Acknowledgements
This communication is in response to applicant’s response filed on 10/15/2021.
Claims 1, 5-6, 8, 12-13, 15, and 19-20 have been amended. 
Claims 1-20 are pending and have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/15/2021 has been entered.
 
Response to Arguments
Regarding applicant’s arguments:
Regarding applicant’s argument under Claim Rejections - 35 USC § 103 that the combination of Wajs (US 20200177584) in view of Ecker (US 20190188705) in further view of Quentin (US 20200005306) does not disclose “receive encrypted passport data from the contactless card; extract one attribute of 
Applicant argues dependent claims are patentable because of their dependency on independent claims 1, 8, and 15. Examiner respectfully argues applicant’s arguments are moot in light of the new grounds of rejection necessitated by the amendments to claims 1, 8, and 15. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wajs (US 20200177584) in view of Quentin (US 20200005306) in further view of McDougall (US 20210176242) in further view of Ecker (US 20190188705).

Regarding Claims 1, 8, and 15, Wajs teaches receive, by the application via the wireless communications interface, encrypted passport data from the contactless card, the encrypted passport data for a passport associated with the account, the encrypted passport data encrypted based on at least one attribute of the passport (Paragraph 0007 teaches electronic passports have a smart card chip in them and use standard near field communication (NFC) technology to interface to, and communicate with, a passport reader (i.e., user device); the user device (i.e., capable of NFC communication) can also interface to, and communicate with, electronic passports; the communication with the electronic passport is protected (e.g. encrypted) using one or more keys derived from data that is optically readable (e.g. data printed on a page of the electronic passport)); extract, by the application, the at least one attribute of the passport from a first image of the passport, wherein the first image depicts the at least one attribute of the passport (Paragraphs 0007 and 0111 teach an electronic passport scanner/reader (i.e., user device) may first read the passport optically, derive the key(s) for communication and use the secured data channel to request data fields from the electronic passport; the key for the secured NFC connection is derived from the information in the main page of the passport); decrypt, by the application, the encrypted passport data based on the extracted at least one attribute of the passport (Paragraphs 0113 and 0007 teach the use of the keys (i.e., passport data) encrypts the electronic passport data to secure the communication between the electronic passport and the reader to protect the data fields from eavesdropping; processing the image of the passport is required to gain access (i.e., decrypt) to the electronic information in the passport); transmit, by the application to the authentication server, an indication specifying that the encrypted passport data was decrypted (Paragraphs 00113 and 0011 teach the application on the device may issue a challenge to the passport and the passport proves itself by returning the decrypted number to the application or the server; the security relies on the secure chip in the device verifying the fingerprint and simply sending a signed authentication result to the server; this enables the server to know that a correct fingerprint was obtained by the device); and initiate, by the application, performance of the operation based on the received indication specifying the decryption of the encrypted passport data (Paragraphs 0012-0013 teach the user can use the decrypted electronic information for purposes of normal access of an account, or configuration of an account (i.e. show/demonstrate to the account issuer that they are in fact who they say they are and gain access to the account)).
However, Wajs does not explicitly teach determine, by the application, that a digital signature of the encrypted passport data received from the contactless card is a valid digital signature based on a public key associated with an entity providing the digital signature; and initiate, by the application, performance of the operation based on the determination that the digital signature is valid.
Quentin from same or similar field of endeavor teaches determine, by the application, that a digital signature of the encrypted passport data received from the contactless card is a valid digital signature based on a public key associated with an entity providing the digital signature (Paragraphs 0062 and 0080-0081 teach a piece of data from a digital identity document (user's identity card, biometric passport) in the user's possession is obtained independently and in a complementary manner; this piece of data is transmitted by a digital identity document that consists of a digital signature of certain of the pieces of data recorded therein; the digital identity document can generate a digital signature of the payment data (name, number, date, CVV) and transmit this signature to the communications terminal; the data are signed for example by means of a private key of the card; the data (name N1, number N2, date D, cryptogram C) are for example concatenated (N1|N2|D|C) to form a string of characters CC to which a cryptographic operation is applied in using the private key (KPriv) of the digital identity document; this private key (KPriv) is then kept only by the digital identity document (the public key has been transmitted to the transactional server by another means, as explained here above); the (bank) server, upon reception of the user authentication certificate from the communications terminal deciphers the user authentication certificate with the public key of the digital identity document); and initiate, by the application, performance of the operation based on the determination that the digital signature is valid (Paragraphs 0078 and 0104 teach a piece of complementary data (user identification certificate) directly derived from the identity document itself; these data are transmitted by means of the usual interfaces to the server (SrvT) in charge of processing the transaction; the processing of the transaction comprises a complementary phase which consists in verifying that the user identification certificate received is compliant with the expected user identification certificate; thus, this verification is carried out by a server that possesses the cryptographic data necessary for the verification of the user identification certificate; the transaction server uses the user identification certificate which it receives from the e-commerce platform to confirm or reject the transaction, according to mechanisms identical to those described in the present application (certificate data comparison/encryption/decryption using public keys/private keys, etc.)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Wajs to incorporate the teachings of Quentin to determine, by the application, that a digital signature of the encrypted passport data received from the contactless card is a valid digital signature based on a public key associated with an entity providing the digital signature; and initiate, by the application, performance of the operation based on the determination that the digital signature is valid.
There is motivation to combine Quentin into Wajs because a server at the end of the chain is able to verify that the data that is provided for the implementation of the transaction are corroborated by additional data (for example in the form of an authentication certificate from the identity document), this certificate being able to be checked by the server to confirm the identity of the user. Thus, the implementation of a fraud is much more complex since it is necessary to have several different types of information to be able to forge a transaction. Thus, an attacker who only has the user's payment data is not able to forge a valid transaction. The server is in possession of particular cryptographic materials (for example from the digital identity document and/or a copy of the identity document (which the server uses to produce cryptographic data identical or complementary to those produced by the communication terminal when such method is implemented)) (Quentin Paragraph 0063). Such an implementation enables the (bank) server, upon reception of the user authentication certificate from the communications terminal, to decipher it with the public key of the digital identity document, and to verify that the identifier of the communications terminal corresponds to an identifier “authorized” by the (bank or transactional) server, thus enabling the addition of an additional level of security. In general, the communications terminal can parametrize the user identification certificate (and therefore use a certification parameter that it transmits to the identity document) in order to make it unique (i.e. not usable a second time) (Quentin Paragraph 0081).
However, the combination of Wajs and Quentin does not explicitly teach determine, by the application, that a first permissions level for the account does not meet a required permissions level to perform the operation using a function of the application; transmit, by the application to the authentication server, an indication of the first permissions level for the account; receive, by the application from the authentication server, a second permissions level assigned to the account based on the decryption of the encrypted passport data, the second permissions level having greater permissions than the first permissions level, wherein the first and second permissions levels are of a plurality of permissions levels; and initiate, by the function of the application, performance of the operation based on the second permissions level of the account.
McDougall from same or similar field of endeavor teaches determine, by the application, that a first permissions level for the account does not meet a required permissions level to perform the operation using a function of the application (Paragraphs 0020-0021 and 0031-0033 teach when a user attempts to access services of the transaction processing system the user login engine receives the user credentials and triggers the risk calculator to assess the risk by calculating a risk score for the user's request; the risk calculator can be further configured to compare the risk score with a predetermined risk threshold; based on the predetermined risk threshold, it can be determined further verification of the user identity is required because the user request is a higher risk request; if it is determined that the user identity needs to be verified, the user authentication signal is generated and associated with an input requiring one or more authentication steps to verify user identity; the method returns to execute the next authentication step wherein the user's passport data is requested and verified); transmit, by the application to the authentication server, an indication of the first permissions level for the account and an indication specifying that the encrypted passport data was decrypted (Paragraphs 0023, 0025, 0030, and 0033 teach a preliminary authentication step that can be implemented for user requests includes a numeral-based verification implemented by the first data verifier; upon receiving the first piece of data from the user, the first data verifier determines the authenticity/accuracy of the first piece of data received in the user's response; based on the output returned by the first data verifier the authentication step selector can determine if further verification of the user is needed; if further verification steps are required, the output from the first data verifier can be cached at the adaptive user authentication system and the next authentication step is initiated; the adaptive user authentication system can be configured to implement another authentication step via the passport verifier; when a third authentication step needs to be implemented, the passport verifier can be activated to transmit a request to the user to provide the user's passport information; the received passport information is compared with the corresponding information retrieved from the coupled databases, for authenticity determination; the passport data analyzer compares the received passport data with data from one or more of the coupled databases; the results from the executed authentication steps, which would now include the results from the first, the second, and third authentication steps are transmitted to the transaction processing system (Note: previous references taught verifying encrypted passport data by decrypting said data)); receive, by the application from the authentication server, a second permissions level assigned to the account based on the decryption of the encrypted passport data, the second permissions level having greater permissions than the first permissions level, wherein the first and second permissions levels are of a plurality of permissions levels (Paragraphs 0026 and 0030 teach based on the outputs from one or more of the first data verifier and the passport verifier, the transaction processing system may allow or disallow the user from accessing services; if the passport information is successfully verified, the passport result generator can transmit information regarding the successful authentication of the user to the transaction processing system; as the passport verification is the final step in the user authentication process, successful passport verification can further imply that the user's first piece of data (e.g., telephone number or PIN), image, and passport have all been authenticated); and initiate, by the function of the application, performance of the operation based on the second permissions level of the account (Paragraphs 0037 and 0022 teach if it is determined that the passport data was verified, then a message is transmitted to the transaction processing system that the user's authenticity is verified and the user may proceed with the requested transactions; when the authentication process is completed, the user device can be redirected back to the transaction processing system to conduct transactions if the user is authenticated).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Wajs and Quentin to incorporate the teachings of McDougall to determine, by the application, that a first permissions level for the account does not meet a required permissions level to perform the operation using a function of the application; transmit, by the application to the authentication server, an indication of the first permissions level for the account and an indication specifying that the encrypted passport data was decrypted; receive, by the application from the authentication server, a second permissions level assigned to the account based on the decryption of the encrypted passport data, the second permissions level having greater permissions than the first permissions level, wherein the first and second permissions levels are of a plurality of permissions levels; and initiate, by the function of the application, performance of the operation based on the second permissions level of the account.
There is motivation to combine McDougall into the combination of Wajs and Quentin because the adaptive user identity system disclosed herein provides a technical improvement over systems relying on static identity data alone which remains largely ineffective since digital content may be easily stolen, spoofed, or misused by fraudsters. A risk-based approach using digital identity intelligence as implemented by the disclosed adaptive user authentication system enables organizational entities to verify low-risk users with minimum friction to enhance digital content security and communication thereby providing users a more pleasant online experience and yet still pick out bad actors. Furthermore, a more robust and holistic approach for digital content security and communication using account classification and analysis may be provided to overcome the shortcoming of conventional systems and methods (McDougall Paragraph 0017). The adaptive user authentication system can seamlessly interact with the transaction processing system so that the user interface (UI) put forth by the adaptive user authentication system maintains the look and feel of the UI of the transaction processing system thereby making the redirection opaque to the user. The seamless redirection not only maintains the confidence of a genuine user but also serves in preventing a fraudulent user from being alerted regarding the additional authentication steps being required. The sequence of authentication steps is designed to engage the user while progressively collecting more and more information from the user. Therefore, if the user attempting the login is a fraudulent user, the adaptive user authentication system enables maintaining contact with a fraudulent user for a longer time while also collecting a greater amount of data from the fraudulent user that may enable identifying and prosecuting the fraudulent user (McDougall Paragraph 0022).
However, the combination of Wajs, Quentin, and McDougall does not explicitly teach receive, by an application executing on the processor, a request to perform an operation associated with an account; receive, by the application, encrypted data from a contactless card associated with the account, the encrypted data based on a cryptographic algorithm, a diversified key, and a customer identifier for the contactless card, the diversified key based on a counter value and a private key for the contactless card; receive, by the application from an authentication server, an indication specifying that the authentication server verified the encrypted data based on the diversified key for the contactless card; and initiate, by the application, performance of the operation based on the received indication specifying that the authentication server verified the encrypted data.
Ecker from same or similar field of endeavor teaches receive, by an application executing on the processor, a request to perform an operation associated with an account (Paragraphs 0065-0067 teach a customer attends at a merchant's POS terminal (i.e., the POS terminal is being equated to the mobile device in the primary reference) to complete a financial transaction (e.g. pay for wares and/or services); the POS terminal receives the authorization amount from the data input device, or from the associated ECR (if any) via the network interface, and prompts the customer to interface a payment card (i.e., contactless card) with the payment card interface of the POS terminal; after the customer (cardholder) interfaces a payment card with the payment card interface and approves the displayed authorization amount, the transaction processor (i.e., comprises the application) of the POS terminal transmits to the payment card a Read Record command requesting various data elements from the payment card; typically, the Read Record command requests at least the primary account number, and the expiry date of the payment card); receive, by the application, encrypted data from a contactless card associated with the account, the encrypted data based on a cryptographic algorithm, a diversified key, and a customer identifier for the contactless card, the diversified key based on a counter value and a private key for the contactless card (Paragraphs 0080-0081 teach the transaction processor (i.e., application) initiates online authorization of the financial transaction by transmitting to the payment card a Generate Application Cryptogram command that requests an online cryptogram from the payment card; upon receipt of the Generate Application Cryptogram command, the payment card may generate an online Application Request Cryptogram (ARQC) by (i) generating a session key by applying the payment card's cryptographic master key and the transaction counter as inputs to a cryptographic algorithm, and (ii) applying the session key, the primary account number, and the authorization amount as inputs to the cryptographic algorithm; the payment card may transmit the online cryptogram ARQC to the POS terminal); receive, by the application from an authentication server, an indication specifying that the authentication server verified the encrypted data based on the diversified key for the contactless card (Paragraphs 0082-0085 teach the transaction processor (i.e., application) may generate an Authorization Request message that includes the primary account number, the authorization amount, and the online cryptogram ARQC, and forward the Authorization Request message to the acquirer server; then, the acquirer server may direct the Authorization Request message to the issuer server (i.e., authentication server); the issuer server may verify that the payment card generated the online cryptogram ARQC from the authorization amount; if the issuer server determines that the payment card generated the online cryptogram ARQC from the authorization amount, and the cardholder account has sufficient credit/funds to complete the transaction, the issuer server may generate an authorization code that indicates that the financial transaction was authorized; the issuer server may generate an Authorization Response message that includes the authorization code, and may transmit the Authorization Response message to the acquirer server, then the acquirer server may forward the Authorization Response message to the POS terminal); and initiate, by the application, performance of the operation based on the received indication specifying that the authentication server verified the encrypted data (Paragraphs 0089 and 0092-0093 teach to initiate clearing of these pre-authorized transactions, the transaction processor (i.e., application) generates a Clearing Payload that includes all (or a smaller portion) of the authorization confirmation messages that are saved in the clearing database, and transmits the Clearing Payload to the merchant's acquirer server; the transaction processor may transmit the Clearing Payloads (and optionally purge the saved authorization confirmation messages) when the number of stored authorization confirmation messages reaches a predetermined maximum number of messages; alternately, or additionally, the transaction processor may transmit the Clearing Payloads (and optionally purge the saved authorization confirmation messages) periodically (e.g. once at the end of each business day), and/or earlier when the capacity in the clearing database for additional authorization confirmation messages reaches or approaches a maximum capacity; each card issuer server may complete clearing of its respective transactions by posting the authorization amounts to the respective cardholder accounts in the secure accounts database; each card issuer server may then effect settlement of any amounts owed to the respective acquirers, in the conventional manner).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Wajs, Quentin, and McDougall to incorporate the teachings of Ecker to receive, by an application executing on the processor, a request to perform an operation associated with an account; receive, by the application, encrypted data from a contactless card associated with the account, the encrypted data based on a cryptographic algorithm, a diversified key, and a customer identifier for the contactless card, the diversified key based on a counter value and a private key for the contactless card; receive, by the application from an authentication server, an indication specifying that the authentication server verified the encrypted data based on the diversified key for the contactless card; and initiate, by the application, performance of the operation based on the received indication specifying that the authentication server verified the encrypted data.
There is motivation to combine Ecker into the combination of Wajs, Quentin, and McDougall because the base invention is improved because the authentication of the contactless card is more secure. In order to verify the contactless card, the issuer server may verify that the payment card generated the online cryptogram ARQC from the authorization amount. To do so, the issuer server may (i) recover the payment card's session key by applying the payment card's cryptographic master key and transaction counter as inputs to the cryptographic algorithm, (ii) decrypt the online cryptogram ARQC with the recovered session key, (iii) compute a message authentication code from the primary account number and the authorization amount, and (iv) compare the computed message authentication code against the decrypted cryptogram (Ecker Paragraph 0083).
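The counter-diversified session key and issuer-side cryptogram check described for Ecker above, as an added example that is not code from the Office action or from any cited reference. The page does not name the cryptographic algorithm, so HMAC-SHA256 stands in for it; the master key, account number and amounts are constructed sample values.

```python
"""Diversified session key + cryptogram: card side and issuer side.

Added illustration (not from the Office action or the cited references).
HMAC-SHA256 is assumed in place of the unnamed cryptographic algorithm.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample master key, known only to the card and its issuer.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_session_key(master_key: bytes, counter: int) -> bytes:
    """Diversified key: a function of the card's master key and its counter."""
    # Binding the counter into the derivation gives every transaction a fresh key.
    return hmac.new(master_key, b"session" + counter.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def compute_cryptogram(session_key: bytes, pan: str, amount_cents: int) -> bytes:
    """ARQC-like MAC over the primary account number and the authorization amount."""
    msg = pan.encode() + b"|" + amount_cents.to_bytes(8, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


@dataclass
class Card:
    master_key: bytes
    pan: str           # primary account number doubles as the customer identifier
    counter: int = 0   # application transaction counter

    def generate_cryptogram(self, amount_cents: int) -> dict:
        """Card side: bump the counter, derive the session key, MAC PAN and amount."""
        self.counter += 1
        sk = derive_session_key(self.master_key, self.counter)
        return {"pan": self.pan, "counter": self.counter, "amount": amount_cents,
                "cryptogram": compute_cryptogram(sk, self.pan, amount_cents)}


@dataclass
class IssuerServer:
    master_keys: dict                       # pan -> master key
    last_counter: dict = field(default_factory=dict)

    def verify(self, req: dict) -> bool:
        """Issuer side: re-derive the session key and compare the cryptogram."""
        mk = self.master_keys.get(req["pan"])
        if mk is None:
            return False
        # Replay defence: the counter must move strictly forward per card.
        if req["counter"] <= self.last_counter.get(req["pan"], 0):
            return False
        sk = derive_session_key(mk, req["counter"])
        expected = compute_cryptogram(sk, req["pan"], req["amount"])
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False
        self.last_counter[req["pan"]] = req["counter"]
        return True


def demo() -> tuple:
    """Genuine request, replay of it, amount tampered in transit, next genuine one."""
    pan = "4111111111111111"                         # constructed sample PAN
    card = Card(MASTER_KEY, pan)
    issuer = IssuerServer({pan: MASTER_KEY})
    req1 = card.generate_cryptogram(2599)
    ok = issuer.verify(req1)                          # True
    replay = issuer.verify(req1)                      # False: counter already used
    req2 = card.generate_cryptogram(5000)
    tampered = dict(req2, amount=1)                   # MAC no longer matches
    tampered_ok = issuer.verify(tampered)             # False
    genuine_after = issuer.verify(req2)               # True: failed attempt did not consume counter
    return ok, replay, tampered_ok, genuine_after


if __name__ == "__main__":
    print(demo())
```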
Regarding Claim 1, Wajs teaches a system, comprising: a processor; and a memory storing instructions which when executed by the processor cause the processor to execute the above functions (Paragraph 0031 teaches the method may be performed by executing software on a processor of the user device; the software may (i) form at least a part of the application, (ii) use one or more of: software obfuscation; data protection techniques, and (iii) control flow protection techniques; the processor of the user device that executes the software may be a secured hardware processor).
Regarding Claim 8, Wajs teaches a non-transitory computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by a processor (Paragraph 0040 teaches there is provided a computer program which, when executed by one or more processors, causes the one or more processors to carry out a method according to any one of the above first to fourth aspects of the invention; the computer program may be stored on a computer-readable medium).
Regarding Claim 15, Wajs teaches a method, comprising: receiving, by an application executing on a processor, a request to perform an operation associated with an account (Paragraphs 0018 and 0030 teach an access method is provided in which the user registers information that enables the restoration of credentials that reflect biometric data obtained by a mobile phone (or other device) or that are stored in an external device; the external storage device may be an apparatus comprising a secured module arranged to communicate with the user device via near field communication; the method may then comprise optically reading data from the apparatus (i.e., electronic passport) and deriving one or more keys based on the data optically read from the apparatus, wherein the near field communication is secured using the one or more keys).

Regarding Claims 2, 9, and 16, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 1, 8, and 15 above; and Wajs further teaches receive, by the application, the first image, wherein the first image depicts at least one page of the passport (Paragraph 0111 teaches the Access Recovery Enrolment module scans the passport the user wants to use for later recovery; the module first captures the passport's main page using the camera and then); extract, by the application from the first image, a text of the at least one page of the passport (Paragraph 0111 teaches the module extracts the data stored electronically in the passport using a secured NFC connection; the key for the secured NFC connection is derived from the information in the main page of the passport; therefore, some processing of the image of the passport is required to gain access to the electronic information in the passport).

Regarding Claims 3, 10, and 17, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 2, 9, and 16 above; and Wajs further teaches output, by the application, an indication specifying to capture the first image to authorize the operation (Paragraph 0113 teaches the application on the device or on the server may issue a challenge (i.e., indication) to the passport by encrypting a number with the public key that can be read out from the passport); and capture the first image by an image capture device of the system (Paragraphs 0111 and 0113 teach the user device scans the passport the user wants to use, wherein the module captures the passport's main page using the camera; the passport proves itself by returning the decrypted number to the application or the server; this proves that the actual passport is present and that an attacker has not previously read data from the passport and is in effect cloning the passport).

Regarding Claims 4, 11, and 18, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 3, 10, and 17 above; and Wajs further teaches receive, by the application, authentication credentials associated with the account, the authentication credentials comprising one or more of a login, a password, or biometric credentials (Paragraph 0119 teaches after validating that the appropriate passport is present, the Access Recovery Validation module then uses a sensor and the retrieved biometric parameters to validate that the person holding the device (mobile phone) is valid; the validation step matches a recorded identification pattern (photo, retina scan, or fingerprint) and uses one of the sensors in the device to determine a match with the user of the device).

Regarding Claims 5, 12, and 19, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 1, 8, and 15 above; and Wajs further teaches authentication using the encrypted passport data (Paragraphs 00113 and 0011 teach the application on the device may issue a challenge to the passport and the passport proves itself by returning the decrypted number to the application or the server; the security relies on the secure chip in the device verifying the fingerprint and simply sending a signed authentication result to the server; this enables the server to know that a correct fingerprint was obtained by the device).
However, the combination does not explicitly teach determine, by the application responsive to the indication received from the authentication server and based on a first rule of a plurality of rules, that authentication using passport data is required to initiate performance of the requested operation, wherein the required permissions level is specified by a second rule of the plurality of rules.
McDougall further teaches determine, by the application responsive to the indication received from the authentication server and based on a first rule of a plurality of rules, that authentication using passport data is required to initiate performance of the requested operation, wherein the required permissions level is specified by a second rule of the plurality of rules (Paragraphs 0032-0033 teach it is further determined if another authentication step is to be executed; the determination regarding the necessity for another authentication step can be made based on the authentication of the user at the prior authentication step; the adaptive user authentication system can be configured to automatically execute a next authentication step if the user is not authenticated at the prior authentication step; if the user authenticity cannot be confirmed at the first authentication step, the adaptive user authentication system may automatically execute a second authentication step wherein the user's passport data is requested and processed to determine the user's authenticity; if it is determined that another authentication step is to be executed, the method executes the next authentication step wherein the user's passport data is requested and verified; the method returns the results to the transaction processing system from the executed authentication steps, which would now include the results from multiple authentication steps).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Wajs, Quentin, McDougall, and Ecker to incorporate the further teachings of McDougall to determine, by the application responsive to the indication received from the authentication server and based on a first rule of a plurality of rules, that authentication using passport data is required to initiate performance of the requested operation, wherein the required permissions level is specified by a second rule of the plurality of rules.
There is motivation to further combine McDougall into the combination of Wajs, Quentin, McDougall, and Ecker because, as the passport verification is the final step in the user authentication process, successful passport verification can further imply that the user's first piece of data (e.g., telephone number or PIN), image, and passport have all been authenticated. In an example, if the information supplied in the previous authentication steps is different from the data in the configured databases, and the user has cleared the passport authentication step, then such information can be provided to the transaction processing system so that the user can be updated if needed (McDougall Paragraph 0030).

Regarding Claims 6, 13, and 20, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 5, 12, and 19 above; however the combination does not explicitly teach determine, by the application, that the decryption of the encrypted passport data satisfies the first rule; determine, by the application, that the second permissions level meets the required permissions level specified by the second rule; and authorize performance of the operation by the application based on the determination that the decryption of the encrypted passport data satisfies the first rule and the determination that the second permissions level meets the required permissions level specified by the second rule, wherein the required permissions level is one of the plurality of permissions levels.
McDougall further teaches determine, by the application, that the decryption of the encrypted passport data satisfies the first rule (Paragraph 0030 teaches the authentication step selector triggers the passport verifier to execute the passport data verification of the user; when triggered, the passport data receiver transmits a message to the user device to provide the user's passport information; if the passport information is successfully verified, the passport result generator can transmit information regarding the successful authentication of the user to the transaction processing system; as the passport verification is the final step in the user authentication process, successful passport verification can further imply that the user's first piece of data, image, and passport have all been authenticated); determine, by the application, that the second permissions level meets the required permissions level specified by the second rule (Paragraph 0033 teaches if it is determined that yet another authentication step is to be executed, the method executes the next authentication step wherein the user's passport data is requested and verified; the method returns the results from the executed authentication steps, which would now include the results from the first, second, and third authentication steps, to the transaction processing system); and authorize performance of the operation by the application based on the determination that the decryption of the encrypted passport data satisfies the first rule and the determination that the second permissions level meets the required permissions level specified by the second rule, wherein the required permissions level is one of the plurality of permissions levels (Paragraphs 0025-0026 teach depending on the successful authentication of the user at the previous authentication step, the adaptive user authentication system can be configured to implement yet another authentication step via the passport verifier; when another authentication step needs to be implemented, the passport verifier can be activated to transmit a request to the user to provide the user's passport information; the received passport information is compared with the corresponding information retrieved from the coupled databases for authenticity determination; based on the outputs from one or more of the first data verifier, the image verifier, and the passport verifier, the transaction processing system may allow the user to access services).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Wajs, Quentin, McDougall, and Ecker to incorporate the further teachings of McDougall to determine, by the application, that the decryption of the encrypted passport data satisfies the first rule; determine, by the application, that the second permissions level meets the required permissions level specified by the second rule; and authorize performance of the operation by the application based on the determination that the decryption of the encrypted passport data satisfies the first rule and the determination that the second permissions level meets the required permissions level specified by the second rule, wherein the required permissions level is one of the plurality of permissions levels.
There is motivation to further combine McDougall into the combination of Wajs, Quentin, McDougall, and Ecker because the adaptive user authentication system implements an adaptive “truth diode” that can be used to collect the required level of biometric evidence. When a fraudulent user attempts to access the transaction processing system, the adaptive user authentication system is configured to capture the fraudulent user in the act of committing the fraud. Also, the sequencing of information collection is such that there will be low dropout rates in the early steps with exception flows enabled (McDougall Paragraph 0026).

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Wajs (US 20200177584) in view of Quentin (US 20200005306) in further view of McDougall (US 20210176242) in further view of Ecker (US 20190188705) in further view of Filzhuth (WO 2016071196).

Regarding Claims 7 and 14, the combination of Wajs, Quentin, McDougall, and Ecker teaches all the limitations of claims 1 and 8 above; and Wajs further teaches wherein the type of the operation comprises one or more of: (i) viewing attributes of the account, (ii) modifying the attributes of the account, (iii) accessing a page of the application, or (iv) processing a transaction using the contactless card (Paragraphs 0031-0032 and 0095 teach the smart card may be configured to generate a one-time code based on sensitive data stored on the smart card; the one-time code may be a one-time public representation of sensitive data stored on the smart card and/or the one-time public representation may be usable to initiate a purchase transaction with a merchant point-of-sale terminal (i.e., initiate a performance of an operation)).
However, the combination does not explicitly teach receive, by the application, an updated version of the encrypted passport data; and transmit, by the application to the contactless card, the updated version of the encrypted passport data for storage in the contactless card.
Filzhuth from the same or similar field of endeavor teaches receive, by the application, an updated version of the encrypted passport data (Page 9 Steps 6-7, lines 12-23 teach the smart card terminal establishes the communication channel via the network interface and the network to the signature device; the chip card terminal transmits thereto a request for the generation of an updated security object; this request contains the data which the signature device requires for this purpose, namely, for example, the data groups of the changed data structure and/or their hash values; for this purpose, for example, the smart card terminal reads the security object which contains these hash values and transmits it together with the changed data group DG'i or its hash value hash(DG'i) via the communication channel to the signature device; then, the signature device generates, based on the request, the updated security object with the changed signature over the combination of hash values of the data groups, including the new hash value hash(DG'i); this can be done so that the signature device takes the hash values from the security object, replaces hash(DGi) by hash(DG'i), and then concatenates these hash values and signs the result to form the signature S', that is S' = sign(hash(DG1) || hash(DG2) || ... || hash(DG'i) || ... || hash(DGN), PK)); and transmit, by the application to the contactless card, the updated version of the encrypted passport data for storage in the contactless card (Page 9 Step 8, lines 26-29 teaches the updated security object thus generated by the signature device is then transmitted in response to the request via the communication channel from the signature device to the smart card terminal, which then subsequently transmits the updated security object via the communication channel to the chip card).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Wajs, Quentin, McDougall, and Ecker to incorporate the teachings of Filzhuth to receive, by the application, an updated version of the encrypted passport data; and transmit, by the application to the contactless card, the updated version of the encrypted passport data for storage in the contactless card.
There is motivation to combine Filzhuth into the combination of Wajs, Quentin, McDougall, and Ecker because it is particularly advantageous to change or delete one or more data groups of the data structure stored in the chip card without having to call into question the security of the chip card against unauthorized access (Page 3, lines 15-19).
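The security-object update that Filzhuth is cited for (re-sign the concatenation of data-group hashes after one data group DGi is replaced by DG'i) is illustrated below. This is an added worked example for the reader, not text or code from the Office action or from any of the cited references; the signature device's key, the data-group contents and the use of an HMAC as a stand-in for the signature device's sign(..., PK) operation are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import List, Tuple

# Assumed stand-in for the signature device's private key (PK in the
# citation). An HMAC is used instead of an asymmetric signature so the
# example runs without third-party libraries; the structure of the
# security object (signature over concatenated hashes) is what matters.
SIGNATURE_DEVICE_KEY = b"example-signature-device-key"

# Constructed sample data groups DG1..DGN (not real passport data).
DATA_GROUPS = [
    b"DG1: machine readable zone",
    b"DG2: facial image",
    b"DG3: fingerprints",
    b"DG11: additional personal details",
]


def hash_dg(dg: bytes) -> bytes:
    """hash(DGi): per-data-group digest stored in the security object."""
    return hashlib.sha256(dg).digest()


def sign_security_object(dg_hashes: List[bytes], key: bytes = SIGNATURE_DEVICE_KEY) -> bytes:
    """S = sign(hash(DG1) || hash(DG2) || ... || hash(DGN), PK).

    The signature covers the concatenation of every data-group hash, so a
    change to any single DGi invalidates S.
    """
    return hmac.new(key, b"".join(dg_hashes), hashlib.sha256).digest()


def verify_security_object(dg_hashes: List[bytes], signature: bytes,
                           key: bytes = SIGNATURE_DEVICE_KEY) -> bool:
    """Terminal-side check: recompute over the presented hashes and compare."""
    return hmac.compare_digest(sign_security_object(dg_hashes, key), signature)


def update_security_object(dg_hashes: List[bytes], i: int, new_dg: bytes,
                           key: bytes = SIGNATURE_DEVICE_KEY) -> Tuple[List[bytes], bytes]:
    """Signature device side (Filzhuth steps 6-7 as summarised above).

    Takes the hash list from the existing security object, replaces
    hash(DGi) by hash(DG'i), and signs the new concatenation to form S'.
    Returns the updated hash list and S' for transmission back to the card.
    """
    updated = list(dg_hashes)
    updated[i] = hash_dg(new_dg)
    return updated, sign_security_object(updated, key)


def demo() -> dict:
    """Run the full update and return the checks a practitioner would make."""
    hashes = [hash_dg(dg) for dg in DATA_GROUPS]
    s_old = sign_security_object(hashes)

    # The card holder's address (DG11) changes; only that group is rewritten.
    new_dg11 = b"DG11: additional personal details (new address)"
    new_hashes, s_new = update_security_object(hashes, 3, new_dg11)

    return {
        "old_valid_on_old": verify_security_object(hashes, s_old),
        # Writing DG'i without a fresh S' leaves the card failing verification.
        "old_valid_on_new": verify_security_object(new_hashes, s_old),
        "new_valid_on_new": verify_security_object(new_hashes, s_new),
        # The untouched groups keep their original hashes.
        "unchanged_groups_intact": new_hashes[:3] == hashes[:3],
        "changed_group_rehashed": new_hashes[3] != hashes[3],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example makes is the one the cited motivation relies on: because the signature binds all data-group hashes at once, a single data group can be replaced without weakening the chip's protection only if the signing party re-issues S' over the complete updated hash set; an attacker who can write DG'i but cannot produce S' leaves a card that fails verification.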

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wilson (US 20190087813) teaches a digital transaction apparatus including a Data Assistance Device (DAD), including a user interface that is operable to at least select data, and a DAD transmitter, a Digital Transaction Card (DTC), including a Digital Transaction Processing Unit (DTPU), and a DTC receiver, wherein the DAD and DTC are operable to transfer data from the DAD to the DTC and when subsequently using the DTC to effect a digital transaction with one or more digital transaction devices, the DTC operates in accordance with the data selected and transferred from the DAD to the DTC, wherein each digital transaction requires a sufficient verification score for authorization of the transaction, and the apparatus is operable to obtain at least one verification type, with each verification type having a verification type score, and the verification type score being awarded subsequent to obtaining the corresponding verification type.
Chapman (US 20170032231) teaches a multilayer card having embedded therein a faraday cage layer which protects an RFID or ICC chip that is also embedded in the card. The antenna for the RFID or ICC device has an actuable switch which can alternately open and close the antenna circuit, enabling the user to disable or enable the RFID or ICC chip. The card can also be converted into a hollow prism with the faraday cage layer nearer the outer surface of the prism so that the RFID or ICC chip can only be accessed from the prism interior. Private or sensitive information stored on the interior surface is also protected from unauthorized access.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Neha Patel, can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/COURTNEY P JONES/Examiner, Art Unit 3685