Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communications received on 5/29/2019. Claims 2-19 are pending. Claim 1 is cancelled.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 15 is rejected under 35 USC 103 as being unpatentable over US 10789957 to Tiwari, hereinafter Tiwari.
Regarding claim 15, Tiwari discloses:
A system for authenticating a user comprising: an authentication server configured to manage a user authentication session (Fig. 1, col. 5:1-18: server 108 provides one-time use tokens, verifies the one-time use token to authenticate the user, deletes invalid tokens); a smart speaker system in electronic communication with the authentication server, the smart speaker system configured to manage user data corresponding with the user authentication session (Fig. 1, home assistant 104, communicates with the server 108; col. 2:45-53: stores the ID of the mobile device used to request the token; col. 8:49-52: stores subscriber identity information); and a mobile device in wireless communication with the authentication server and the smart speaker system (Fig. 1: mobile device 102 communicates with server 108 and home assistant 104, receives and stores a one-time-use password), the mobile device configured to manage a password corresponding with the user authentication session (col. 4:49-62, col. 9:13-28, col. 9:43-56: receives and stores a single-use token from the server, provides it to the authentication server for authentication; although Tiwari does not explicitly teach passwords corresponding with the user authentication session, Tiwari discloses that the token is short-lived (col. 9:43-56) and that an invalid token results in rejecting establishing the session (col. 9:10-15); therefore it would have been obvious for the mobile device to manage multiple tokens for different registration/authentication sessions, i.e., receiving and storing/providing the one-time use tokens for authentication, i.e., managing multiple passwords over time, because it would allow potential valid tokens to be used for successful session authentication and establishment).

Claims 2-3, 8-12, 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Tiwari, in view of WO 2015/187533 to Certus, hereinafter Certus.
Regarding claim 2, Hall discloses:
A method for authenticating a user utilizing a smart speaker system, the method comprising (Fig. 1: home assistant 104, col. 8:9-10: integrated with speaker): requesting a user authentication session by issuing a voice command to a smart speaker by the user (col. 7:35-38: user orally speaks a request; col. 6:49-56: home assistant receives spoken registration information to send to server); playing a sonic one-time password (OTP) on the smart speaker received from an authentication server in response to the requesting the user authentication session (col. 4:55-56: prompt user to speak the one-time use security token via the microphone of the home assistant, the one-time use token previously received from the server (col. 2:52-54 or col. 4:49-53)); receiving the sonic OTP by a mobile device of the user (col. 4:49-53: mobile device retrieves the one-time use token; see also col. 6:57-61); transmitting the sonic OTP to the authentication server; and authorizing the user by the authentication server to execute a secure transaction using the smart speaker system (col. 5:19-47: server verifies the received one-time use token matches the one it sent previously, and sends notifications to perform transactions, e.g., payment transaction, using VPN connection (col. 6:31-45)).
Tiwari discloses the home assistant retrieves the one-time use token from the mobile device, parses it and sends it to the server (col. 9:29-42). Tiwari does not teach transmitting a decoded OTP decoded from the sonic OTP to the authentication server by the mobile device.
In an analogous art, Certus discloses a first mobile device in short range communications with a second device, and communicating over the Internet with servers including an authoritative server (Fig. 1, [0014]). The authoritative server provides a single-use authentication token to a first device ([0017]), using sonic transmission ([0026]). The first device encodes the single-use token, modulates it in a payload, and transmits it to the second device for demodulation and decoding, then transmission to the authoritative server; the authoritative server authenticates the single-use token ([0019][0035]). Therefore, Certus teaches transmitting a decoded OTP decoded from the sonic OTP to the authentication server by the mobile device ([0019]: the second device, interpreted as the mobile device, decodes the OTP and sends it to the server). It would have been obvious to a skilled artisan before the application was filed to have the mobile device decode the OTP from the sonic OTP and send it to the server for authentication as taught by Certus because it would allow using “existing microphones and speakers on personal communication devices” ([0026]), making the communication easier without requiring NFC-enabled devices.

Regarding claim 3, Tiwari in view of Certus discloses the method of claim 2, further comprising: in response to the requesting the user authentication session, generating an OTP by the authentication server (Tiwari (col. 2:52-54)); encoding the OTP into a sonic OTP by the authentication server; and sending the sonic OTP to the smart speaker system (Certus [0019][0026]).

Regarding claim 8, Tiwari in view of Certus discloses the method of claim 2, further comprising: in response to receiving the sonic OTP by the mobile device of the user, decoding the sonic OTP by a mobile application on the mobile device (Certus [0019], see motivation in claim 2).  

Regarding claim 9, Tiwari in view of Certus discloses the method of claim 2, wherein the authorizing the user by the authentication server comprises: determining whether a timeout is required; and if the timeout is required, terminating the user authentication session (Certus [0028]: single-use token must be used within one half second or less to ensure security against man in the middle attacks).  

Regarding claim 10, Tiwari in view of Certus discloses the method of claim 2, wherein the authorizing the user by the authentication server further comprises: determining whether the decoded OTP matches the OTP encoded by the authentication server (Certus [0023]); and if the decoded OTP and the OTP do not match, terminating the user authentication session (Certus [0024]).  

