DETAILED ACTION
Acknowledgements
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in reply to the claims filed October 17, 2019. 
Claims 25-44 are pending and have been examined. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970);and, In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b). Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claim 25 is rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,489,852 B2 to Bhat et al. (“Patent Document”).
Although the conflicting claims are not identical, they are not patentably distinct from each other. Claim 1 of the Patent Document recites all the limitations of claim 25 of the instant application; however, claim 1 of the Patent Document differs since it further recites additional claim limitations including: receiving, by the server computer system from the computer system of the financial institution, an OAuth token for accessing financial data of the financial account associated with the financial institution, the OAuth token providing alternative credentials other than login credentials for the financial account; storing, at the server computer system, the OAuth token to access and aggregate financial data describing the financial account associated with the financial institution; and accessing, by the server computer system, the computer system of the financial institution using the OAuth token to aggregate financial data describing the financial account associated with the financial institution.
However, it would have been obvious to a person of ordinary skill in the art to modify claim 1 of the Patent Document by removing the additional limitations noted above, resulting generally in the claims of the present application, since the claims of the present application and the claim recited in the Patent Document actually perform a similar function.  It is well settled that the omission of an element and its function is an obvious expedient if the remaining elements perform the same function as before.  In re Karlson, 136 USPQ 184 (CCPA 1963).  Also note Ex parte Rainu, 168 USPQ 375 (Bd. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 25-27, 29, 32-34, 36, 39-41 & 43 are rejected under 35 U.S.C. 103 as being unpatentable over Connors et al (US 20100138316 A1) (“Connors”) in view of Miyazaki et al (US 20010037300 A1) (“Miyazaki”) and further in view of Funahashi (US 20080178009 A1) (“Funahashi”).

As per claims 25, 32 & 39,  Connors discloses:
receiving, from a user device, a request to include user data describing a user account in an interface, the user account being associated with an account provider (¶ [0195]; fig. 13 & related text);
identifying one or more metadata attributes (e.g. login information) for accessing the user account associated with the account provider (financial institution server) (¶¶ [0131]-[0132]);
[…]
transmitting, to the user device, data describing the one or more metadata attributes […] (¶¶ [0131]-[0132]);
receiving, from the user device, respective values for the one or more metadata attributes (e.g. user name & password) (¶¶ [0131]-[0132]), […];
storing the […] values for the one or more metadata attributes for use in accessing and aggregating the user data describing the user account (¶¶ [0008], [0047], [0049], [0140]);
transmitting, to a computer system of the account provider, the […] values for the one or more metadata attributes for logging in into one or more webpages associated with the account provider (¶¶ [0008], [0047], [0049], [0140]);
generating for display in the interface the user data describing the user account (e.g. accessing account information) (¶¶ [0061], [0206]-[0208], [0045], [0046], [0060], [0146]; fig. 14);

Connors further discloses receiving, by the server computer system from the computer system of the financial institution, alternative credentials (token or gadget’s access) other than login credentials for accessing financial data describing the financial account associated with the financial institution  (¶¶ [0061], [0142], [0146]; fig. 14; claim 9). 

Connors does not, but Miyazaki discloses:
receiving a public digital key associated with the account provider (¶¶ [0019], [0050], [0054]); 

transmitting, to the user device, … the public digital key associated with the account provider  (¶¶ [0019], [0050], [0054]);

the respective values (e.g. encrypted personal information) having been encrypted by the user device using the public digital key  (¶¶ [0019], [0050], [0054]);

It would have been obvious to a person of ordinary skill in the art to modify Connors’s teachings to use a public key infrastructure (PKI), as disclosed by Miyazaki, to facilitate secure electronic transfer of financial information where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred, thereby increasing the security of financial transactions.

Connors does not, but Funahashi discloses:

determining that the public digital key associated with the account provider has expired (¶ [0159]); and 
based on determining that the public digital key associated with the account provider has expired, deleting the stored encrypted values for the one or more metadata attributes (¶ [0159]).

It would have been obvious to a person of ordinary skill in the art to modify Connors’s teachings to delete encrypted personal information when the corresponding encryption key has expired, as disclosed by Funahashi, to enhance the security of personal information, thereby preventing fraudulent transactions.
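The claimed sequence applied above (the aggregation server hands the user device the account provider's public key, the device encrypts the credential values under that key, the server stores only the ciphertexts, and the stored ciphertexts are deleted once the key has expired) can be modelled in code. The following is an added example written for this page; it is not code from the instant application, from Connors, Miyazaki or Funahashi, or from any cited reference. The class and field names, the injected clock and the sample credentials are assumptions, and the device-side encryption step is a stand-in digest rather than real public-key encryption, so that the example runs with the Python standard library alone.

```python
"""Added example of the claimed flow: provider public key with an expiry,
device-side encryption of credential values, server-side storage of
ciphertext only, and deletion of stored values once the key has expired.
All names are assumptions; the encryption step is a stand-in (see below)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple
import hashlib

Clock = Callable[[], datetime]


@dataclass(frozen=True)
class ProviderKey:
    key_id: str
    public_key: bytes       # opaque to the aggregator; only the provider can decrypt
    not_after: datetime     # assumed expiry published alongside the key

    def expired(self, now: datetime) -> bool:
        return now >= self.not_after


@dataclass(frozen=True)
class EncryptedValue:
    key_id: str             # which provider key the device encrypted under
    ciphertext: bytes


def encrypt_on_device(public_key: bytes, plaintext: str) -> bytes:
    """STAND-IN for the user device's public-key encryption (assumption).
    This is a keyed digest, not encryption: the plaintext cannot be recovered.
    It only keeps the example self-contained; a real device would use
    RSA-OAEP or a hybrid X25519 + AEAD scheme under the provider's key."""
    return hashlib.sha256(public_key + b"\x00" + plaintext.encode("utf-8")).digest()


class AggregationServer:
    """Holds ciphertexts bound to a key id; the plaintext never reaches it."""

    def __init__(self, clock: Clock) -> None:
        self._clock = clock                                  # injected for testability
        self._keys_by_id: Dict[str, ProviderKey] = {}        # every key ever published
        self._current: Dict[str, ProviderKey] = {}           # provider -> current key
        self._attrs: Dict[str, List[str]] = {}               # provider -> metadata attribute names
        self._vault: Dict[Tuple[str, str], Dict[str, EncryptedValue]] = {}

    def register_provider(self, provider: str, key: ProviderKey, attrs: List[str]) -> None:
        self._keys_by_id[key.key_id] = key
        self._current[provider] = key
        self._attrs[provider] = list(attrs)

    def metadata_for_device(self, provider: str) -> dict:
        """What the server transmits to the user device: attribute names plus key."""
        key = self._current[provider]
        if key.expired(self._clock()):
            raise ValueError(f"{provider}: published key {key.key_id} has expired")
        return {"attributes": self._attrs[provider], "key_id": key.key_id,
                "public_key": key.public_key, "not_after": key.not_after.isoformat()}

    def store_encrypted_values(self, user: str, provider: str,
                               values: Dict[str, EncryptedValue]) -> None:
        """Refuse anything encrypted under an unknown, stale or expired key:
        such a value would be purged immediately and cannot be used anyway."""
        key = self._current[provider]
        if key.expired(self._clock()):
            raise ValueError("refusing values encrypted under an expired key")
        for attr, ev in values.items():
            if attr not in self._attrs[provider]:
                raise ValueError(f"unknown attribute {attr!r}")
            if ev.key_id != key.key_id:
                raise ValueError(f"{attr!r} encrypted under stale key {ev.key_id}")
        self._vault[(user, provider)] = dict(values)

    def stored_values(self, user: str, provider: str) -> Dict[str, EncryptedValue]:
        return dict(self._vault.get((user, provider), {}))

    def purge_expired(self) -> int:
        """Delete every stored value whose key has expired; return the count deleted."""
        now = self._clock()
        deleted = 0
        for acct, values in list(self._vault.items()):
            kept = {a: v for a, v in values.items()
                    if v.key_id in self._keys_by_id
                    and not self._keys_by_id[v.key_id].expired(now)}
            deleted += len(values) - len(kept)
            if kept:
                self._vault[acct] = kept
            else:
                del self._vault[acct]
        return deleted


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""
    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def demo() -> dict:
    """Walk the flow once; returns counts that can be checked."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    server = AggregationServer(clock)
    key = ProviderKey("bank-k1", b"constructed-public-key-bytes", clock.now + timedelta(days=30))
    server.register_provider("examplebank", key, ["login", "password"])

    meta = server.metadata_for_device("examplebank")       # transmitted to the device
    secrets = {"login": "alice", "password": "correct horse"}  # constructed sample values
    device_values = {attr: EncryptedValue(meta["key_id"], encrypt_on_device(meta["public_key"], s))
                     for attr, s in secrets.items()}
    server.store_encrypted_values("alice", "examplebank", device_values)

    before = server.purge_expired()                        # key valid: nothing deleted
    clock.advance(timedelta(days=31))                      # key is now expired
    after = server.purge_expired()                         # stored ciphertexts deleted
    try:
        server.store_encrypted_values("alice", "examplebank", device_values)
        rejected = False
    except ValueError:
        rejected = True
    return {"stored": len(device_values), "purged_before_expiry": before,
            "purged_after_expiry": after,
            "remaining": len(server.stored_values("alice", "examplebank")),
            "resubmission_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The purge keys off the key id recorded with each stored value rather than off the provider's current key, so values encrypted under an older, rotated key are still deleted when that older key expires, and a value submitted under an already expired key is refused at the door instead of being stored and then swept.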

The examiner further notes that the following limitations have been considered but are given less patentable weight because the limitations have been interpreted as intended use limitations that are not positively claimed:
for accessing the user account associated with the account provider… as recited by at least claim 25.
for use in accessing and aggregating the user data describing the user account… as recited by at least claim 25.
for display in the interface the user data describing the user account… as recited by at least claim 25.
for logging in into one or more webpages associated with the account provider… as recited by at least claim 25.
A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art.  If the prior art structure is capable of performing the intended use, then it meets the claim.  Ex parte Masham, 2 USPQ2d 1647 (Bd. Pat. App. & Inter. 1987).  

As per claims 26, 33 & 40, Connors/Miyazaki/Funahashi disclose as shown above.

Connors further discloses:
in response to transmitting the encrypted values for the one or more metadata attributes to the account provider, receiving access to the user account associated with the account provider  (¶¶ [0061], [0206]-[0208], [0045], [0046], [0060] [0146]; fig. 14);  
receiving, from the account provider, account data describing the user account  (¶¶ [0061], [0206]-[0208], [0045], [0046], [0060] [0146]; fig. 14); and 
aggregating the account data for use in describing the user account in the interface  (¶¶ [0061], [0206]-[0208], [0045], [0046], [0060] [0146]; fig. 14).

As per claims 27, 34 & 41, Connors/Miyazaki/Funahashi disclose as shown above.
Connors further discloses wherein access to the user account associated with the account provider is restricted to read-only access based on the respective values for the one or more metadata attributes being encrypted (accessing/viewing account information, ¶ [0142]).

As per claims 29, 36 & 43, Connors/Miyazaki/Funahashi disclose as shown above.
Connors does not disclose wherein the authentication token is an OAuth token.

However, the examiner notes that using the OAuth token framework is old and well known in the art (see ¶ [0012] of applicant’s specification as published: “…the aggregation system can be configured to use other authorization standards and frameworks (e.g., OAuth) to simplify the integration with third-party systems”).

It would have been obvious to a person of ordinary skill in the art to modify Connors’s teachings to use the OAuth standard to grant websites or applications access to a user’s information on other websites without giving them the user’s passwords, thereby enhancing the security of users’ accounts.


As per claims 30, 37 & 44, Connors/Miyazaki/Funahashi disclose as shown above.
Connors further discloses wherein the one or more metadata attributes include a login, password, and one or more multi-factor authentication questions associated with the user device (¶¶ [0108], [0140], [0188]).

Claims 28, 30, 31, 35, 37, 38, 42 & 44 are rejected under 35 U.S.C. 103 as being unpatentable over Connors et al (US 20100138316 A1) (“Connors”) in view of Miyazaki et al (US 20010037300 A1) (“Miyazaki”), further in view of Funahashi (US 20080178009 A1) (“Funahashi”), and further in view of Notani (“Notani”).

As per claims 28, 35 & 42, Connors/Miyazaki/Funahashi disclose as shown above.

Connors further discloses, in response to transmitting the […] values for the one or more metadata attributes to the account provider (¶¶ [0008], [0047], [0049], [0140]),

Connors does not expressly disclose receiving, from the account provider an authentication token for accessing account data of the user account, the authentication token providing alternative credentials other than login credentials for the user account.

Notani, however, clearly discloses receiving, from the account provider an authentication token (e.g. access token) for accessing account data of the user account, the authentication token providing alternative credentials other than login credentials for the user account (col. 10, lines 55-67).

It would have been obvious to a person of ordinary skill in the art to modify Connors’s teachings to use a generated access token after verifying user name and password, as disclosed by Notani, to provide strong security measures, thereby preventing fraudulent transactions.

As per claims 30, 37 & 44, Connors/Miyazaki/Funahashi disclose as shown above.

Connors further discloses receiving, by the server computer system from the computer system of the financial institution, alternative credentials (token or gadget’s access) other than login credentials for accessing financial data describing the financial account associated with the financial institution  (¶¶ [0061], [0142], [0146]; fig. 14; claim 9). 

Connors does not expressly disclose based on transmitting the encrypted values for the one or more metadata attributes to account provider: obtaining access to the user account associated with the account provider; and receiving, from the account provider, an alternative set of credentials for accessing the user account associated with the account provider; and receiving, from the account provider, account data describing the user account. 

Notani, however, clearly discloses based on transmitting the encrypted values for the one or more metadata attributes to account provider: obtaining access to the user account associated with the account provider; and receiving, from the account provider, an alternative set of credentials (e.g. access token) for accessing the user account associated with the account provider; and receiving, from the account provider, account data describing the user account  (col. 10, lines 55-67).



As per claims 31 & 38, Connors/Miyazaki/Funahashi disclose as shown above.
Connors further discloses, in response to transmitting the […] values for the one or more metadata attributes to the account provider (¶¶ [0008], [0047], [0049], [0140]),
Connors further discloses receiving, by the server computer system from the computer system of the financial institution, alternative credentials (token or gadget’s access) other than login credentials for accessing financial data describing the financial account associated with the financial institution (¶¶ [0061], [0142], [0146]; fig. 14; claim 9).

Connors does not expressly disclose based on transmitting the encrypted values for the one or more metadata attributes to account provider: obtaining access to the user account associated with the account provider; and receiving, from the account provider, an alternative set of credentials for accessing the user account associated with the account provider; and receiving, from the account provider, account data describing the user account.

Notani, however, clearly discloses based on transmitting the encrypted values for the one or more metadata attributes to the account provider: obtaining access to the user account associated with the account provider; and receiving, from the account provider, an alternative set of credentials (e.g. access token) for accessing the user account associated with the account provider; and receiving, from the account provider, account data describing the user account (col. 10, lines 55-67).

It would have been obvious to a person of ordinary skill in the art to modify Connors’s teachings to use alternate authentication, as disclosed by Notani, to provide strong security measures thereby preventing fraudulent transactions.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and is cited in the Notice of References Cited (form PTO-892).

Mahaffey et al (US 20140189808 A1) discloses:
[0103] In general, the processes of FIGS. 4A-4C operate such that when the application is activated, the requesting client displays a waiting for authorization user interface and sends a request to the server to authorize access to the application. The server contacts the authorizing client, and an authorizing client must approve access to the application in order for the request to be granted. If approved, authorizing client returns an indication of authorization to server. The server returns authorization (e.g. Boolean value, decryption key, username/password) to requesting client. The requesting client activates application and allows user to use it. In identifying a user/client to a website or application, the requesting client performs extra validation of site/application to ensure security. The authenticating information comprising the credentials provided by the system, such as by a server or the authorizing client can be a username/password combination or a session token for the application's backend service, or an authorization token to retrieve login from a service (local or network-based), or other type of credential as described above.


Vongsouvanh et al (US 20140223516 A1) discloses:  [0017] Techniques of this disclosure may, in various aspects, enable a client device to initiate an authorization flow with a user and to send an authorization request for the authorization flow to a mobile computing device of the user when the mobile 
Govindarajan et al (US 20100083358 A1) discloses a computer implemented method and system that securely aggregates and manages user related data in an online environment while maintaining privacy of a user. The user provides access credentials at a client device for each of multiple data sources. The access credentials are transformed to an unreadable format at the client device using a public key transmitted by a web server. The transformed access credentials in the unreadable format are stored locally on the client device. A communicating software agent on the client device communicates the stored access credentials to the web server. The web server transforms the communicated access credentials to a readable format using a private key and retrieves the user related data by accessing the data sources using the access credentials in the readable format. The web server presents the retrieved user related data to the user in one or more presentation modes.
Purvis et al (US 20130036454 A1) discloses access to an on-line account management system is facilitated. A request is received to perform a first action using an on-line account management system. The request comprises a first access identifier. A global party identifier associated with the first access identifier is determined. Restriction information associated with the first access identifier and the global party identifier is accessed from a global party profile operable to store at least one of a time-based, a location-based, and a device-based restriction associated with actions capable of being performed using the on-line account management system. A processor determines whether the first action is permissible based on the restriction information associated with the first access identifier and the global party identifier.

Geshwind et al (US 20080031447 A1) discloses a method and computer system for access aggregation comprising the storage and retrieval of website userids and passwords, and potentially other information, which is secure and convenient and automates access to the variety of websites of interest to users, and to the other information. An embodiment comprises a web server with web pages and files including client application code and server code, databases, and other components, to store encrypted versions of the userid and password for the user to login to the various sites for which the user is a member. The encryption/decryption key(s) to encrypt/decrypt the userids and passwords are never sent to the server and are only present on the client, so that the method is secure. The invention optionally additionally provides an interface allowing a user to manage various accounts, ids, passwords and other information.

Pruthi et al (US 20160350748 A1) discloses: Methods, systems, and computer-readable media for providing access to account information using authentication tokens are presented. In some embodiments, a customer of a financial institution may visit an account information aggregator site and request to add an account maintained by the financial institution to a collection of accounts for which the aggregator may collect account information on behalf of the customer. Rather than providing their username, password, and/or other bank login credentials to the aggregator, the customer may be redirected to a page provided by the financial institution where the customer can enter their credentials and authenticate with the financial institution. After authenticating the customer, the financial institution may generate a token and provide the token to the aggregator. Subsequently, the aggregator may use the token to obtain read-only access to financial account information for one or more financial accounts that are maintained by the financial institution for the customer.


Hsiao et al (US 20030200202 A1) discloses a method is provided for accessing information in a content management system including a library server for generating non-transferable access tokens and an object server for storing objects to which access may be requested by a client user. Enhanced security is achieved by generating non-transferable access tokens which can be used by a particular client user to access a particular data object in the object server. However, should the token be transferred to a user other then the client user for which the token was generated, the system will not permit access to the object.
[0022] FIG. 4 is a flowchart which depicts process flow of the disclosed content management technology employing either a transferable or a non-transferable access token. A user logs on to client 120 and requests access to an object stored in resource manager 110 as per step 400. A test is conducted by library server 105 at step 405 to determine if the user possesses the privilege of accessing the requested object. If the user does not have that privilege, access is denied as per rejection step 410. However, if the user does have the privilege of being permitted access to the requested object, then the library server generates 

 
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to MAMON OBEID whose telephone number is (571)270-1813.  The Examiner can normally be reached on 8 AM- 5 PM.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Patrick McAtee, can be reached on 571-272-7575.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAMON OBEID/Primary Examiner, Art Unit 3685