification of the transaction for further authentication. The system is capable of obtaining the voice verification through a voice capture module (which includes one or more input devices, e.g., a microphone) to which a user can provide audio data. ZHANG discloses that it functions using the voice capture module that can collect voice information from the user for authenticating the user identity. CAO shows it was known to associate voice interactive device (VID) to a user (and certain information about the user). By going into more details regarding how the voice capture module is related to the user, CAO complements the voice capture module features of ZHANG. However, because ZHANG expressly discloses that the devices by which users input their voice data can be registered (e.g., “the user receives the notification on his registered device (e.g., a mobile phone associated with the account)…the user enters the required voice input using his registered device.” (ZHANG 0109)), and CAO teaches just a consequence of registration a device to a user account, that is, establishing an association between the device and the user, a person having ordinary skill in the art would have been able to combine the features of the two references using techniques known in the art and would have expected predictable results. In other words, the invention is ZHANG is expressly technically capable of being combined with CAO, they are simply not disclosed in a single reference. 

	However, the combination of ZHANG in view of CAO does not explicitly disclose: at (1.10) generating the authorization response message indicating whether the transaction is approved or declined; and at (1.11) transmitting the authorization response message to the resource provider.
	SHAHIDZADEH discloses the remaining limitations:
1.10		 generating the authorization response message indicating whether the transaction is approved or declined;
	[In the embodiment of FIG. 1, the Risk and Analytics Engine 108 includes a network interface 116 coupled to network 111 and a processor 118. The processor 118 may be configured to implement the policy engine 114 as well as a transaction module 120 configured to complete a transaction (or validation) based on a request as received from the user entity 102. The transaction module 120 may further provide automatic authorizations or rejections based on authorization policies. The processor 118 may also be configured to implement an information module 122 configured to transmit information to and receive information from the devices 104 or 106, such as authorization requests and responsive authorization approvals or rejections. Operation of the Risk and Analytics Engine 108 will be discussed in detail below. (SHAHIDZADEH at 6:47-67)].
1.11		 and transmitting the authorization response message to the resource provider.  

	SHAHIDZADEH is analogous art to ZHANG, CAO, and the present application, as the invention of SHAHIDZADEH involves, inter alia, “detection system and method 100 used in calculating individual transaction risk based on contextual factors such as user entity behavior, device, browser, and the network traffic and request for authentication by account owner when risk greater than allowed.” SHAHIDZADEH at 18:27-34/
	ZHANG discloses the steps of to operate a system and method for a two-step authentication including one or more voice input devices with user devices; CAO discloses it was known to associate voice interactive device (VID) to a user (and certain information about the user); and SHAHIDZADEH further discloses a server analogous to that of ZHANG that can generate authorization response messages for transaction approval and decline based on the threshold values for risk. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of ZHANG implementing the biometric association steps of CAO, to include the generated and transmitted authorization messages of SHAHIDZADEH.  This is because implementing the supplemental device association of CAO with the system of ZHANG, performing the authorization response steps of SHAHIDZADEH, can be performed to a predictable result the same alone as in combination.  Therefore independent claims 1 and 9 are rendered obvious by ZHANG in view of CAO and further in view of SHAHIDZADEH.

Regarding claim 2. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, CAO further teaches (in italics):
the degree to which the context data supports the authenticity of the user is weighted based on a type of supplemental device from which the context data was received. [For example, a risk score, for a given transaction, may be determined based on whether the specific transaction is a transaction commonly performed on the type of the VID 114 (e.g., a smart speaker, etc.) (CAO 0095]

Regarding claim 3. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, CAO further teaches (in italics):
at least one of the one or more supplemental devices is an Internet of Things (loT) device.
[For example, a voice interactive device (VID) (e.g., a smart speaker, a vehicle with a voice interface, or an internet of things (IoT) device with a voice interface, etc.), which receives the voice command for the interaction, may authenticate the user through a voice reference for the user (either directly on the VID, or through a network - based authentication service (e.g., a cloud service, etc.)). (CAO 0016)]

Regarding claim 4. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, ZHANG further teaches (in italics):
the context data comprises at least one of audio data, image data, biometric data, or user action data. [Alternatively, in some embodiments, the user pro vides the verification information to the Voice processing system by means of voice. (ZHANG 0115)]