Regarding claim 11, Tiwari in view of Certus discloses the method of claim 9, wherein the timeout comprises a process window of less than approximately 0.5 seconds (Certus [0028]: single-use token must be used within one half second or less to ensure security against man in the middle attacks).  

Regarding claim 12, Tiwari in view of Certus discloses the method of claim 2, wherein the mobile device and the smart speaker are required to be located within close proximity (Tiwari col. 8:8-17).

Regarding claim 16, Tiwari discloses the system of claim 15, wherein the authentication server comprises: a one-time-password (OTP) generator for generating an OTP (col. 9:3-11) but does not teach an OTP encoder for generating a sonic OTP from the OTP.
In an analogous art, Certus discloses a method for conducting a transaction includes generating a single-use token by an authoritative server, encoding the single-use token using an error control code and transmitting to a client device ([0005]) in a 

Regarding claim 17, Tiwari in view of Certus discloses the system of claim 16, wherein the smart speaker system comprises: a smart speaker for receiving vocal commands from a user and for playing the sonic OTP; and a smart speaker server for handling electronic communication between the smart speaker and the authorization server (Tiwari, col. 4:55-56: prompt user to speak the one-time use security token via the microphone of the home assistant, the one-time use token previously received from the server (col. 2:52-54 or col. 4:49-53)).

Regarding claim 18, Tiwari in view of Certus discloses the system of claim 16, wherein the mobile device comprises: a mobile application for decoding the sonic OTP to a decoded OTP (Certus [0019][0035]. It would have been obvious to a skilled artisan before the application was filed to have the mobile device decode the OTP from the sonic OTP and send it to the server for authentication as taught by Certus because it would allow using “existing microphones and speakers on personal communication devices” ([0026]), making the communication easier without requiring NFC-enabled devices).

Regarding claim 19, Tiwari in view of Certus discloses the system of claim 18, wherein the authentication server further comprises: a password comparator for comparing the OTP with the decoded OTP (Certus [0023][0024]).

Claim 6 is rejected under 35 USC 103 as being unpatentable over Tiwari and Certus, in view of publication titled “my mouse-my music” by Conrad, 2010, 15 pages, hereinafter Conrad.
Regarding claim 6, Tiwari in view of Certus discloses the method of claim 3, but does not teach wherein the sonic OTP is an MP3 file.
Using sonic data as authentication data in MP3 format is well-known in the art, as attested by Conrad. Conrad discloses the sonic OTP is an MP3 file (p. 2: sonic events used as authentication data; p. 3: some pre-factored examples in mp3 format). It would have been obvious to a skilled artisan before the application was filed to implement the sonic OTP in an MP3 file as taught by Conrad, because mp3 is widely used in smart devices and would not require further testing.

Claim 7 is rejected under 35 USC 103 as being unpatentable over Tiwari and Certus, in view of publication titled “The research and implementation of the VPN gateway based on SSL” by Fei et al, 2013, pages 1376-1379, hereinafter Fei.
Regarding claim 7, Tiwari in view of Certus discloses the method of claim 3; additionally, Tiwari discloses using a VPN channel for communication with the server (Tiwari col. 6:31-61). Tiwari in view of Certus does not explicitly teach wherein the sending is accomplished over an SSL channel established by a mutual authentication of a plurality of SSL certificates. In an analogous art Fei discloses establishing VPN using .


Allowable Subject Matter
Claims 4-5, 13-14 are allowable over the prior art of record.
Tiwari alone or in combination with Certus or any other prior art of the record fails to teach: “wherein the sonic OTP encoding requires that each OTP bit is coded in a narrow band spread spectrum audio signal centered at a far end of a decodable audio spectrum”, as recited in claim 4. Therefore claim 4, and claim 5 dependent from claim 4 are found allowable.
Tiwari alone or in combination with Certus or any other prior art of the record fails to teach: “wherein close proximity is determined by comparing a GPS based location of the mobile device and an IP geo-location of the smart speaker”, as recited in claim 13. Therefore claim 13 is found allowable.
Tiwari alone or in combination with Certus or any other prior art of the record fails to teach: “registering a guest on the smart speaker, wherein the registering comprises: opening a user authentication server interface by the user; setting a plurality of guest conditions for the guest; and closing the user authentication server interface”, as recited in claim 14.
Claims 3-4, 13-14 are being objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Suzuki et al. 20140109211 disclose a device that generates an audio OTP, encodes it and sends it through a speaker to an authentication server, which reconstitutes the OTP and compares it with the received audio OTP.
Hubner et al. 20150089607 disclose a user attempting to log in to a website; the website authenticates a user ID and generates an OTP sent back to the user device.
Hall 20160080381 discloses an OTP request by interactive voice response from a user; the user receives the OTP and provides the OTP to an authentication server, which determines whether the OTP is valid.
Gubbi 9119076 discloses a server receiving an OTP request by telephone call from a mobile; if the mobile is registered, the server sends an OTP to the mobile; the OTP is disabled if not used within a time period.
Norefors et al. 20060094403 disclose a server receiving a login request, providing an OTP to the user station over a mobile communication system (SMS), requesting the OTP from the mobile and verifying the validity/authenticity of the OTP.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/
Primary Examiner, Art Unit 2493
12/3/2021