DETAILED ACTION
	This action is responsive to applicant’s communication filed 12/09/2021.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Claims
	Claims 1-6, 8-17, and 19-25 are rejected under 35 U.S.C. 103.

Response to Arguments
Due to the amendments, the claim objections and 35 U.S.C. 112(b) rejections raised in the prior office action have been withdrawn.

The title is objected to for not being descriptive of the claimed invention. A suggestion for a new title is given below. The other objections to the specification are being withdrawn.

Applicant’s arguments regarding the prior art have been fully considered but are respectfully moot in view of the new grounds for rejection necessitated by the amendment.

Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 

The following title is suggested: “Authentication System using Visual Representations of an Authentication Challenge”.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 9-12, 15-16, 20-21, and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Arroyo (US 2019/0228140 A1) in view of Kumar (US 2019/0386981 A1).

Regarding Claim 1, Arroyo teaches a method for authenticating a user for accessing a restricted system, comprising: (See Figure 7, which provides an overview of a method for authenticating a user for accessing a restricted system. See Figure 6A and Paragraph 0198: the restricted system is a device 602 that is displaying a webpage that requires authentication.)
acquiring a code presented by the restricted system, (“At FIG. 6D, a user re-orients authenticating device 600 such that QR code 620 is fully in the field of view of the one or more cameras of authenticating device 600. In this new orientation, authenticating device 100 detects (or recognizes) QR code 620 that is displayed on display 605 of requesting device 602.” Paragraph 0204. A QR code presented by the restricted system 602 is acquired by an access device 600.)
the code… visually representing a second authentication challenge; (“Displaying alternative login webpage 618 includes displaying a computer readable representation of data such as a QR (quick response) code 620 and/or user instruction Paragraph 0201. The QR code visually represents an authentication challenge for authenticating a user as an alternative to their username and password.)
extracting the second authentication challenge from the code; (“Detecting QR code 620 includes capturing, via the one or cameras of authenticating device 600, the data represented by QR code 620. Detecting QR code 620 optionally includes interpreting the data represented by QR code 620.” Paragraph 0204. The information encoded by the QR code is extracted. See Figure 6E, which shows a prompt directing the user to complete the authentication challenge, i.e. the login information for a website with protected content, after scanning the code.)
receiving authentication information associated with the user for use in the second authentication challenge; (“A user presents their face for biometric authentication. Authenticating device 600 captures and process (e.g., analyzes) the biometric data associated with the user's face from the biometric sensor (e.g., facial recognition sensor 603)… As a result, authenticating device 600 initiates biometric Paragraph 0212. See Figure 6H: authentication information comprising biometric data of the user’s face is received by the access device 600.)
and authenticating the user according to the second authentication challenge for accessing the restricted system based on the authentication information. (“At FIG. 6I, authenticating device 600 determines that the captured biometric data satisfies certain biometric authentication criteria. As a result of successful user authentication, authenticating device 600 displays biometric authentication interface 634 having successful biometric authentication glyph 638” Paragraph 0213. “When two-factor authentication is not required, requesting device 602 proceeds to displaying user interface 648 of FIG. 6L or user interface 654 of FIG. 6M without prompting the user for additional authentication information” Paragraph 0217. “At FIG. 6M, requesting device 602 displays user account webpage 654 upon receiving input 652 at the location of trust affordance 650. The user has successfully logged in to the website. In some examples, user account webpage 654 includes content 655. Content 655 can be restricted content (e.g., content that requires authentication to access it).” Paragraph 0220. See Figure 6I and 6M, which show a user being successfully authenticated, logged into their account, and being presented with the restricted content.)
Arroyo does not teach that the code is presented in response to the user being authenticated according to a first authentication challenge. 
presented in response to the user being authenticated according to a first authentication challenge (“After successfully authenticating the user based on a first authentication factor (e.g., a username and/or password), the AM server can initiate the enrollment procedure by, for example, generating and sending a QR code to a Web browser or other application running on the user's primary device. The QR code can be displayed on the user's primary device and may include an authentication token” Paragraph 0028. Also see Paragraphs 0034-35 and 0037. After submitting a first factor of authentication comprising a username and password, the user is presented with a QR code for submission of a second factor of authentication.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the authentication of a user using an access device taught by Arroyo by initially authenticating the user using a conventional username and password that results in the display of a QR code, as taught by Kumar. Since both references are directed to user authentication for accessing a restricted system using an access device, the combination would yield predictable results. Such a combination would amount to merely adding a conventional username and password authentication procedure as a first factor of authentication. While Arroyo teaches the scanning of an optical code as an alternative to the conventional login method shown in Figure 6A, requiring both would provide for an extra level of security that would be appropriate depending on the restricted resource. As taught by Kumar (Paragraphs 0002-03), use of 