Regarding claim 5. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, ZHANG further teaches (in italics):
the threshold value represents a level of risk that the service provider is willing to undertake. [For example, the security risks are classified into high, medium, and low risk levels. If the service request is assigned a high risk level, the service server rejects the service request. If the service request is assigned a low risk level, the service server performs the service request and returns a message indicating that the service processing is successful. If the service request is assigned a medium risk level, the service server performs step 706. (ZHANG 0110)]

Regarding claim 6. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, ZHANG further teaches (in italics):
the level of risk associated with the transaction is determined based at least in part on historical transaction data for the user. [In some embodiments, the service server detects (704) a security risk in the service request. In some embodiments, in accordance with a preset risk assessment mechanism, the service server performs a risk assessment process on the service request. For example, the service server determines whether the payment amount of the service request exceeds a daily payment limit predetermined by the user, whether a previous login of the user to the service server had a security risk, whether the good or service corresponding to the service request has a security risk, or the like. (ZHANG 0110)]

Regarding claim 7. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, CAO further teaches (in italics):
obtaining context data from the one or more supplemental devices comprises contacting one or more application servers associated with the one or more supplemental devices.
 [The VID 114 also includes a skill 126 (e.g., an application that runs on the VID 114, alone or in combination with potentially multiple applications; etc.) that configures the VID 114 to interact with the user 112 and / or a third party, as described herein. (CAO 0027); For example, the authentication service 122 and/or the voice recognition service 124 may be included in the VID 114 in one or more embodiments, or more likely, the payment network 106, in various embodiments, whereby the payment network 106 is configured to provide associated services in connection with authentication requests (in connection with an interaction with the VID 114), etc. The requests, then, may be received, when the authentication service 122 is integrated in the payment network 106, or not, for example, via the VID 114 (directly or via the VID server 128) (or the application 132 included in the communication device 130 or otherwise). (CAO 0036); as such, in response to the command, the VID 114 is configured, by the skill 126, to request that the VID server 128 authenticate the user 112. The request is associated with identifying information about the user 112, such as, for example, an account number of an account at the VID server 128 for the user 112 or other information specific to the user 112 and known to the VID server 128. In response, the VID server 128 is configured to identify the user 112, based on the account number, email address, device information, etc. included in the request and to request an authentication input from the user 112, at the communication device 130 (rather than at the VID 114) (e.g., via the application 132 , etc.).The communication device 130, in turn, is configured (e.g., generally, or by the application 132, etc.) to solicit an authentication input (e.g., a PIN, a passcode, an OTP, etc.) from the user 112 and to verify the authentication input once received. (CAO 0054-55)]

Regarding claim 10. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 9, CAO further teaches (in italics):
the instructions further cause the service provider computer to maintain an association between one or more additional supplemental devices and at least one resource provider [It should be appreciated that while the VID server 128 is illustrated as separate from the merchant 102, in one or more embodiments, the merchant 102 and the VID server 128 may be integrated at least in part (whereby the VID server 128 may be configured to facilitate purchases of products from the merchant 102, etc.). For example, the Alexa™ speaker by Amazon provides the Amazon™ online store through the Alexa™ speaker, whereby the backend for the Alexa™ speaker may then be both a backend, as described, and also a merchant, etc. (CAO 0028)]

Regarding claim 11. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 9, ZHANG further teaches (in italics):
obtain additional context data from at least one of the one or more additional supplemental devices, the at least one of the one or more additional supplemental devices comprising supplemental devices associated with a resource provider indicated in the authorization request message. [the service server sends (706) a voice verification request to the voice processing system. (ZHANG 0110); the voice verification request further includes Verification content information (e.g., transaction amount, date of birth, security question, and so on), which is used by the Voice processing system to prompt the user to provide verification information that corresponds to the verification content information. (ZHANG 0112)]
CAO further teaches (in italics):
obtain additional context data from at least one of the one or more additional supplemental devices, the at least one of the one or more additional supplemental devices comprising supplemental devices associated with a resource provider indicated in the authorization request message. [The VID 114 also includes a skill 126 (e.g., an application that runs on the VID 114, alone or in combination with potentially multiple applications; etc.) that configures the VID 114 to interact with the user 112 and/r a third party, as described herein… Other skills may be included at the VID 114, for example , and may be associated with other entities or capabilities, such as mobile telecommunication providers, utilities, other banking institutions, vehicles, smart home retailers, merchants, etc. (CAO 0028); Regardless of whether the authentication request (AReq) is from the merchant 102 or the VID server 128, the AReq includes the detail of the transaction or transfer, including, without limitation , an amount of the transaction/transfer , a date/time, a payment account credential (e.g., a token, etc.), merchant data (e.g., a name or ID of the merchant 102, a MCC for the merchant 102 , etc.), etc. (CAO 0094)]

