DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed 09/11/2021.
Claims 1-18 are pending.
Claims 1-18 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 10 and 18 are objected to because of the following informalities: claim 10 lacks proper antecedent basis for “the pin” and claim 18 recites “hash based message authenticated code (HMAC) based on one time password algorithm (HOTP).  Improved Second Factor for Secure Password Authentication”. It is unclear whether there is a grammatical or typographical error and what Applicant meant by the “Improved Second Factor for Secure Password Authentication” after the end of the claim. Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. As described below, the claim(s) are/is directed to abstract idea(s), but there are no additional elements of the claim(s) that add sufficiently more to the abstract idea(s) to be permissible under 35 U.S.C. 101.

Subject Matter Eligibility Standard
When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (101 Analysis: Step 1). Even if the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (101 Analysis: Step 2a (Prong 1)), and if so, whether there are any additional elements recited in the claim beyond the judicial exception(s); those additional elements are then evaluated to determine whether they integrate the exception into a practical application of the exception (101 Analysis: Step 2a (Prong 2)). If the additional elements do not integrate the exception into a practical application of the exception, the claim still requires an evaluation of whether it recites additional elements that amount to an inventive concept (aka “significantly more”) than the recited judicial exception. If the claim as a whole amounts to significantly more than the exception itself (there is an inventive concept in the claim), the claim is eligible. If the claim as a whole does not amount to significantly more (there is no inventive concept in the claim), the claim is ineligible (101 Analysis: Step 2b).
The 2019 PEG explains that the abstract idea exception includes the following groupings of subject matter: a) mathematical concepts, b) certain methods of organizing human activity, and c) mental processes.
Analysis
In the instant case, claim 1 is directed to a method, claim 10 is directed to a machine.

101 Analysis: Step 2a (Prong 1) – Identifying an Abstract Idea
The claims recite the steps of “storing a … key … communicating to an app… receiving … a selection… communicating an image… receiving … a digital representation… determining if the digital representation entered by the user on the second computing device matches… determining if the PIN is as expected… and authorizing the user”. While the process is geared at authentication towards a transaction, the claim recites an abstract idea that is directed towards a mental process: in this case, information is stored, received, and sent, and an image and PIN are compared, with the end result of authorizing a user.

101 Analysis: Step 2a (Prong 2) – Identifying a Practical Application
The claim does recite additional elements, but these elements do not integrate the judicial exception into a practical application. For example, determining that the image matches and that the PIN is as expected requires a visual check of the image/PIN sent and the image/PIN received. This act does not turn the abstract idea into a practical application, as being able to visibly compare images is still a mental process; Applicant’s claims are the automation of this mental process. Therefore, based on case law precedent, the claims are claiming subject matter similar to concepts already identified by the courts as dealing with abstract ideas. See Alice Corp. Pty. Ltd., 134 S.Ct. at 2356 (citing Bilski v. Kappos, 561 U.S. 593, 611 (2010)). Mere instructions to apply the exception using generic computer components and limitations to a particular field of use or technological environment do not amount to practical applications.

101 Analysis - Step 2b
Viewed as a whole, instructions/method claims recite the concept of a mental process as performed by a generic computer. The method claims do not, for example, purport to improve the functioning of the computer itself. Nor do they effect an improvement in any other technology or technical field. Instead, the claims at issue amount to nothing significantly more than an instruction to apply the abstract idea using some unspecified, generic computer. Claims 2-8, 11-17 provide further nonfunctional descriptive language of the entities in the claims. And claims 9 and 18 recite another mental process of creating and sending a password.  See Alice Corp. Pty. Ltd., 134 S.Ct. at 2360. Mere instructions to apply the exception using a generic computer component and limitations to a particular field of use or technological environment cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible.
Conclusion
The claim as a whole does not amount to significantly more than the abstract idea itself. This is because the claim does not effect an improvement to another technology or technical field; the claim does not amount to an improvement to the functioning of a computer system itself; and the claim does not move beyond a general link of the use of an abstract idea to a particular technological environment.
Accordingly, the Examiner concludes that there are no meaningful limitations in the claim that transform the judicial exception into a patent eligible application such that the claim amounts to significantly more than the judicial exception itself. 
Dependent claims do not resolve the deficiency of independent claims and accordingly stand rejected under 35 USC 101 based on the same rationale.
Dependent claims 2-9 and 11-18 are also rejected.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 1 and 10 recite “determine if the PIN… is as expected”. The claims are unclear and indefinite as to what the expectations are and who or what determines what to expect and how that is measurable by a server. The claims are unclear and indefinite. Dependent claims 2-9 and 11-18 are also rejected. 
Claims 4 and 13 recite “image has been determined to be appropriate”. The claims are unclear and indefinite. It is unclear how a determination of appropriateness is measured, who sets that metric, and how a device would measure appropriateness.
Claim 16 recites “wherein receiving from the second computing device a digital representation entered by the user representing the image and the PIN is over a secure channel between the app and the authorization server.” In independent claim 10, the receiving from the second computing device a digital representation entered by the user representing the image and the PIN never occurs; the claim is therefore unclear and indefinite as to what Applicant is alluding to that is over a secure channel between the app and the authorization server.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Reading et al. (US 10438225) (“Reading”), and further in view of Leonetti et al. (WO 2018/198036) (“Leonetti”).
Regarding claims 1 and 10, Reading discloses at an authorization server, storing a shared electronic key (column 17, line 58-67, column 18, line 10-17); 
Reading – In another example, the override may include a key generated by an application executed by the second device 514 and the customer may enter the key into the first device which causes the first device to transmit the key to one or more services of the online retailer.  (column 18, line 10-17)