Regarding Claim 10, Arroyo further teaches an access device for authenticating a user for accessing a restricted system, comprising: an image sensor for acquiring a code presented by the restricted system, the code visually representing an authentication challenge; (“At FIG. 6D, a user re-orients authenticating device 600 such that QR code 620 is fully in the field of view of the one or more cameras of authenticating device 600. In this new orientation, authenticating device 100 detects (or recognizes) QR code 620 that is displayed on display 605 of requesting device 602.” Paragraph 0204. Device 600 is an access device that acquires the code presented by the restricted system 602 using a camera. See Figure 2 optical sensor 164.)
a processor; and a memory to store computer program instructions, the computer program instructions when executed on the processor cause the processor to perform operations comprising: (See Figure 3 memory 307 and CPU 310 and the associated description in Paragraph 0146. See Figure 1A memory 102 and processor 120 and the associated description in Paragraph 0042.)
Claim 10 otherwise recites the same limitations as claim 1 and is therefore rejected using the same reasoning described above.

Regarding Claim 15, Arroyo further teaches a non-transitory computer readable medium storing computer program instructions for authenticating a user for accessing a restricted system, the computer program instructions when executed by a processor cause the processor to perform operations comprising: (See Figure 3 memory 307 and the associated description in Paragraph 0146 and Figure 1A memory 102 and the associated description in Paragraph 0042.)
Claim 15 otherwise recites the same limitations as claim 1 and is therefore rejected using the same reasoning described above.

Regarding Claim 21, Arroyo further teaches an authentication system, comprising: a restricted system for presenting a code visually representing a second authentication challenge… (“At FIG. 6A, a user of device 602 wishes to access content associated with the website, CLOUD.COM, which requires authentication before providing access to the content… Displaying alternative login webpage 618 includes displaying a computer readable representation of data such as a QR (quick response) code 620 and/or user instruction 622.” Paragraphs 0198-0201. Device 602 and the display of a webpage that requires authentication is a restricted system. A QR code that represents an authentication challenge is displayed on the system 602.)
an access device for: acquiring the code presented by the restricted system (“At FIG. 6D, a user re-orients authenticating device 600 such that QR code 620 is fully in the field of view of the one or more cameras of authenticating device 600. In this new orientation, authenticating device 100 detects (or recognizes) QR code 620 that is displayed on display 605 of requesting device 602.” Paragraph 0204. Device 600 is an access device that acquires the code presented by the restricted system 602.)


Regarding Claim 2, Arroyo in view of Kumar further teaches wherein the code comprises a QR (quick response) code. (Arroyo, “The personal laptop computer displays a QR code that can be detected via a camera of the personal smartphone device” Paragraph 0033. See Figure 6B, which shows the display of a QR code.)
Claim 11 is directed to an access device but otherwise recites the same limitations as claim 2. Claim 11 is therefore rejected using the same reasoning described above.
Claim 16 is directed to a non-transitory computer readable medium but otherwise recites the same limitations as claim 2. Claim 16 is therefore rejected using the same reasoning described above.

Regarding Claim 3, Arroyo in view of Kumar further teaches wherein the code comprises a bar code. (Arroyo, “The first electronic device (e.g., the authenticating device, 600) detects (702), via a first camera of the one or more cameras, the presence of a visual representation of data (e.g., 620, a QR code, a bar code, or other visual representation of information that identifies the second electronic device” Paragraph 0236.)
Claim 12 is directed to an access device but otherwise recites the same limitations as claim 3. Claim 12 is therefore rejected using the same reasoning described above.