Regarding claim 12. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 9, CAO further teaches (in italics):
the association between one or more supplemental devices and the user is established when the user enrolls the one or more supplemental devices with the service provider computer.
The VID server 128 is configured to maintain an account for the user 112, whereby interactions between the VID 114 and the user 112 may be associated with the user's account and/or based on information contained in the user's account, as described below. In general, the user 112 registers for the account with the VID server 128 through the VID 114, or through a communication device associated with the user 112 (e.g., communication device 130 via an application included therein, etc.), whereby the VID 114 and / or the VID server 128 is configured to solicit and receive information associated with the registration from the user 112, etc. The account may include (without limitation) a name, billing or account may include (without limitation) a name, billing or shipping addresses, a phone number, an email address, etc., for the user 112. (CAO 0028); For example, during a setup and/or registration of the VID 114 (e.g. , with the VID server 12 , etc.), the VID 114 is configured to solicit inputs from the user 112 to register the VID 114 to the user 112 and create an account associating and/or binding the user 112 and the VID 114. (CAO 0038)]

Regarding claim 15. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 9, ZHANG further teaches (in italics):
the degree to which the context data supports the authenticity of the user comprises a numeric value by which the level of risk should be adjusted. [Further, in some embodiments, the payment server adjusts the security risk level assessment of the current payment request according to the Verification result. For example, if the verification Succeeds, the security risk is downgraded by one level; in other words, it is determined that the current payment request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is  In some embodiments, the payment server sends (818) an online payment result to the first device. (ZHANG 0132)]

Regarding claim 16. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 15, ZHANG further teaches (in italics):
adjusting the level of risk by the degree to which the context data supports the authenticity of the user comprises subtracting the numeric value from the level of risk. [Further, in some embodiments, the payment server adjusts the security risk level assessment of the current payment request according to the Verification result. For example, if the verification Succeeds, the security risk is downgraded by one level; in other words, it is determined that the current payment request has a lower risk. If the verification fails, the security risk is upgraded by one level; in other words, it is determined that the current payment request has a higher risk. In some embodiments, the payment server sends (818) an online payment result to the first device. (ZHANG 0132)]

Regarding claim 17. ZHANG in view of CAO and further in view of SHAHIDZADEH teaches all the limitation of claim 1, ZHANG further teaches (in italics):
receiving, by a processor computer, an authorization request message comprising interaction data for an interaction between a user and a resource provider;
[A user submits (802) a payment request to a payment server through a first device (e.g., POS device 122). Specifically, the first user terminal in this embodiment is an Internet enabled device Such as a personal computer, a tablet computer, a Smart phone, or the like, which can Submit the payment request to the payment server through a payment/ transaction In some embodiments, the payment request includes payment information Such as a transaction identifier or order number and a payment amount. (ZHANG 0122); In an example usage scenario, when a user is standing in front of a POS device in a store, and after making a selection for remote entry of required verification information (e.g., as shown in FIG. 5A), the POS device displays the notification regarding Suspension of the transaction (e.g., as shown in FIG. 5B). (ZHANG 0106)]

initially determining, by the processor computer, that the interaction is uncharacteristic for the user;
[In some embodiments, the payment server detects (804) a security risk in the payment request. In some embodiments, in accordance with a preset risk assessment mechanism, the payment server performs a risk assessment process on the payment request. For example, the payment server determines whether the payment amount of the payment request exceeds a daily payment preset by the user, whether a previous login of the user to the payment server had a security risk, whether the good or service corresponding to the payment request has a security risk, or the like. (ZHANG 0123)]
obtaining, by the processor computer, further information regarding the user, the further information obtained using one or more sensors proximate to the user during the interaction; 
[In some embodiments, the payment server sends (806) a payment processing Suspension notification to the first device. As such, the payment server notifies the user that the payment request has a security risk and that the user needs to provide verification information, by means of voice communication with the Voice processing system, in order for the payment server to process the payment request. (ZHANG 0125); in some embodiments, the Voice processing system obtains (812), by means of the voice communication, the verification information from the user of the second device. (ZHANG 0128); in some embodiments, the voice processing system sends (814) the obtained verification information to the payment Server. (ZHANG 0130)]