communicating to an app on a second computing device a copy of the shared electronic key (column 18, line 10-22); 
Reading – The key may also be provided to the customer by one or more services of the online retailer in response to a request transmitted from the second device.  (column 18, line 10-22)

receiving from a first computing device, a selection to use a system to complete a transaction (column 16, line 5-43, column 18, line 39-64); 
Claim Interpretation – Disclosure (¶ 24, 25), “At block 305, a copy of the shared electronic key 230 may be communicated to an app on a second or portable computing device 104 which also may be a registered device 104. … [0025] At block 310, a communication may be received from a first computing device 250 making a selection to use a system to complete a transaction”. Note occurrence.
Reading – the webpage 502 may be displayed by a first computing device operated by a customer. The webpage 502 may contain detailed information corresponding to an item 506 for purchase and may also include a graphical user element configured as a “buy” button 504….  For example, when the customer selects the buy button 504 it may cause the application displaying the webpage 502 to transmit an HTTP request to one or more servers of the online retailers, the one or more servers of the online retailer may, based at least in part on the HTTP request, redirect the HTTP request to the CAPTCHA service… A customer may operate the first device 602 in order to access a website operated by an online retailer. The customer may access the website through a web browser or other application executed by the first device 602, such as the web browser described above in connection with FIG. 5. The first device 602 may transmit one or more requests to the online retailer.  (column 16, line 8-43, column 18, line 39-64)

communicating an image to the first computing device (column 25, line 61-67, column 26, line 1-15); 
Reading – The CAPTCHA service may also transmit in response to the particular request one or more graphical user elements that enable selection of a particular type of security check to transmit to the first device. For example, the requestor may not have access to any of the devices previously registered with the online retailer, the CAPTCHA service may allow the requestor to receive a security check on the first device determined to be more difficult than the security check that would have been transmitted to the second device. (column 25, line 61-67, column 26, line 1-15)

receiving from the second computing device a digital representation entered by a user representing the image and a PIN (column 16, line 55-67, column 17, line 1-67, column 18, line 1-22, column 26, line 53-67, column 27, line 1,2);
Reading –  For example, the security check 508 may require the customer to draw a figure on the second device 514 using a touchscreen connected to the second device 514…. the override may include a unique fingerprint associated with the second device 514 based at least in part on the set of sensors connected to the second device 514. In another example, the override may include a key generated by an application executed by the second device 514 and the customer may enter the key into the first device which causes the first device to transmit the key to one or more services of the online retailer… Other variations of process 1000 in accordance with the present disclosure may include transmitting additional information to the second device and requiring the customer to input the additional information received by the second device into the first device before the request may be processed. For example, a security code may be transmitted to the second device in response to a correctly solved security check and the online retailer may require the code to be entered into a webpage displayed on the first device before the request may be processed.   (column 16, line 55-67, column 18, line 1-22, column 26, line 53-67, column 27, line 1,2)

determining if the digital representation entered by the user on the second computing device matches the image communicated to the first computing device (column 13, line 41-57, column 20, line 1-15, column 21, line 62-67, column 26, line 27-51); 
Reading – The CAPTCHA service may cause the security check to be transmitted to the second device in response to the request. Returning to FIG. 10, in an embodiment, the process 1000 may receive a response to the security check from the second device and determine if the response is correct 1012. The CAPTCHA service or one or more other services of the online retailer may receive the response and determine if the response is correct. (column 26, line 27-51)