Regarding Claim 9, Arroyo in view of Kumar further teaches wherein the authentication challenge is a biometric authentication challenge, and receiving authentication information associated with the user for use in the authentication challenge comprises: receiving biometric authentication information associated with the user for the biometric authentication challenge. (Arroyo, “In response to authenticating device 600 transmitting data to the remote device, requesting device 602 receives data about the type of authentication available to a user to authenticate the user at authenticating device 600… Icon 632 is associated with facial recognition authentication. Icon 632 indicates to the user that the user can authenticate at authenticating device 600 using facial recognition authentication… At FIG. 6I, authenticating device 600 determines that the captured biometric data satisfies certain biometric authentication criteria. As a result of successful user authentication, authenticating device 600 displays biometric authentication interface 634 having successful biometric authentication glyph 638” Paragraphs 0208-0213. See the transitions from Figure 6C to 6I: after scanning of a QR code, a biometric authentication user interface is launched in order to execute the authentication challenge, the biometric authentication information associated with the user is obtained, and the user is authenticated. Figure 6H shows the biometric authentication being facial recognition, while Figure 6N shows an alternative embodiment in which the biometric authentication challenge is a fingerprint recognition.)
Claim 20 is directed to a non-transitory computer readable medium but otherwise recites the same limitations as claim 9. Claim 20 is therefore rejected using the same reasoning described above.

Regarding Claim 24, Arroyo in view of Kumar further teaches wherein the first authentication challenge comprises a username and a password (Kumar, “After successfully authenticating the user based on a first authentication factor (e.g., a username and/or password), the AM server can initiate the enrollment procedure by, for example, generating and sending a QR code to a Web browser” Paragraph 0028.)

Regarding Claim 25, Arroyo in view of Kumar further teaches wherein the first authentication challenge comprises a username and a password (Kumar, “After successfully authenticating the user based on a first authentication factor (e.g., a username and/or password), the AM server can initiate the enrollment procedure by, for example, generating and sending a QR code to a Web browser” Paragraph 0028.)

Claims 4 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Arroyo (US 2019/0228140 A1) in view of Kumar (US 2019/0386981 A1) and further in view of Ozolins (US 2005/0044387 A1).

Regarding Claim 4, Arroyo in view of Kumar teaches all the limitations of claim 1, on which claim 4 depends.
 wherein the code comprises a series of intermittent flashing lights.
However, Ozolins, which is directed to an access device and authentication system, teaches wherein the code comprises a series of intermittent flashing lights. (“In some embodiments of the invention signals are generated by the system to which access is sought by causing portion 603 of the display screen (which may include all or a portion of screen 601) to flash on and off in a series of illuminations representing data. As such screen portion 603 functions as a signal generator or light source. The intermittent flashes of light generated by screen portion 603 and sensed by signal sensor 102 are provided to processor 105, and interpreted by that or any other processor linked thereto, as representing data that may be used to provide a code, such as a session-unique, human readable code, to output device 104. The signal portion 603 may provide any suitable coded light signal.” Paragraph 0052.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the code presented by a restricted system for granting access to a user using an access device taught by Arroyo in view of Kumar by incorporating the light-signal code comprising intermittent flashing lights taught by Ozolins. Since both references are directed to user authentication using an access device scanning an optical code, the combination would yield predictable results. Such an implementation would amount to a simple substitution of the optical code presented to the user for use as an authentication challenge. As further taught by Ozolins 
Claim 17 is directed to a non-transitory computer readable medium but otherwise recites the same limitations as claim 4. Claim 17 is therefore rejected using the same reasoning described above.

Claims 5-6, 13-14, and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over Arroyo (US 2019/0228140 A1) in view of Kumar (US 2019/0386981 A1) and further in view of Thakur (US 8,689,294 B1).