evaluating, by the processor computer, the interaction using the further information; and 
[In some embodiments, the payment server processes (816) the payment request according to the verification information. In some embodiments, the payment server verifies the verification information by determining whether the Verification information matches stored information corresponding to the verification content information. (ZHANG 0131)]
generating, by the processor computer, an indication of approval of the interaction after evaluating the further information and initially determining that the interaction is uncharacteristic for the user.
[Once the server receives and verifies the voice input received from the registered device of the user, the server sends a confirmation to the POS device, and the POS device displays the notification indicating that the Voice verification has been completed, and the transaction has been processed (as shown in FIG.5C). The entire transaction process is completed within the same session at the POS device in real-time, while the user is waiting in front of the POS device. (ZHANG 0106)]

Regarding claim 18. ZHANG teaches all the limitation of claim 17, ZHANG further teaches (in italics):
the further information comprises context data obtained from one or more supplemental devices having the one or more sensors. [Alternatively, in some embodiments, the user provides the verification information to the Voice processing system by means of Voice. For example, the user reads the information related to the service request according to the prompt during the Voice communication. The Voice processing system obtains the Voice information which serves as the verification information, and returns the obtained voice information to the service server. Further optionally, the voice processing system prompts the user to read a sentence (e.g., the verification content information, or another piece of information such as “I am XX, and I confirm this payment”). The Voice processing system sends the whole piece of voice information to the service server as a service credential of this service request. (ZHANG 0129)]

Claim 8 is rejected under 35 U.S.C. § 103 over ZHANG in view of CAO, in view of SHAHIDZADEH and in further view of SUMMERLIN (US Patent Application Publication 2018/0082304 A1).

Regarding claim 8. The combination of ZHANG and CAO teaches all the limitations of claim 1. ZHANG teaches all the limitations of claims 1 and 7. However, the combination of ZHANG and CAO does not disclose remaining limitation of claim 8. 
italics):
providing login credentials to the one or more application servers to obtain the context data from the one or more application servers. [Using network access point 410, a user logs into an online environment, for example through a mobile app, requiring identity authentication. (SUMMERLIN 0088); During a logon process, system 400 prompts the user for user identification data, e. g., a username, and active authentication data, e. g., a password . At the same time, system 400 passively gathers one or more additional authentication data at network access point. This authentication data can include keystroke data (e.g., from the keyboard or touch panel), mouse motion data, facial images (e. g., from a webcam), voice recognition (e. g., from a microphone). This data is transmitted to authentication server 140 where it is processed to verify or deny the user’s identity as discussed previously. (SUMMERLIN 0089)]
SUMMERLIN is analogous art to ZHANG, CAO, and SHAHIDZADEH as the invention of SUMMERLIN involves “obtaining identification data indicative of a subject's identity; identifying the subject using a computer system based on the identification data; obtaining, using one or more sensors, a plurality of authentication data each separately indicative of the subject's identity, at least one of the authentication data being obtained passively; individually analyzing each one of the plurality of authentication data using the computer system; and validating or denying the subject's identity, using the computer system, based on the analysis of the authentication data.”  SUMMERLIN (Abstract).