determining if the PIN is as expected (column 18, line 1-22, column 26, line 53-67);
Reading – The key may then be authenticated by one or more services of the online retailer and the request may be processed if the key can be authenticated.  (column 18, line 1-22, column 26, line 53-67)

in response to determining the digital representation entered by the user matches the image and the PIN from the second computing device is as expected, authorizing the user (column 19, line 64-67, column 20, line 1-24, column 26, line 53-67, column 27, line 1,2).  
Reading – Other variations of process 1000 in accordance with the present disclosure may include transmitting additional information to the second device and requiring the customer to input the additional information received by the second device into the first device before the request may be processed. For example, a security code may be transmitted to the second device in response to a correctly solved security check and the online retailer may require the code to be entered into a webpage displayed on the first device before the request may be processed… For example, if the security check was completed successfully, the CAPTCHA service 612 may transmit an acknowledgment to the bot detection service 608 indicating that the security check was completed successfully. The bot detection service may then cause the request to be processed and may also use the acknowledgment to update the bot detection service 608.   (column 19, line 64-67, column 20, line 1-24, column 26, line 53-67, column 27, line 1,2)

Reading does not disclose a PIN calculated using the copy of the shared electronic key.
Leonetti teaches a PIN calculated using the copy of the shared electronic key (Abstract; Page 7, line 1-29, Page 13, line 1-18, Page 18, line 2-34, Page 19, line 5-24).
Leonetti – The symmetric key can be saved in the protected storage of the mobile device 101 and in the identity provider 107. At the next step 413 the user 100 acquires the encrypted QR code 403 with the portable device 101 and, through the software application (app) on board of the portable personal device, checks the hash (HMAC), decrypts the content with the symmetric key and extract the PIN. (Page 19, line 5-24)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Reading (column 1, line 44-46), which teaches “CAPTCHAs have also evolved in an attempt to improve the security that they provide” and Leonetti (Page 19, line 14-17) “the identity provider 107 checks the PIN 404 and, if this corresponds to the encrypted PIN previously entered in the QR code 403 and sent to the browser in step 412, the authentication is successful” in order to provide authentication of users through multiple methods to reduce risk of identity theft (Leonetti; Page 1, 2).
Regarding claims 2 and 11, Reading discloses wherein the system is a payment system (column 16, line 5-43, column 18, line 39-64).  
Regarding claims 3 and 12, Reading discloses wherein digital representation entered by the user representing the image is converted into a code (column 13, line 41-57, column 20, line 1-15, column 21, line 62-67, column 26, line 27-51).  
Regarding claims 4 and 13, Reading discloses wherein the image has been determined to be appropriate to be inputted on a mobile computing device (column 16, line 55-67, column 17, line 1-67, column 18, line 1-22, column 26, line 53-67, column 27, line 1,2).  
Regarding claims 5 and 14, Reading discloses wherein the image is randomly selected from a plurality of images (column 11, line 3-20, column 13, line 3-20).  
Regarding claims 6 and 15, Reading discloses wherein communicating to an app on a second computing device a copy of the shared electronic key is over a secure channel between the app and the authorization server (column 19, line 1-30, column 20, line 47-62, column 21, line 13-67).  
Regarding claims 7 and 16, Reading discloses wherein receiving from the second computing device a digital representation entered by the user representing the image and the PIN is over a secure channel between the app and the authorization server (column 19, line 1-30, column 21, line 13-67).
Regarding claims 8 and 17, Reading discloses wherein the image is valid only for a current session (column 21, line 13-41).  
Regarding claims 9 and 18, Leonetti teaches verifying the application is on a registered device of the user by generating and automatically submitting a one-time PIN computed as the keyed function of a counter using hash based message authenticated code (HMAC) based on one time password algorithm (HOTP) (Abstract; Page 7, line 1-29, Page 13, line 1-18, Page 18, line 2-34, Page 19, line 5-24, column 21, line 15-36).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Hilger (US 8,881,251) teaches user drawings as an authentication method.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ILSE I IMMANUEL whose telephone number is (469)295-9094. The examiner can normally be reached on Monday-Friday 9:00 am to 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA PATEL can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ILSE I IMMANUEL/Examiner, Art Unit 3685