Regarding Claim 5, Arroyo in view of Kumar teaches all the limitations of claim 1, on which claim 5 depends.
Arroyo further teaches wherein the acquiring, the extracting, and the receiving are performed by an access device, (“FIG. 6A illustrates authenticating device 600 (e.g., device 100, device 300, or device 500) and requesting device 602 (e.g., device 100, device 300, or device 500)” Paragraph 0197. See Figure 6A-6I, which shows the acquiring, extracting, and receiving being performed by an access device 600.)
… displaying a token to the user, wherein the displayed token is input into the restricted system by the user to authenticate the user according to the authentication challenge for accessing the restricted system. (“Prompt 644 includes input fields for receiving input via one or more input devices (e.g., a keyboard). Prompt 644 optionally indicates to the user that an authentication code (e.g., Paragraphs 0215-216. See Figure 6J: A token 646 is displayed to the user and the user enters the token in the input field 644 in order to authenticate the user.)
Arroyo in view of Kumar does not teach and wherein authenticating the user according to the second authentication challenge for accessing the restricted system based on the authentication information comprises: in response to determining that the access device is offline, displaying the token to the user.
However, Thakur, which is directed to managing offline authentication, teaches and wherein authenticating the user according to the authentication challenge for accessing the restricted system based on the authentication information comprises: in response to determining that the access device is offline, displaying the token to the user. (“in response to determining that the client device is offline, authenticate the user using offline authentication that does not require an active network connection with a remote authentication service. For example, offline-authentication module 107 may, in response to determining that computing device 202 is offline, authenticate the user using an offline authentication process that does not require an active network connection with authentication service 130 on server 206… For example, offline-authentication module 107 may request, from the user, the authentication-device identifier. In this example, the authentication-device identifier may represent the token-based authentication credential required as part of two-factor authentication.” Column 8 Lines 36-44 and Column 10 Lines 36-52. See Figure 3 step 306 and Figure 4 step 406. In response to a determination that a device is offline, an offline-authentication process is performed, which is illustrated in Figure 4. The process includes requesting a token to be entered by a user.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the presentation of a token to a user to input into a restricted system taught by Arroyo in view of Kumar by presenting the token when the access device is determined to be offline as taught by Thakur. Since both references are directed to authenticating a user using an access device, the combination would yield predictable results. As taught by Thakur (Col. 3:60-4:5), this would improve the user experience by allowing the user to still access the restricted system despite their device being offline while still ensuring security since two-factor authentication is being used.
Claim 13 is directed to an access device but otherwise recites the same limitations as claim 5. Claim 13 is therefore rejected using the same reasoning described above.
Claim 22 is directed to an authentication system but otherwise recites the same limitations as claim 5. Claim 22 is therefore rejected using the same reasoning described above.

Regarding Claim 6, Arroyo in view of Kumar teaches all the limitations of claim 1, on which claim 6 depends.
wherein the acquiring, the extracting, and the receiving are performed by an access device, (“FIG. 6A illustrates authenticating device 600 (e.g., device 100, device 300, or device 500) and requesting device 602 (e.g., device 100, device 300, or device 500)” Paragraph 0197. See Figure 6A-6I, which shows the acquiring, extracting, and receiving being performed by an access device 600.)
…transmitting an indication that the user was authenticated according to the second authentication challenge for accessing the restricted system. (“in response to authenticating device 600 determining that the captured biometric data satisfies certain biometric authentication criteria, requesting device 602 receives data indicating that a user has successfully authenticated at authenticating device 600.” Paragraph 0214. See Figure 6I, which shows an indication that a user was authenticated. Also see Figures 6L and 6M, which shows the user being given access to the restricted resource.)
Arroyo in view of Kumar does not teach wherein authenticating the user according to the second authentication challenge for accessing the restricted system based on the authentication information comprises: in response to determining that the access device is online, transmitting the indication.
However, Thakur, which is directed to managing offline authentication, teaches wherein authenticating the user according to the second authentication challenge for accessing the restricted system based on the authentication information comprises: in response to determining that the access device is online, transmitting the indication. (“online-authentication module 117 may, in response to detecting that computing device 202 is online, authenticate the user using online authentication, after which online-access module 119 may unlock computing device 202 and allow the user to again access computing device 202” Column 13 Lines 45-55. “online-authentication module 117 may send the one-time password received from the user as part of step 502 to authentication service 130 on server 206 via network 204, and may receive from authentication service 130 a response indicating that the one-time password has been validated successfully” Column 14 Lines 4-10. In response to the determination that an access device (Figure 2 computing device 202) is online, an authentication procedure is performed that results in an indication being transmitted that the user was authenticated.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method of authenticating a user according to an authentication challenge provided by a restricted system to an access device taught by Arroyo in view of Kumar by transmitting an indication of the authentication to the system in response to the determination that the access device is online as taught by Thakur. Since both references are directed to authenticating a user using an access device, the combination would yield predictable results. Determining whether a device is online before performing an authentication procedure with a remote server would have been an obvious implementation to one of ordinary skill in the art. Furthermore, as suggested by Thakur (Col. 13:30-34), for resources that require online authentication, such an implementation would have been necessary to ensure security of the restricted resource.
Claim 14 is directed to an access device but otherwise recites the same limitations as claim 6. Claim 14 is therefore rejected using the same reasoning described above.
Claim 23 is directed to an authentication system and recites an authentication backend system, which is further taught by the “authentication device or server” in Arroyo, such as in Paragraphs 225 and 229. Claim 23 otherwise recites the same limitations as claim 6. Claim 23 is therefore rejected using the same reasoning described above.