The system of CAO also includes a VID (voice interactive device) server, by which is contacted prior to collecting data from users. SUMMERLIN is directed to system and methods for multifactor authentication. The system is capable of obtaining the identity data from activity the user engages in when they interact with a system via a terminal. SUMMERLIN shows it was known to requiring user to input logon credential before obtaining identity data. Because CAO expressly disclose that the users are registered with their corresponding input devices using their account credentials and all the input devices are associated with a server (“the account through which the user 112 is registered is associated with the merchant 102, for example, upon instruction by the user 112, whereby payment account credentials (e.g., provisioned to the merchant 102, provisioned to the VID 114, etc.) are accessible via the VID 114, or are stored in the VID 114 , to initiate purchase transactions through the merchant 102.” (CAO 0038)), using those account credentials to later access the input devices and server, as taught by SUMMERLIN, is a predictable and reasonable consequence. 
Therefore, a person having ordinary skill in the art would have been able to combine the features of these references using techniques known in the art and would have expected predictable results. In other words, the invention in the combination of ZHANG, CAO, and further in view of SHAHIDZADEH is expressly technically capable of being combined with SUMMERLIN, they are simply not disclosed in a single reference. 	


Claims 13-14 are rejected under 35 U.S.C. § 103 over the combination of ZHANG in view of CAO, in view of SHAHIDZADEH and in further view of MAHESHWARI (US Patent Application Publication 2018/0025356 A1).
Regarding claim 13. The combination of ZHANG and CAO teaches all the limitations of claim 9. However, the combination of ZHANG and CAO does not disclose remaining limitation of claim 13. 
Nonetheless, MAHESHWARI – which like the present invention is directed to a computer device for monitoring for fraudulent activity– specifically teaches (in italics):
the level of risk associated with the transaction is determined based at least in part on a resource provider associated with the transaction. [If the Fraud Engine 118 determines , at step 500 , that the authentication is associated with an in - App purchase , then the Fraud Engine 118 generates , at step 502 , the current location of the device 10 and determines, 504, if the current location falls within a set of secure locations. If so, then the Fraud Engine 118 increments, at step 506, the Confidence Level. (MAHESHWARI 0182); If the Fraud Engine 118 the user has previously made a successful purchase with the same merchant, then the Fraud Engine 118 increments, at step 510, the Confidence Level. Further, the Fraud Engine 118 checks, at 512, to determine if the repeat purchase was recently made. If so, then the Fraud Engine 118 increments, at step 514, the Confidence Level. (MAHESHWARI 0193); The Fraud Engine 118 checks, at step 516, to see if the site where the purchase is being made is suspicious. If found to be suspicious, then the Fraud Engine 118 decrements, at step 518, the Confidence Level. (MAHESHWARI 0200)]

MAHESHWARI is analogous art to ZHANG, CAO, and SHAHIDZADEH as the invention of MAHESHWARI involves “a computer device for monitoring for fraudulent activity, . . .  to perform the steps of: (i) receiving instructions to determine a confidence level; (ii) determining a confidence level by monitoring one or more of the following: sensor data; user behaviour; payment history; security level; connected devices; and location data; and [0031] (iii) returning said confidence level, wherein the confidence level represents a relative risk of fraudulent activity.” MAHESHWARI at [0020-32].
The combination of ZHANG and CAO shows it was known before the effective filing date of the invention to operate a system and method in which one or more input devices collects biometric data from users they are associated with, and the collected data is used for further authenticating the identity of the users, with the authentication response steps of SHAHIDZADEH.  The combined system allows a transaction made between a user and a resource provider (that is, a merchant, a vendor, etc.) to be preliminary authenticated based on historical data associated with the user. The system in CAO is capable of determining a risk score of each transaction based on whether the specific transaction is a transaction commonly 
Therefore, before the effective filing date of the invention it would have been obvious to a person having ordinary skill in the art to determine a level of risk of transaction as disclosed in ZHANG and CAO in combination with SHAHIDZADEH based on the resource provider using the criteria taught by MAHESHWARI, because the combination of these references is merely a combination of prior art elements according to known methods to yield predicable result.

Regarding claim 14. The combination of ZHANG, CAO, and SHAHIDZADEH in further view of MAHESHWARI teaches all the limitations of claims 9 and 13. MAHESHWARI further teaches (in italics):
the level of risk associated with the transaction is inversely correlated to a level of trustworthiness associated with the resource provider. [The Confidence Level is preferably a number which reflects the level of trust that should be associated with the procedure. (MAHESHWARI 0157)]

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFREY L LICITRA whose telephone number is (571)272-5340. The examiner can normally be reached 9:00AM-5:00PM M-F.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on 571-272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

J.L.L.
Examiner
Art Unit 3685



/STEVEN S KIM/Primary Examiner, Art Unit 3685