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Arroyo (US 2019/0228140 A1) in view of Kumar (US 2019/0386981 A1) and further in view of Koutenaei (US 2016/0269403 A1).

Regarding Claim 8, Arroyo in view of Kumar teaches all the limitations of claim 1, on which claim 8 depends.
While Arroyo teaches an embodiment where notifications are presented to the user at different stages of an authentication process, Arroyo in view of Kumar does not explicitly teach further comprising: in response to the user being authenticated according to the first authentication challenge, receiving a notification; receiving input from the user interacting with the notification; and in response to receiving the input from the user, automatically opening an authentication application for acquiring the code.
further comprising: in response to the user being authenticated according to the first authentication challenge, receiving a notification; (“after the user enters the username or other required information… At 120, a notification may be pushed to the user's previously registered authentication device 20” Paragraph 0023. A notification is presented to a user after the user logs in to an account.)
receiving input from the user interacting with the notification; (“At 130, the user opens the notification on the authentication device 20” Paragraph 0023.
Arroyo teaches a similar embodiment: “At FIG. 6F, authenticating device 600 receives input 625 (e.g., tap gesture) via the touchscreen of display 601 at the location of banner 626” Paragraph 0206. A notification in the form of a banner is displayed responsive to the scanning of a code. A user selects the notification in order to launch an authentication application.)
and in response to receiving the input from the user, automatically opening an authentication application for acquiring the code. (Koutenaei, See Paragraph 0023. See Paragraphs 0026-27, which discusses an embodiment where a QR code is presented in order to download the authentication application after an initial authentication challenge. Also see Figure 1 step 130: “The push notification directs the user to the authentication app that acquires user authentication”.
Arroyo teaches a similar embodiment: “As illustrated in FIG. 6H, authenticating device 600 initiates biometric authentication upon receiving selection of banner 626 of FIG. 6F.” Paragraph 0211. After a user selects the notification as shown in Figure 6F, 
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the authentication of a user using an access device using multiple factors of authentication taught by Arroyo in view of Kumar by presenting a notification to a user to open an authentication application in response to a first factor of authentication, as taught by Koutenaei. Since both references are directed to user authentication for accessing a restricted system using an access device, the combination would yield predictable results. It would have been further obvious to modify Arroyo to present a notification, wherein responsive to a user interacting with the notification, an authentication application for acquiring the code is automatically opened since Arroyo similarly teaches automatically opening a biometric authentication user interface responsive to a user interacting with a notification. Such an implementation would amount to a rearrangement of the multi-factor authentication method taught by Arroyo in which after an initial authentication challenge, the notification shown in Figure 6F is presented to the user followed by automatically opening the camera application shown in Figure 6C rather than the facial recognition interface shown in Figure 6H.
Claim 19 is directed to a non-transitory computer readable medium but otherwise recites the same limitations as claim 8. Claim 19 is therefore rejected using the same reasoning described above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAMI RAFAT OKASHA whose telephone number is (571)272-0675. The examiner can normally be reached M-F 9-5 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/R.R.O./Examiner, Art Unit 2173                                                                                                                                                                                                        
/HAOSHIAN SHIH/Primary Examiner, Art Unit 2173